Evtl Trojaner Befall / Rootkit / a1vcwtl4.exe

kennyw · 08.01.2011, 23:29

Hey Leute,

Würde gerne wissen ob dieser PC befallen ist. Es handelt sich um den meiner Freundin , also nicht der gleiche wie der mit dem WoW Problem aus dem anderen Thread.

Habe folgende Logs gemacht :
HiJackthis Logfile:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23:46, on 08.01.2011
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Safe mode

Running processes:
C:\Windows\system32\ctfmon.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: add to &BOM - C:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears-Einstellungen - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 4989 bytes

--- --- ---

ComboFix

Combofix Logfile:

Code:

ATTFilter

ComboFix 11-01-08.01 - Chrissy 08.01.2011  23:15:22.2.2 - x86 MINIMAL
Microsoft Windows 7 Professional   6.1.7600.0.1252.49.1031.18.2046.1485 [GMT 1:00]
ausgeführt von:: c:\users\Chrissy\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((   Dateien erstellt von 2010-12-08 bis 2011-01-08  ))))))))))))))))))))))))))))))
.

2011-01-08 21:13 . 2010-12-20 17:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-08 21:13 . 2011-01-08 21:13	--------	d-----w-	c:\program files\Malwarebytes' Anti-
2011-01-08 21:13 . 2010-12-20 17:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-01-08 16:39 . 2011-01-08 16:39	--------	d-----w-	c:\users\Chrissy\AppData\Roaming\Malwarebytes
2011-01-08 16:06 . 2011-01-08 16:06	--------	d-----w-	c:\programdata\Malwarebytes
2011-01-08 08:59 . 2011-01-08 21:03	--------	d-----w-	c:\program files\Microsoft Security Client
2010-12-15 12:32 . 2010-12-15 12:32	--------	d-----w-	c:\program files\Common Files\Blizzard Entertainment

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-05 19:06 . 2010-11-05 19:06	281760 begin_of_the_skype_highlighting**************06 281760******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************06 281760******end_of_the_skype_highlighting begin_of_the_skype_highlighting**************06 281760******end_of_the_skype_highlighting	----a-w-	c:\windows\system32\drivers\atksgt.sys
2010-11-05 19:06 . 2010-11-05 19:06	25888	----a-w-	c:\windows\system32\drivers\lirsgt.sys
2010-11-05 18:50 . 2009-10-11 15:19	691696	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-09-25 16:41 . 2009-09-25 16:41	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-21 13683816]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-\mbam.exe" [2010-12-20 963976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"MobileConnect"=%programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-05 691696]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 135664]
R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2010-11-22 718072]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2009-09-11 9216]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-29 112128]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-29 102912]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000-Serie - Adaptertreiber für Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 R5U870FLx86;R5U870 UVC Lower Filter  ;c:\windows\system32\Drivers\R5U870FLx86.sys [2006-10-27 72704]
R3 R5U870FUx86;R5U870 UVC Upper Filter  ;c:\windows\system32\Drivers\R5U870FUx86.sys [2006-10-27 43904]
R3 RTCore32;RTCore32;c:\program files\RMClock\RTCore32.sys [2005-05-25 4608]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-11-06 227328]


--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile	REG_MULTI_SZ   	wcescomm rapimgr
LocalServiceRestricted	REG_MULTI_SZ   	WcesComm RapiMgr
.
Inhalt des "geplante Tasks" Ordners

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 15:11]

2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 15:11]
.
.
------- Zusätzlicher Suchlauf -------
.
IE: add to &BOM - c:\\PROGRA~1\\BIET-O~1\\\\AddToBOM.hta
LSP: bmnet.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Chrissy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ew6rxa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
 
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'lsass.exe'(472)
c:\windows\system32\bmnet.dll
.
Zeit der Fertigstellung: 2011-01-08  23:22:54
ComboFix-quarantined-files.txt  2011-01-08 22:22
ComboFix2.txt  2011-01-08 22:07

Vor Suchlauf: 15 Verzeichnis(se), 24.563.515.392 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 24.185.823.232 Bytes frei

- - End Of File - - E87C859D286659F7F5FBF7C7B4832D02

--- --- ---

Malwarebytes:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 5485

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

08.01.2011 22:51:20
mbam-log-2011-01-08 (22-51-20).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 215312
Laufzeit: 36 Minute(n), 1 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\Chrissy\AppData\Local\Temp\a1vcwtl4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Die Logs habe ich alle im abgesicherten Modus erstellt weil im normalern er die Programme abundzu nicht startet.

Evtl Trojaner Befall / Rootkit / a1vcwtl4.exe

Log-Analyse und Auswertung: Evtl Trojaner Befall / Rootkit / a1vcwtl4.exe

Evtl Trojaner Befall / Rootkit / a1vcwtl4.exe

Ähnliche Themen: Evtl Trojaner Befall / Rootkit / a1vcwtl4.exe