Please help! A trojan tried to spy out my TAN data via a popup window during online banking at Postbank.
Malwarebytes, F-Secure and Windows Defender do not detect anything.
Here is the ComboFix logfile:
Code:
ComboFix 10-09-27.05 - Zuhause 28.09.2010 22:31:00.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.49.1031.18.1022.300 [GMT 2:00]
ausgeführt von:: c:\users\Zuhause\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows-Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\96729996.ini
c:\users\Zuhause\AppData\Local\Temp\cmdlperf.dll
c:\users\Zuhause\AppData\Roaming\Microsoft\Windows\Recent\1.url
c:\windows\system\Color
c:\windows\system32\jgaw400.dll
.
((((((((((((((((((((((( Dateien erstellt von 2010-08-28 bis 2010-09-28 ))))))))))))))))))))))))))))))
.
2010-09-28 20:59 . 2010-09-28 20:59 -------- d-----w- c:\users\Zuhause\AppData\Local\temp
2010-09-28 20:59 . 2010-09-28 20:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-28 20:02 . 2010-06-22 12:57 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 04:55 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-28 04:55 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-28 04:55 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-28 04:54 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-26 18:22 . 2010-09-26 18:22 -------- d-----w- c:\users\Zuhause\AppData\Roaming\QuickScan
2010-09-25 09:31 . 2010-09-25 09:31 -------- d-----w- c:\users\Zuhause\AppData\Local\Mozilla
2010-09-04 16:17 . 2010-09-04 16:17 -------- dc----w- c:\program files\iPod
2010-09-04 16:02 . 2010-09-04 16:04 -------- dc----w- c:\program files\QuickTime
2010-09-04 11:22 . 2010-09-04 11:22 -------- d-----w- c:\users\Zuhause\AppData\Local\Apps
2010-09-04 11:22 . 2010-09-04 16:07 -------- d-----w- c:\users\Zuhause\AppData\Local\Deployment
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 20:46 . 2010-07-04 20:14 -------- d-----w- c:\programdata\TwonkyMedia
2010-09-28 20:20 . 2010-07-04 20:14 -------- dc----w- c:\program files\TwonkyMedia
2010-09-28 20:17 . 2010-04-10 16:49 -------- dc----w- c:\program files\Microsoft Silverlight
2010-09-28 04:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-19 03:56 . 2006-11-02 15:33 618204 ----a-w- c:\windows\system32\perfh007.dat
2010-09-19 03:56 . 2006-11-02 15:33 122442 ----a-w- c:\windows\system32\perfc007.dat
2010-09-04 16:17 . 2008-04-22 19:59 -------- d-----w- c:\program files\Common Files\Apple
2010-09-01 18:15 . 2008-01-10 21:35 -------- d-----w- c:\users\Zuhause\AppData\Roaming\Skype
2010-09-01 17:07 . 2008-01-10 21:40 -------- d-----w- c:\users\Zuhause\AppData\Roaming\skypePM
2010-08-29 20:52 . 2006-12-12 17:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-28 21:28 . 2010-06-11 22:44 -------- d-----w- c:\programdata\city balm loud
2010-08-28 21:16 . 2007-08-25 09:39 -------- d-----w- c:\program files\WISO
2010-08-14 22:03 . 2007-10-27 08:05 -------- d-----w- c:\program files\Google
2010-08-13 21:19 . 2006-12-12 17:44 -------- d-----w- c:\program files\NewTech Infosystems
2010-08-13 21:19 . 2006-12-12 17:44 -------- d-----w- c:\program files\Common Files\NewTech Infosystems
2010-08-13 21:16 . 2009-11-19 11:31 -------- d-----w- c:\programdata\NOS
2010-08-13 17:14 . 2007-09-24 19:05 -------- d-----w- c:\program files\Common Files\Java
2010-08-13 17:09 . 2010-08-13 17:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-13 17:09 . 2007-09-25 20:04 -------- d-----w- c:\program files\Java
2010-08-08 15:18 . 2008-04-01 18:25 -------- d-----w- c:\program files\Larry
2010-08-08 14:24 . 2006-12-12 17:22 -------- d-----w- c:\program files\Acer Zone
2010-08-07 09:05 . 2010-08-02 20:32 -------- d-----w- c:\users\Zuhause\AppData\Roaming\LiveCAD3
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2003-11-17 118832]
"F-Secure TNB"="c:\program files\F-Secure\TNB\TNBUtil.exe" [2003-10-28 647168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="d:\musik\ITunes\iTunesHelper.exe" [2010-09-01 421160]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-25 110592]
Scanner Finder.lnk - c:\program files\ScanWizard 5\ScannerFinder.exe [2009-11-1 315392]
VPro500.lnk - c:\windows\VPro500.exe [2008-2-20 467968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bleh idol]
c:\programdata\Remote pure pure.mjkwt [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R2 MMEX300;AIWA MM-EX300 USB driver;c:\windows\system32\Drivers\MMEX300.sys [2001-03-06 46443]
R2 PPSCAN;PPSCAN; [x]
R3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [2006-12-28 4352]
R3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\DRIVERS\fwlanusb.sys [2006-12-28 265088]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\DRIVERS\NETFWDSL.SYS [x]
R3 SPC610NC;Philips SPC500NC Webcam;c:\windows\system32\DRIVERS\SPC610NC.SYS [2005-10-13 156800]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2007-07-01 682232]
S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2003-12-01 82304]
S0 sonypvl3;sonypvl3; [x]
S1 sonypvf3;sonypvf3; [x]
S1 sonypvt3;sonypvt3; [x]
S2 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2003-11-14 48720]
S2 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2003-11-14 42576]
S2 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2003-02-06 16048]
S2 PPCLASS;PPCLASS; [x]
S2 TwonkyMedia;TwonkyMedia;c:\program files\TwonkyMedia\twonkymediaserverwatchdog.exe [2009-05-04 263824]
.
Inhalt des "geplante Tasks" Ordners
2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 10:40]
2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 10:40]
2010-09-28 c:\windows\Tasks\User_Feed_Synchronization-{24A3E891-DFFF-433A-AF38-A978226196B4}.job
- c:\windows\system32\msfeedssync.exe [2010-09-05 04:24]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ycomp/defaults/su/*hxxp://de.yahoo.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Zuhause\AppData\Roaming\Mozilla\Firefox\Profiles\a17mrx9q.default\
FF - component: c:\users\Zuhause\AppData\Roaming\Mozilla\Firefox\Profiles\a17mrx9q.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Zuhause\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\Zuhause\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Zuhause\AppData\Roaming\Mozilla\Firefox\Profiles\a17mrx9q.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: d:\musik\ITunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX Richtlinien ----
d:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-09-28 22:59
Windows 6.0.6001 Service Pack 1 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-09-28 23:15:50
ComboFix-quarantined-files.txt 2010-09-28 21:15
Vor Suchlauf: 12 Verzeichnis(se), 50.901.360.640 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 50.891.751.424 Bytes frei
- - End Of File - - FD791911E8B64C357EB21D852068DB64
--- --- ---