| |
| |||||||
Log-Analyse und Auswertung: Windows recovery trojaner weg?Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
 |
| |
25.04.2011, 20:42
| #1 |
| /// Winkelfunktion /// TB-Süch-Tiger™   |  Windows recovery trojaner weg? Dann bitte jetzt CF ausführen: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
26.04.2011, 15:00
| #2 |
 | Windows recovery trojaner weg? Hier das Log-file von combofix:
__________________Code:
ATTFilter ComboFix 11-04-25.02 - julsch 26.04.2011 13:24:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3032.1893 [GMT 2:00]
ausgeführt von:: c:\users\julsch\Desktop\cofi.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((( Dateien erstellt von 2011-03-26 bis 2011-04-26 ))))))))))))))))))))))))))))))
.
.
2011-04-26 11:28 . 2011-04-26 11:28 -------- d-----w- c:\users\julsch\AppData\Local\temp
2011-04-26 11:28 . 2011-04-26 11:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-25 17:23 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6F638301-4229-42BD-B55C-54EB1AE0594E}\mpengine.dll
2011-04-24 06:54 . 2011-04-24 06:54 -------- d-----w- C:\_OTL
2011-04-24 06:41 . 2011-04-24 06:41 -------- d-----w- c:\windows\Internet Logs
2011-04-16 17:56 . 2010-01-05 09:31 9216 ----a-w- c:\windows\system32\drivers\massfilter.sys
2011-04-16 17:56 . 2010-01-05 09:31 114688 ----a-w- c:\windows\system32\drivers\ZTEusbnet.sys
2011-04-16 17:56 . 2010-01-05 09:31 105088 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
2011-04-16 17:56 . 2010-01-05 09:31 105088 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
2011-04-16 17:56 . 2010-01-05 09:31 105088 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
2011-04-16 17:56 . 2011-04-16 17:56 -------- d-----w- c:\windows\system32\SupportAppCB
2011-04-16 17:56 . 2011-04-16 17:57 -------- d-----w- c:\program files\Join Air
2011-04-15 06:55 . 2011-04-15 06:56 -------- d-----w- C:\temp
2011-04-13 16:13 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-10 21:30 . 2011-04-10 21:30 -------- d-----w- c:\users\julsch\AppData\Roaming\Malwarebytes
2011-04-10 21:28 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-10 21:28 . 2011-04-10 21:28 -------- d-----w- c:\programdata\Malwarebytes
2011-04-10 21:28 . 2011-04-10 22:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-10 21:28 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-29 19:24 . 2011-03-29 19:24 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-29 19:24 . 2011-03-29 19:24 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-29 19:24 . 2011-03-29 19:24 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-29 19:24 . 2011-03-29 19:24 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-29 19:24 . 2011-03-29 19:24 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-29 19:24 . 2011-03-29 19:24 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-29 19:24 . 2011-03-29 19:24 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-29 19:24 . 2011-03-29 19:24 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-16 18:16 . 2009-06-19 10:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-22 14:13 . 2011-03-23 19:23 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 19:23 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 19:23 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-02 16:11 . 2009-12-11 13:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-29 19:24 . 2011-03-29 19:24 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-28 16:47 . 2010-07-28 16:47 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"TomTomHOME.exe"="c:\programme\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECDeject"="c:\progra~1\ECDeject\CDeject.exe" [2008-07-01 371208]
"FSCRecovery"="c:\program files\Fujitsu Siemens Computers\Fujitsu Siemens Computers Recovery\FSCRecoveryReminder.exe" [2008-06-18 268096]
"OSD"="c:\program files\OEM\OSD_1.16\osd.exe" [2008-06-18 376832]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-20 7625248]
"PDFPrint"="c:\program files\pdf24\pdf24.exe" [2010-03-11 208528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"UIExec"="c:\program files\Join Air\UIExec.exe" [2010-04-27 138072]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - d:\julsch programme\Word 2002\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 21:10 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-28 16:47 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google EULA Launcher]
2008-05-28 11:40 20480 ----a-w- c:\program files\Google\Google EULA\GoogleEULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhonostarAgent]
2009-05-13 16:33 98304 ----a-w- c:\program files\phonostar\ps_agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhonostarTimer]
2009-05-13 16:35 126976 ----a-w- c:\program files\phonostar\ps_timer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 09:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-28 15:32 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9c7585d398cd5;Google Update Service (gupdate1c9c7585d398cd5);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-06-22 100736]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-05 9216]
R3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\Drivers\usb2vcom.sys [2006-07-17 30368]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 zlportio;zlportio;c:\program files\UltraStar Deluxe\zlportio.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-12 691696]
S1 ECDejectPortIO;ECS ECDeject Port I/O;c:\progra~1\ECDeject\ECDejectIO.sys [2008-06-30 20104]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-07 135336]
S2 OsdService;OSD Service;c:\program files\OEM\OSD_1.16\OsdService.exe [2008-02-22 94208]
S2 TomTomHOMEService;TomTomHOMEService;c:\programme\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
S2 UI Assistant Service;UI Assistant Service;c:\program files\Join Air\AssistantServices.exe [2010-04-27 247152]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-15 224384]
S3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [2008-06-17 7168]
S3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [2008-03-31 8192]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-07 85136]
S3 NETw5v32;Intel(R) Wireless WiFi Link Adaptertreiber für Windows Vista 32-Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-05-01 3660800]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners
.
2011-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 16:50]
.
2011-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 16:50]
.
2011-02-26 c:\windows\Tasks\Norton Security Scan for julsch.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-08-15 07:48]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.newversionchecker.com/?redr=www.easiestutils.com
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Nach Microsoft &Excel exportieren - d:\julsch~1\WORD20~1\OFFICE11\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\julsch\AppData\Roaming\Mozilla\Firefox\Profiles\gn71tj6a.default\
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
HKU-Default-Run-fsc-reg - c:\fsc-reg\fscreg.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-04-26 13:28
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-4277230104-2431832393-3335920314-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:0a,9b,aa,9f,bc,61,04,0d,6a,10,e4,8c,79,63,58,eb,d7,97,ca,36,ff,
b0,0d,9b,56,41,ea,e3,9c,f1,6e,34,0e,b4,43,31,1f,a1,db,94,e4,f9,5c,bd,81,66,\
"rkeysecu"=hex:10,d6,b9,9f,b0,e6,f4,e7,2a,be,dc,26,c8,10,a4,d0
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{0a768961-f322-4e8b-9c44-cc27116f4786}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:100016ea
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{40685c80-81aa-45fd-b5c8-48f188fd03fb}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:17020054
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{5a88f94d-5c63-4254-9338-8de99611111a}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:15001644
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{8420a3ba-d7cd-420a-af1c-d7c06c0dc783}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0d00030d
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba32a50a-3d27-4fae-8591-5916311409be}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001422
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f70a361f-6437-4fcc-91a4-cd88d468d91b}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e001422
"Dhcpv6State"=dword:00000000
.
Zeit der Fertigstellung: 2011-04-26 13:30:50
ComboFix-quarantined-files.txt 2011-04-26 11:30
.
Vor Suchlauf: 24 Verzeichnis(se), 42.194.718.720 Bytes frei
Nach Suchlauf: 26 Verzeichnis(se), 42.120.085.504 Bytes frei
.
- - End Of File - - AECE0D4CA49F5FD64A1A212198865298
|
|
| Themen zu Windows recovery trojaner weg? |
| .dll, 0x00000001, adobe, antivir, avgntflt.sys, avira, bho, ccsetup, defender, desktop, downloader, error, excel, excel.exe, explorer, firefox, frage, helper, home, intranet, location, log-file, logfile, mozilla, nicht sicher, oldtimer, otl.exe, pdf, plug-in, registry, scan, sched.exe, searchplugins, software, sptd.sys, staropen, start menu, system wiederherstellung, trojaner, vista, windows |
Hybrid-Darstellung
