TR/Kazy/WTR /CCC /verschwundene Dateien

sch8mid · 03.05.2011, 12:12

Bin wohl gestern von allen symptomen (WTR Loader-CCC funktioniert nicht-
bis zu verschwundenen Dateien und Desktopordnern) befallen worden.
nachdem ich ein paar Stunden recht idiotisch mit dem Microsoft security zeugs
und mit AVira rumgesandelt habe ,bin ich gottseidank auf eure excellente seite gestossen.

OTL-systemscan gemacht , mit malwarebyte gescannt (2 böse sachen )
brachten mir den desktop wieder , "unhide" auch die verschwundenen dateien.

combofix installiert .Mit Antivir gescannt.

Alle scheint wieder in Ordnung .

ich würde jetzt gerne ein komplettes backup von C machen und hätte hierbei die passende frage :

"Ist alles o.k wenn ein komplettscan mit Antivir nichts mehr entdeckt und
ein durchlauf von combofix so aussieht" :

Danke

Armin

Combofix Logfile:

Code:

ATTFilter

ComboFix 11-05-02.04 - armin schmid 03.05.2011  11:14:51.3.8 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.3582.2697 [GMT 2:00]
ausgeführt von:: c:\users\armin schmid\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-04-03 bis 2011-05-03  ))))))))))))))))))))))))))))))
.
.
2011-05-03 09:17 . 2011-05-03 09:17	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-05-03 05:26 . 2011-05-03 05:26	--------	d-----w-	c:\users\armin schmid\AppData\Roaming\Malwarebytes
2011-05-03 05:26 . 2010-12-20 16:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-03 05:26 . 2011-05-03 05:26	--------	d-----w-	c:\programdata\Malwarebytes
2011-05-03 05:26 . 2010-12-20 16:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-05-03 04:53 . 2011-05-03 04:53	--------	d-----w-	c:\programdata\ATI
2011-05-03 04:53 . 2011-05-03 04:53	--------	d-----w-	c:\program files\Common Files\ATI Technologies
2011-05-03 04:51 . 2011-05-03 04:51	--------	d-----w-	c:\program files\ATI
2011-05-02 19:44 . 2011-04-10 22:04	7071056	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{91466CAA-D81F-4EB0-BC13-2C100CC45872}\mpengine.dll
2011-05-02 19:35 . 2011-03-04 14:11	137656	----a-w-	c:\windows\system32\drivers\avipbb.sys
2011-05-02 19:35 . 2011-03-04 12:36	61960	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-05-02 18:11 . 2011-05-02 18:11	--------	d-----w-	c:\users\armin schmid\AppData\Roaming\Avira
2011-05-02 18:06 . 2011-05-02 18:06	--------	d-----w-	c:\programdata\Avira
2011-05-02 18:06 . 2011-05-02 18:06	--------	d-----w-	c:\program files\Avira
2011-04-30 12:46 . 2011-05-02 18:09	--------	d-----w-	c:\users\armin schmid\AppData\Roaming\Ylomo
2011-04-30 12:46 . 2011-05-02 18:02	--------	d-----w-	c:\users\armin schmid\AppData\Roaming\Ecykc
2011-04-28 18:44 . 2011-04-28 18:45	--------	d-----w-	c:\program files\Google
2011-04-28 18:44 . 2011-04-28 18:44	--------	d-----w-	c:\users\armin schmid\AppData\Local\Google
2011-04-24 08:19 . 2011-02-24 05:38	288256	----a-w-	c:\windows\system32\XpsGdiConverter.dll
2011-04-24 08:19 . 2011-02-19 06:30	805376	----a-w-	c:\windows\system32\FntCache.dll
2011-04-24 08:19 . 2011-02-19 06:30	1076736	----a-w-	c:\windows\system32\DWrite.dll
2011-04-24 08:19 . 2011-02-19 06:30	739840	----a-w-	c:\windows\system32\d2d1.dll
2011-04-05 22:33 . 2011-01-27 08:57	439632	------w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7B59513-F2DE-45A6-8BCE-FBB10EA8BCF3}\gapaengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 15:51 . 2011-02-25 15:51	3584	----a-r-	c:\users\armin schmid\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-02-25 07:58 . 2009-07-14 02:05	152576	----a-w-	c:\windows\system32\msclmd.dll
2011-02-03 05:54 . 2011-02-13 02:18	219008	----a-w-	c:\windows\system32\drivers\dxgmms1.sys
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YAAC"="c:\program files\Tools&More\YAAC\YAAC.exe" [2004-10-25 327680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2010-02-04 289368]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"avgnt"="d:\dienstprogramme\AVIRA\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"Malwarebytes' Anti-Malware (reboot)"="d:\dienstprogramme\Malware\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\windows\System32\DriverStore\FileRepository\atiilhag.inf_x86_neutral_1d882551ede2c65b"="del" [X]
"c:\windows\System32\DriverStore\FileRepository\cl106232.inf_x86_neutral_885970445255996f"="del" [X]
"c:\windows\System32\DriverStore\FileRepository\cw106232.inf_x86_neutral_6cf75ba43cfe598c"="del" [X]
"c:\windows\System32\DriverStore\FileRepository\cw112250.inf_x86_neutral_fd10f2c7f2f1a821"="del" [X]
"c:\windows\System32\DriverStore\FileRepository\cw_98768.inf_x86_neutral_a142c167d8a0e4ff"="del" [X]
"c:\windows\winsxs\x86_atiilhag.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a33bc4f3705f38f0"="del" [X]
"c:\windows\winsxs\x86_atiilhag.inf_31bf3856ad364e35_6.1.7600.16385_none_a574bbd4a69c292d"="del" [X]
"c:\windows\winsxs\x86_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_a7a5cf9ca38aacc7"="del" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^armin schmid^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CPU-Tweaker.exe.lnk]
path=c:\users\armin schmid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CPU-Tweaker.exe.lnk
backup=c:\windows\pss\CPU-Tweaker.exe.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07	932288	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-06-28 20:50	75048	----a-w-	c:\program files\Cyberlink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2010-03-03 18:16	284696	----a-w-	c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NUSB3MON]
2010-04-27 02:09	113288	----a-w-	c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 09:17	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2010-02-02 22:08	87336	------w-	d:\video_hd\PowerDVD_10\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
"Adobe Reader Speed Launcher"="d:\dienstprogramme\Adobe_Reader\Reader\Reader_sl.exe"
"iTunesHelper"="d:\video_hd\iTunes\iTunesHelper.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R1 MpKsl1db77c7b;MpKsl1db77c7b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BFA813D4-59DC-4936-A235-D8F3E0BB999C}\MpKsl1db77c7b.sys [x]
R1 MpKsl4f13dc28;MpKsl4f13dc28;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D7EB594-C3D3-41E9-831F-2BAEC59C9391}\MpKsl4f13dc28.sys [x]
R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ALSysIO;ALSysIO;c:\users\ARMINS~1\AppData\Local\Temp\ALSysIO.sys [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2010-11-17 101392]
R3 cpuz130;cpuz130;c:\users\ARMINS~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft-Netzwerkinspektion;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R4 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-03 13336]
R4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S0 MDFSYSNT;MacDrive file system driver; [x]
S0 MDPMGRNT;MacDrive partition driver; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-10-04 691696]
S1 CBDisk;CBDisk;c:\windows\system32\drivers\CBDisk.sys [2010-01-13 57800]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2010/09/21 19:06];d:\video_hd\PowerDVD_10\PowerDVD10\NavFilter\000.fcl [2010-06-28 20:50 87536]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 172032]
S2 AntiVirSchedulerService;Avira AntiVir Planer;d:\dienstprogramme\AVIRA\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [2010-01-07 192512]
S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 5430272]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 157184]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-07-27 60800]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-07-27 140672]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-22 278560]
S3 ttBudget2;TechnoTrend BDA/DVB (BDA);c:\windows\system32\drivers\ttBudget2.sys [2010-08-22 457472]
S3 vadspdif;vadspdif;c:\windows\system32\DRIVERS\vadspdif.sys [2010-01-28 35512]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\armin schmid\AppData\Roaming\Mozilla\Firefox\Profiles\sj6h9k6k.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\d:\video_hd\PowerDVD_10\PowerDVD10\NavFilter\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2011-05-03  11:18:35
ComboFix-quarantined-files.txt  2011-05-03 09:18
.
Vor Suchlauf: 10 Verzeichnis(se), 41.843.265.536 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 41.790.877.696 Bytes frei
.
- - End Of File - - F953237D41D6581D549C2495F0ACC53D

--- --- ---

TR/Kazy/WTR /CCC /verschwundene Dateien

Log-Analyse und Auswertung: TR/Kazy/WTR /CCC /verschwundene Dateien

TR/Kazy/WTR /CCC /verschwundene Dateien

Ähnliche Themen: TR/Kazy/WTR /CCC /verschwundene Dateien