Pests of all kinds and how to fight them: winlogon-taskman trojan found. Run Combofix or not? (Windows 7)
12.09.2010, 09:42 | #1
winlogon-taskman trojan found. Run Combofix or not?

Hello, I'm new here and am currently plagued by trojans etc. on both of my computers. Unfortunately I don't know much about any of this, so I would be very grateful for help.

Regarding one of the computers: yesterday, during a check with Malwarebytes, I found the following:

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Now I'm not sure whether the computer is clean again. I found a thread in the forum that deals with the same problem, under the title "Kann winlogon\taskman trojaner nicht entfernen, was tun?", so I went through the first steps exactly the same way, until I got to the Combofix step. There the warning jumped out at me that one should never run Combofix without professional help. That is why I'm here now.

My log files so far:

Malwarebytes, first check with the finding:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4595
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/09/2010 4:08:55 AM
mbam-log-2010-09-12 (04-08-55).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 181142
Laufzeit: 33 Minute(n), 9 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

OTL check:

OTL logfile created on: 12/09/2010 4:24:40 AM - Run 1
OTL by OldTimer - Version 3.2.12.0
< End of report >

AND:

OTL Extras logfile created on: 12/09/2010 4:24:40 AM - Run 1
OTL by OldTimer - Version 3.2.12.0
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-001F-0410-0000-0000000FF1CE}_ENTERPRISE_{322296D4-1EAE-4030-9FBC-D2787EB25FA2}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007 "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{90120000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2007 "{90120000-0044-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}_ENTERPRISE_{26454C26-D259-4543-AA60-3189E09C5F76}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 
"{90120000-00A1-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-00B2-0407-0000-0000000FF1CE}" = Microsoft – Speichern als PDF oder XPS – Add-In für 2007 Microsoft Office-Programme "{90120000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2007 "{90120000-00BA-0407-0000-0000000FF1CE}_ENTERPRISE_{9BD40163-B95D-4B07-8991-0AB775B6D88B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{9176251A-4CC1-4DDB-B343-B487195EB397}" = Windows Live Writer "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English) "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 "{A4AE8CC0-2FE9-4E81-B694-6391263D438D}" = Amos 7 "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer "{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3 "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy "{C60BA916-9E44-4DA4-B11A-9E27B7624EF5}" = Sony Ericsson Drivers "{C92E7DF1-624A-4D95-A4C4-18CB491B44A4}" = Sony Ericsson Device Data "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2 "{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar "{D6BF6477-8369-489F-8DE6-3731F4B88560}" = Sony Ericsson PC Suite "{DEB6ACEB-C418-4880-9133-1C5EB9AFBC79}" = Eee Storage "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU] "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Audacity_is1" = Audacity 1.2.6 "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus "Browser Defender_is1" = Browser Defender 2.0.6.15 "Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0 "Elantech" = ETD Ware PS/2-x86 5.0.0.4 WHQL 
"ENTERPRISE" = Microsoft Office Enterprise 2007 "foobar2000" = foobar2000 v1.1 "HDMI" = Intel(R) Graphics Media Accelerator Driver "ie8" = Windows Internet Explorer 8 "ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper "IZArc 3.4.1.6_is1" = IZArc 3.4.1.6 "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Mozilla Firefox (3.5.11)" = Mozilla Firefox (3.5.11) "Spyware Doctor" = Spyware Doctor 7.0 "VLC media player" = VLC media player 1.0.5 "Windows Live Toolbar" = Windows Live Toolbar ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 1/02/2010 6:37:07 AM | Computer Name = OKEEEPC | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired. Error - 1/02/2010 7:51:05 AM | Computer Name = OKEEEPC | Source = Google Update | ID = 20 Description = Error - 1/02/2010 9:07:24 AM | Computer Name = OKEEEPC | Source = MsiInstaller | ID = 11316 Description = Product: Windows Live Sign-in Assistant -- Error 1316. A network error occurred while attempting to read from the file: C:\DOCUME~1\***\LOCALS~1\Temp\IXP000.TMP\Install_{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}.msi Error - 1/02/2010 9:21:59 AM | Computer Name = OKEEEPC | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired. 
Error - 2/02/2010 3:00:36 AM | Computer Name = OKEEEPC | Source = Google Update | ID = 20 Description = Error - 3/02/2010 4:27:37 AM | Computer Name = OKEEEPC | Source = MsiInstaller | ID = 1013 Description = Product: CounterSpy -- CounterSpy 3.1.2848 is already installed on the machine. If you wish to downgrade to CounterSpy 3.1.2836, you must first uninstall CounterSpy 3.1.2848. Error - 6/02/2010 4:57:35 AM | Computer Name = OKEEEPC | Source = Google Update | ID = 20 Description = Error - 15/02/2010 11:33:06 PM | Computer Name = OKEEEPC | Source = SecurityCenter | ID = 1802 Description = The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall. Error - 19/02/2010 8:08:41 AM | Computer Name = OKEEEPC | Source = Application Hang | ID = 1002 Description = Hanging application winamp.exe, version 5.5.4.2165, hang module hungapp, version 0.0.0.0, hang address 0x00000000. Error - 20/02/2010 11:57:06 AM | Computer Name = OKEEEPC | Source = Google Update | ID = 20 Description = [ OSession Events ] Error - 6/05/2009 1:20:00 AM | Computer Name = OKEEEPC | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 768 seconds with 720 seconds of active time. This session ended with a crash. 
[ System Events ] Error - 7/09/2010 2:00:07 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7023 Description = The Application Management service terminated with the following error: %%126 Error - 7/09/2010 2:00:07 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7023 Description = The Application Management service terminated with the following error: %%126 Error - 7/09/2010 2:00:08 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7023 Description = The Application Management service terminated with the following error: %%126 Error - 7/09/2010 2:00:08 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7023 Description = The Application Management service terminated with the following error: %%126 Error - 7/09/2010 2:00:08 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7023 Description = The Application Management service terminated with the following error: %%126 Error - 8/09/2010 2:26:17 AM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: SBRE Error - 11/09/2010 11:05:30 AM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: SBRE Error - 11/09/2010 1:30:09 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: SBRE Error - 11/09/2010 3:31:28 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: SBRE Error - 11/09/2010 4:15:55 PM | Computer Name = OKEEEPC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: SBRE < End of report > Malewarebytes zweiter durchlauf: Malwarebytes' 
Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4595 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 12/09/2010 5:35:55 AM mbam-log-2010-09-12 (05-35-55).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|) Durchsuchte Objekte: 181176 Laufzeit: 27 Minute(n), 24 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) Danach habe ich den text aus dem alten thema in OTL kopiert und es wurde neu gestartet All processes killed ========== OTL ========== No active process named houfunocoor.exe was found! Error: No service named yeg0auiavae5oyu was found to stop! Service\Driver key yeg0auiavae5oyu not found. File File not found not found. Error: No service named eygimovnxku was found to stop! Service\Driver key eygimovnxku not found. File C:\WINDOWS\system32\tooziwig.exe not found. Error: No service named uzi3ndu1 was found to stop! Service\Driver key uzi3ndu1 not found. File C:\WINDOWS\system32\drivers\uzi3ndu1.sys not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tessoub not found. File C:\WINDOWS\system32\houfunocoor.exe not found. Folder C:\41d3af1abfa4f1f72688\ not found. Folder C:\9072b1f0a91a00e85a\ not found. ========== FILES ========== File\Folder C:\WINDOWS\system32\houfunocoor.exe not found. File\Folder C:\WINDOWS\system32\tooziwig.exe not found. 
File\Folder C:\WINDOWS\system32\drivers\uzi3ndu1.sys not found. File\Folder C:\WINDOWS\system32\drivers\yeg0auiavae5oyu.sys not found. ========== COMMANDS ========== C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully [EMPTYTEMP] User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32902 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 43511 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Oliver ->Temp folder emptied: 707705 bytes ->Temporary Internet Files folder emptied: 36298668 bytes ->Java cache emptied: 69582051 bytes ->FireFox cache emptied: 75795290 bytes ->Google Chrome cache emptied: 10252157 bytes ->Flash cache emptied: 24738 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 2577 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 15392689 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2412876 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 201.00 mb OTL by OldTimer - Version 3.2.12.0 log created on 09122010_160443 Files\Folders moved on Reboot... Registry entries deleted on Reboot... so weit bin ich nun. Beim alten thema wurde jetzt der combofix ausgeführt, den ich wie gesagt nicht ohne professionelle hilfe laufen lassen wollte. Über hilfe und tipps würde ich mich sehr freuen. Danke schonmal im vorraus. |
12.09.2010, 10:21 | #2 |
/// Malware-holic | please create and post a ComboFix log.
__________________A guide and tutorial on using ComboFix |
12.09.2010, 11:29 | #3 |
| Hello Markus,

thank you first of all for your quick reply and your help. I have now run ComboFix. However, there were 2 deviations from the tutorial. Before ComboFix scanned, an error was briefly displayed and the computer restarted. When it came back up, everything was scanned, but the Windows desktop was never visible during this. Otherwise there were no problems. So here is the log file from ComboFix:

Combofix Logfile:
Code:
ComboFix 10-09-11.03 - *** 12/09/2010 18:04:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.645 [GMT 8:00]
Running from: c:\documents and settings\***\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-08-12 to 2010-09-12 )))))))))))))))))))))))))))))))
.
2010-09-12 09:46 . 2010-09-12 09:46 34 ----a-w- c:\windows\system32\BD2030.DAT
2010-09-12 08:04 . 2010-09-12 08:04 -------- d-----w- C:\_OTL
2010-09-11 19:34 . 2010-09-11 19:34 -------- d-----w- c:\documents and settings\***\Application Data\Malwarebytes
2010-09-11 19:34 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-11 19:33 . 2010-09-11 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-11 19:33 . 2010-09-11 19:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 19:33 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 17:59 . 2010-09-07 17:59 -------- d-----w- c:\documents and settings\***\Application Data\foobar2000
2010-09-07 15:47 . 2010-09-07 15:48 -------- d-----w- c:\program files\foobar2000
2010-09-07 15:19 . 2010-09-07 15:19 503808 ----a-w- c:\documents and settings\***\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-770c665a-n\msvcp71.dll
2010-09-07 15:19 . 2010-09-07 15:19 499712 ----a-w- c:\documents and settings\***\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-770c665a-n\jmc.dll
2010-09-07 15:19 . 2010-09-07 15:19 12800 ----a-w- c:\documents and settings\***\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40402b37-n\decora-d3d.dll
2010-09-07 15:19 . 2010-09-07 15:19 61440 ----a-w- c:\documents and settings\***\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40402b37-n\decora-sse.dll
2010-09-07 15:19 . 2010-09-07 15:19 348160 ----a-w- c:\documents and settings\***\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-770c665a-n\msvcr71.dll
2010-09-07 15:18 . 2010-07-16 21:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-07 14:21 . 2010-09-07 14:21 -------- d-----w- C:\rwc
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-12 10:12 . 2010-02-03 13:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-07 19:15 . 2009-04-11 05:00 -------- d-----w- c:\documents and settings\***\Application Data\EndNote
2010-09-07 15:22 . 2008-08-23 06:26 -------- d-----w- c:\program files\Microsoft Works
2010-09-07 15:19 . 2008-08-23 07:06 -------- d-----w- c:\program files\Common Files\Java
2010-09-07 15:18 . 2008-08-23 07:06 -------- d-----w- c:\program files\Java
2010-09-07 14:47 . 2009-04-05 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-08 20:26 . 2010-07-08 20:26 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-30 12:31 . 2008-07-22 18:54 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-07-22 18:55 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-07-22 18:55 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-07-22 18:55 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-07-22 18:53 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-07-22 19:46 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2008-05-07 23:34 . 2008-08-23 07:59 15523560 ----a-w- c:\program files\U1 Setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-20 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-20 131072]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-25 335872]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-12 528384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-17 16806400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoRun OSCleaner.lnk - c:\program files\ASUS\Asus OS Cleaner\AsOSCleaner.exe [2008-8-23 118784]
SuperHybridEngine.exe.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-8-23 303104]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Reference Manager 12\\WebPublisher\\thirdparty\\Apache2\\bin\\RMWP_Apache_Admin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/02/2010 9:22 PM 207792]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/02/2010 9:00 PM 108289]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/02/2010 9:26 PM 112592]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 ndfs;ndfs;\??\c:\program files\Netdrive\ndfs.sys --> c:\program files\Netdrive\ndfs.sys [?]
S3 RMWPService;RMWPService;c:\program files\Reference Manager 12\WebPublisher\thirdparty\Apache2\bin\RMWP_Apache_Admin.exe [28/01/2004 4:25 PM 20537]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [3/04/2009 8:38 PM 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [3/04/2009 8:38 PM 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [3/04/2009 8:38 PM 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [3/04/2009 8:38 PM 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [3/04/2009 8:38 PM 98568]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/02/2010 9:20 PM 359624]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/04/2009 8:22 PM 664064]
.
Contents of the 'Scheduled Tasks' folder

2010-09-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\***\Application Data\Mozilla\Firefox\Profiles\2dgrnluf.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-09-12 18:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Vpn Client Sydney\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-12 18:18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-12 10:18

Pre-Run: 1,499,512,832 bytes free
Post-Run: 1,379,729,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F2C5E79EAA99768C0A6F27625643050

One more thing I noticed, though I don't know whether it matters: while writing this post, the computer frequently stopped responding for short moments. I hadn't noticed that before.

Regards, Koma83 |
12.09.2010, 14:40 | #4 |
/// Malware-holic | does Malwarebytes still detect anything on a full scan after an update? |
12.09.2010, 20:39 | #5 |
| Hi, I have now updated Malwarebytes again and run it. Nothing is found any more. Is everything clean again now? Thanks again for the help. |
12.09.2010, 20:40 | #6 |
/// Malware-holic | |
12.09.2010, 21:33 | #7 |
| okay, the scan is finished. I didn't get a log file or anything. But the result was positive: there were no detections. |
13.09.2010, 13:15 | #8 |
/// Malware-holic | implement the following:

enable DEP: DEP for all processes: Data Execution Prevention (DEP) • "Turn on DEP for all programs and services except those I select:". If problems occur, you can remove the affected processes from monitoring.

use Firefox as your browser: Firefox web browser | Faster, safer & customizable | Mozilla Europe

as an add-on NoScript; it blocks some scripts (e.g. Java). You can then allow them by right-clicking on the page you want to allow, choosing NoScript, and choosing "temporarily lift all restrictions", so they are lifted for the visit, or "lift all restrictions", so the site is allowed permanently. You can of course undo that again.

http://filepony.de/download-adblock_firefox// there are also filter lists here: Known filter lists for Adblock Plus. Here I would choose 2 or 3 German filters, and under "other" the malware blocklist.

to make browsing safer, I would recommend Sandboxie. Download: drop.io (as pdf). If you get on well with the program, a licence is recommended. 1. there are then a few more functions. 2. after a month a notice appears that the program is freeware, which only disappears after a while; I find that a bit annoying. 3. the licence is valid for life, costs around 25 €, and you can use it on all PCs in your household.

disable autorun for USB: malicious files are very often spread this way, so switch the function off.
Tip archive - Disabling Autorun/Autoplay selectively for drive types or letters - WinTotal.de

USB sticks, hard drives etc. should be vaccinated with Panda Vaccine: ANTIMALWARE: Panda USB Vaccine - Download FREE - PANDA SECURITY. That way you don't bring infections into the house when you lend out a hard drive etc.

regular backups of the system are very important; you never know whether your hard drive will fail. Acronis True Image 2011 - hard drive backup software, file backup and disk imaging, restoring application settings, backup of music, videos, photos and Outlook mail. You can also reset the system if malware gets in again. The backup should preferably be made to an external hard drive etc., not to the same one where the data to be backed up is located. For very important data you could create an additional backup on DVDs/CDs; rewritable ones (RWs) could be used for that in case the collection needs to be refreshed.

updates: updates are just as important for your system as an antivirus scanner. Very often malware only gets onto the system because the user is running outdated software. Install the following update checkers. Secunia: http://www.trojaner-board.de/83959-s...ector-psi.html and FileHippo Update Checker: FileHippo.com Update Checker - FileHippo.com. The FileHippo icon will appear in the notification area next to the clock; please right-click on it, choose settings, results, tick "hide beta updates" and click ok.

change passwords. So from now on only browse in the sandbox; to do that, click on sandboxed web browser |
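As an added example for this thread (not the helper's instructions and not part of OTL, ComboFix or Malwarebytes), a read-only PowerShell audit of the settings the thread turns on: the Winlogon Taskman value that Malwarebytes flagged, the DEP mode from boot.ini (the ComboFix log shows /noexecute=optin; the helper asks for "all programs except those I select", which is OptOut), the NoDriveTypeAutoRun policy behind the autorun advice, and the EnableFirewall and Security Center notify flags visible in the logs. The registry paths are the real ones; the C:\boot.ini location and the "run as administrator on Windows XP" setup are assumptions.

```powershell
# Added audit script for this thread (not the helper's code; not from OTL, ComboFix or Malwarebytes).
# It only reads settings and reports them; nothing is changed. Run it in an elevated PowerShell.
# Assumptions: Windows XP with the system on C: (DEP is set in C:\boot.ini there);
# on Vista and later the DEP check reports that bcdedit must be used instead.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Test-WinlogonTaskman {
    # The value Malwarebytes flagged (Winlogon\taskman, Trojan.Agent). It is absent on a clean
    # system; whatever it names is started by Winlogon at logon, which makes it a persistence spot.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Taskman'
    if ($null -eq $v -or $v -eq '') { return New-Finding 'Winlogon\Taskman' $true 'value absent (expected)' }
    New-Finding 'Winlogon\Taskman' $false "set, runs at logon: $v"
}

function Test-DepMode {
    param([string]$BootIni = 'C:\boot.ini')   # assumption: system drive is C:
    # The ComboFix log shows /noexecute=optin. "All programs and services except those I select"
    # is OptOut; AlwaysOn is stricter still.
    if (-not (Test-Path $BootIni)) {
        return New-Finding 'DEP' $false 'no boot.ini (not XP): check with "bcdedit /enum {current}"'
    }
    $mode = $null
    foreach ($line in (Get-Content $BootIni)) {
        if ($line -match '/noexecute=(\w+)') { $mode = $Matches[1]; break }
    }
    if ($null -eq $mode) { return New-Finding 'DEP' $false 'no /noexecute switch in boot.ini' }
    $ok = ($mode -ieq 'OptOut') -or ($mode -ieq 'AlwaysOn')
    New-Finding 'DEP' $ok "/noexecute=$mode"
}

function Test-AutorunPolicy {
    # NoDriveTypeAutoRun is a bit mask (1 shl drive type) of drive types with autorun disabled;
    # 0xFF disables it for every type. The helper's concern is removable media (USB sticks).
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = Get-RegValue $path 'NoDriveTypeAutoRun'
    if ($null -eq $v) { return New-Finding 'Autorun' $false 'NoDriveTypeAutoRun not set: autorun on by default' }
    $types = @{ 0x04 = 'removable'; 0x08 = 'fixed'; 0x10 = 'network'; 0x20 = 'CD/DVD' }
    $still = @($types.Keys | Sort-Object | Where-Object { -not ($v -band $_) } | ForEach-Object { $types[$_] })
    $detail = '0x{0:X2}' -f $v
    if ($still.Count -eq 0) { return New-Finding 'Autorun' $true "$detail (all common drive types off)" }
    New-Finding 'Autorun' $false "$detail, autorun still enabled for: $($still -join ', ')"
}

function Test-FirewallProfile {
    # ComboFix printed "EnableFirewall"= 0 for the standard profile, i.e. the Windows Firewall is off.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $v = Get-RegValue $path 'EnableFirewall'
    New-Finding 'Windows Firewall (standard profile)' ($v -eq 1) "EnableFirewall = $v"
}

function Test-SecurityCenterNotify {
    # OTL listed these three at 0. A 1 silences the "no antivirus / firewall / updates" warning,
    # a common side effect of an infection, so any non-zero value deserves a look.
    $path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = Get-RegValue $path $name
        New-Finding "Security Center\$name" (($null -eq $v) -or ($v -eq 0)) "value = $v"
    }
}

function Invoke-HardeningAudit {
    $findings = @()
    $findings += Test-WinlogonTaskman
    $findings += Test-DepMode
    $findings += Test-AutorunPolicy
    $findings += Test-FirewallProfile
    $findings += Test-SecurityCenterNotify
    $findings | Format-Table -AutoSize @{ Label = 'State'; Expression = { if ($_.Ok) { 'ok' } else { 'CHECK' } } }, Check, Detail
}

Invoke-HardeningAudit
```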
13.09.2010, 15:09 | #9 |
| Hey, great. Many thanks for your help and the many tips for safer browsing!!! Really top. Okay, then the topic can be closed now... Though I don't know how to do that here either... |
13.09.2010, 15:14 | #10 |
/// Malware-holic | it stays open :-) ok, then let's hope we don't see each other again in this part of the forum :D. One more small thing: clean up with OTCleanIt: http://oldtimer.geekstogo.com/OTM.exe Click cleanup! Your PC may restart. The program deletes itself, plus the tools that were used |