Here it is
Combofix Logfile:
Code:
ComboFix 10-09-16.03 - Dr. Ulrich Gmelin 17.09.2010 12:35:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1023.716 [GMT 2:00]
Running from:: c:\documents and settings\Dr. Ulrich Gmelin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dr. Ulrich Gmelin\Desktop\cfscript.txt
AV: F-Secure Internet Security 2011 10.50 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2011 10.50 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
.
2010-09-16 11:34 . 2010-09-16 11:34 -------- d-----w- c:\program files\Enigma Software Group
2010-09-16 11:34 . 2010-09-16 11:49 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-16 11:33 . 2010-09-16 11:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-15 05:46 . 2010-09-16 04:48 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SSH
2010-09-15 05:44 . 2010-09-15 05:45 -------- d-----w- c:\program files\SSH Secure Shell
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR\LOCALS~1
2010-09-15 05:43 . 2010-09-15 05:43 -------- d-----w- c:\documents and settings\DR6590~1~ULR
2010-09-14 19:29 . 2010-09-14 20:04 -------- d-----w- c:\program files\SSHTunnelClient
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\program files\Conduit
2010-09-07 18:39 . 2010-09-07 18:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Conduit
2010-09-07 18:39 . 2010-09-17 05:57 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Local Settings\Application Data\Hotspot_Shield
2010-09-07 18:39 . 2010-09-16 11:48 -------- d-----w- c:\program files\Hotspot_Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- C:\Hotspot Shield
2010-09-07 18:36 . 2010-09-07 18:39 -------- d-----w- c:\program files\Hotspot Shield
2010-09-01 08:00 . 2010-09-01 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Vodafone
2010-09-01 07:59 . 2010-09-01 07:59 -------- d-----w- c:\program files\Vodafone
2010-08-28 19:38 . 2000-10-02 10:27 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-08-28 19:38 . 1998-06-17 22:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-08-28 19:38 . 2010-08-28 19:38 -------- d-----w- c:\program files\Convar
2010-08-28 19:38 . 2002-02-28 07:46 217088 ----a-w- c:\windows\system32\DartSock.dll
2010-08-28 19:38 . 2002-02-21 08:12 118784 ----a-w- c:\windows\system32\DartWeb.dll
2010-08-28 19:38 . 1998-06-13 20:53 44544 ----a-w- c:\windows\system32\Gif89.dll
2010-08-28 19:38 . 2003-07-18 11:58 516784 ----a-r- c:\windows\system32\XceedCry.dll
2010-08-28 19:31 . 2010-08-28 19:31 -------- d-----w- c:\program files\PC Inspector File Recovery
2010-08-28 17:51 . 2010-08-28 19:30 -------- d-----w- c:\program files\Stellar Phoenix Photo Recovery
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-17 10:42 . 2010-07-22 14:04 -------- d-----w- c:\program files\Steam
2010-09-17 08:48 . 2009-08-14 14:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-17 08:19 . 2009-08-13 18:27 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-09-17 08:15 . 2009-08-13 18:17 -------- d-----w- c:\program files\F-Secure Internet Security
2010-09-17 08:11 . 2009-08-13 18:19 81800 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-09-17 08:08 . 2009-08-13 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2010-09-17 08:03 . 2009-08-14 05:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-09-17 07:32 . 2009-09-06 16:45 1235 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\SAS7_000.DAT
2010-09-17 07:13 . 2009-08-14 14:52 1 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-15 05:45 . 2009-08-13 17:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-09 12:27 . 2009-09-14 09:33 -------- d-----w- c:\program files\Opera
2010-09-01 09:39 . 2010-05-17 18:33 -------- d-----w- c:\program files\MWconn
2010-08-29 06:15 . 2010-03-04 16:39 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\U3
2010-08-28 19:20 . 2009-08-13 19:16 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\F-Secure
2010-08-17 13:17 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-15 08:10 . 2009-08-13 17:25 87340 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-08-08 09:53 . 2010-08-08 09:53 61440 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-sse.dll
2010-08-08 09:53 . 2010-08-08 09:53 503808 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcp71.dll
2010-08-08 09:53 . 2010-08-08 09:53 499712 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\jmc.dll
2010-08-08 09:53 . 2010-08-08 09:53 348160 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5d04deb7-n\msvcr71.dll
2010-08-08 09:53 . 2010-08-08 09:53 12800 ----a-w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7ddcd765-n\decora-d3d.dll
2010-08-07 12:42 . 2010-03-31 18:02 -------- d-----w- c:\program files\Safari
2010-08-07 12:38 . 2010-08-07 12:38 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 05:19 . 2009-08-13 18:27 -------- d-----w- c:\program files\Java
2010-07-25 16:37 . 2010-04-03 12:50 14776 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-07-24 14:00 . 2010-03-23 14:56 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\Skype
2010-07-24 13:56 . 2010-03-23 14:59 -------- d-----w- c:\documents and settings\Dr. Ulrich Gmelin\Application Data\skypePM
2010-07-22 15:49 . 2003-03-31 19:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-08-14 05:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-06-25 05:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2003-03-31 19:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-23 13:44 . 2003-03-31 19:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 02:48 . 2010-06-23 02:48 37376 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2010-06-23 02:47 . 2010-06-23 02:47 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2010-06-21 15:27 . 2003-03-31 19:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
.
(((((((((((((((((((((((((((( Registry Autostart Points (Reg Loading Points) ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2010-09-16 11:48 2735200 ----a-w- c:\program files\Hotspot_Shield\tbHot1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-08-28 1242448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-03 88267]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-23 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-23 536576]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-02 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-01-20 335872]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2010-09-17 200360]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2010-09-17 1654440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"PspContr"="PspContr.Exe" [2003-10-01 376832]
"PspUsbCf"="PspUsbCf.exe" [2003-10-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-04-20 2327552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Dr. Ulrich Gmelin\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jasp.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\jedi academy\\GameData\\jamp.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13621:UDP"= 13621:UDP:MFP Bot Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [13.08.2009 20:27 41624]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [13.08.2009 20:19 81800]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [13.08.2009 20:18 71496]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [20.04.2009 17:20 9216]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [13.08.2009 20:17 124072]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe [13.08.2009 20:18 58024]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\wbsd.sys [13.08.2009 19:48 27008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15.07.2010 13:20 136176]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [17.05.2010 20:05 7680]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [17.05.2010 20:07 110592]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [17.05.2010 20:06 105344]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [13.08.2009 20:17 40872]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [13.08.2009 20:17 26280]
--- Other Services/Drivers In Memory ---
*Deregistered* - winevvii
.
Contents of the 'Scheduled Tasks' folder
2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-15 11:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
IE: Senden an &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
TCP: {C789C896-85AD-4677-AFA1-B37C64724A90} = 192.168.0.1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-09-17 12:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?9?4?4??????? ???B???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1744)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
- - - - - - - > 'explorer.exe'(3564)
c:\program files\F-Secure Internet Security\Spam Control\fsscoepl.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\System32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\AGRSMMSG.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\F-Secure Internet Security\Common\FSHDLL32.EXE
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\windows\system32\PspContr.Exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2010-09-17 12:46:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-17 10:46
ComboFix2.txt 2010-09-16 18:50
Pre-Run: 54.130.880.512 bytes free
Post-Run: 54.116.417.536 bytes free
- - End Of File - - F4D806EBC4A3C675CD25A1848DEF5071
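As an added example (not part of the original post, and not ComboFix's own code), here is a small Python parser for the three line shapes that make up most of a log like the one above: the file-list lines of the "Files Created" and Find3M sections, and the quoted Run/BHO value lines. The sample lines embedded in it are copied from this log. Two assumptions are drawn from how the dates fall relative to each section's window in this log: in "Files Created" the first timestamp is the creation time and the second the last-write time, while in Find3M the order is reversed. The two triage helpers do what a reader does by hand: list files whose last-write time predates their creation time (an installer copying old binaries keeps the source's timestamp, which is what the system32 DLLs dated 2010-08-28 above look like, created in the same minute as c:\program files\Convar, but the same pattern is also what timestomping produces, so each such file is worth a look), and list Run entries whose command is a bare file name rather than a full path (these are resolved through the search path at logon, so confirm which file actually runs; the process list above shows c:\windows\AGRSMMSG.exe and c:\windows\system32\PspContr.Exe for two of them).

```python
"""Parser and triage helpers for ComboFix log lines.

Added example, not code from the original post or from ComboFix.
Sample lines are copied from the log above. Column order per section is
an assumption inferred from each section's date window in that log.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "2010-08-28 19:38 . 2000-10-02 10:27 125712 ----a-w- c:\windows\system32\VB6DE.DLL"
# size is "--------" for directories; the 8-char flag field carries d/h/a/w/r.
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# '"Steam"="c:\program files\steam\steam.exe" [2010-08-28 1242448]'
# (BHO/toolbar lines use the same shape with a GUID as the name and a space after "=")
RUN_LINE = re.compile(r'^"([^"]+)"=\s*"([^"]*)"\s*\[(\d{4}-\d\d-\d\d) (\d+)\]$')


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "d-----w-", "----a-w-", "---ha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs


@dataclass
class RunEntry:
    name: str
    command: str
    file_date: str
    size: int


def parse_file_section(text: str, section: str = "created") -> List[FileEntry]:
    """section='created' for the 'Files Created' block, 'find3m' for Find3M.
    Assumption: 'Files Created' lists created . modified, Find3M lists modified . created."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        d1, d2, size, attrs, path = m.groups()
        t1, t2 = (datetime.strptime(x, "%Y-%m-%d %H:%M") for x in (d1, d2))
        created, modified = (t1, t2) if section == "created" else (t2, t1)
        out.append(FileEntry(created, modified, None if size.startswith("-") else int(size), attrs, path))
    return out


def parse_run_entries(text: str) -> List[RunEntry]:
    out = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            name, cmd, date, size = m.groups()
            out.append(RunEntry(name, cmd, date, int(size)))
    return out


def backdated_files(entries: List[FileEntry]) -> List[FileEntry]:
    """Files (not directories) whose last-write time is older than their creation time."""
    return [e for e in entries if not e.is_dir and e.modified < e.created]


def unqualified_run_commands(entries: List[RunEntry]) -> List[str]:
    """Run values that name a bare executable with no directory component."""
    return [e.command for e in entries if "\\" not in e.command and "/" not in e.command]


# Constructed samples: lines copied from the ComboFix log above.
CREATED_SAMPLE = r"""
2010-09-16 11:34 . 2010-09-16 11:34 -------- d-----w- c:\program files\Enigma Software Group
2010-09-16 11:34 . 2010-09-16 11:49 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-08-28 19:38 . 2000-10-02 10:27 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-08-28 19:38 . 1998-06-17 22:00 89360 ----a-w- c:\windows\system32\VB5DB.DLL
2010-08-28 19:38 . 2003-07-18 11:58 516784 ----a-r- c:\windows\system32\XceedCry.dll
2010-08-28 19:31 . 2010-08-28 19:31 -------- d-----w- c:\program files\PC Inspector File Recovery
"""
FIND3M_SAMPLE = r"""
2010-09-17 08:19 . 2009-08-13 18:27 41624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-08-17 13:17 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-25 16:37 . 2010-04-03 12:50 14776 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-22 15:49 . 2003-03-31 19:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
"""
RUN_SAMPLE = r"""
"Steam"="c:\program files\steam\steam.exe" [2010-08-28 1242448]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-03 88267]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-02 28672]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2010-09-17 200360]
"PspContr"="PspContr.Exe" [2003-10-01 376832]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot1.dll" [2010-09-16 2735200]
"""

if __name__ == "__main__":
    for e in backdated_files(parse_file_section(CREATED_SAMPLE, "created")):
        print("backdated:", e.path, e.created, "<-", e.modified)
    for cmd in unqualified_run_commands(parse_run_entries(RUN_SAMPLE)):
        print("bare Run command:", cmd)
```

On the full log the same two helpers run over the whole "Files Created" block and the whole Run section; the section header lines and the "." separators simply fail the regexes and are skipped.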