|
Log-Analyse und Auswertung: win32/olmarik.ajl - combofix.logWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
17.05.2011, 11:52 | #1 |
| win32/olmarik.ajl - combofix.log hi habe mich schonmal ein bissel durchs board geklickt und ein wenig vorarbeit geleistet. den virus habe ich mir am wochenende auf ner lan eingefangen vermute ich. mein sys möchte auch nur ungern neu aufsetzen. hoffe ihr könnt etwas mit der combofix log anfangen combofix.txt Code:
ATTFilter ComboFix 11-05-15.04 - apeXX 16.05.2011 11:15:49.1.2 - x64 Microsoft Windows 7 Enterprise 6.1.7600.0.1252.49.1031.18.4094.2722 [GMT 2:00] ausgeführt von:: c:\users\apeXX\Desktop\confi.exe AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5} SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18} SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Neuer Wiederherstellungspunkt wurde erstellt . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\program files (x86)\mm.BOT c:\program files (x86)\mm.BOT\Logs\_STATS.ini c:\users\apeXX\AppData\Roaming\Adobe\plugs c:\users\apeXX\AppData\Roaming\Adobe\plugs\mmc1692015.txt c:\users\apeXX\AppData\Roaming\Adobe\shed c:\users\apeXX\AppData\Roaming\Adobe\shed\thr1.chm c:\windows\SysWow64\AdmDll.dll c:\windows\SysWow64\raddrv.dll . . ((((((((((((((((((((((( Dateien erstellt von 2011-04-16 bis 2011-05-16 )))))))))))))))))))))))))))))) . . 2011-05-16 09:19 . 2011-05-16 09:19 -------- d-----w- c:\users\Default\AppData\Local\temp 2011-05-16 08:52 . 2011-05-16 08:52 -------- d-----w- c:\program files\CCleaner 2011-05-11 15:15 . 2011-05-12 07:44 -------- d-----w- c:\users\apeXX\AppData\Roaming\TeamViewer 2011-05-11 14:54 . 2011-05-11 14:54 -------- d-----w- c:\program files (x86)\TeamViewer 2011-04-30 17:19 . 2011-04-30 17:19 -------- d-----w- c:\program files (x86)\Logitech 2011-04-30 17:19 . 2003-09-03 00:28 724992 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iKernel.dll 2011-04-30 17:19 . 2003-09-03 00:27 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\ctor.dll 2011-04-30 17:19 . 2003-09-03 00:26 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iscript.dll 2011-04-30 17:19 . 2003-09-03 00:26 192512 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iuser.dll 2011-04-30 17:19 . 2003-09-03 00:25 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\DotNetInstaller.exe 2011-04-30 17:19 . 2011-04-30 17:19 311428 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\Setup.dll 2011-04-30 17:19 . 2011-04-30 17:19 184452 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\00\Intel32\iGdi.dll 2011-04-30 17:19 . 2001-09-05 02:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll 2011-04-30 17:19 . 2001-09-05 02:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll 2011-04-30 17:19 . 2001-09-05 02:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll 2011-04-30 17:19 . 2001-09-05 02:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll 2011-04-26 09:18 . 2011-04-26 09:22 -------- d-----w- c:\program files (x86)\Microsoft Games 2011-04-20 20:39 . 2011-04-20 20:39 -------- d-----w- c:\programdata\Blizzard 2011-04-17 18:15 . 2011-04-17 18:16 -------- d-----w- c:\users\apeXX\AppData\Roaming\WRM . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-15 18:30 . 2010-11-06 21:02 280768 ----a-w- c:\windows\SysWow64\PnkBstrB.exe 2011-05-15 18:30 . 2010-11-06 21:02 280768 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr 2011-05-15 18:21 . 2010-11-06 21:02 215128 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0 2011-05-10 16:49 . 2009-07-13 23:28 6656 ----a-w- c:\windows\system32\lpcio.dll 2011-04-26 09:15 . 2009-08-18 10:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll 2011-04-26 09:15 . 2009-08-18 09:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-03-20 21:39 . 2011-03-20 21:37 2829 ----a-w- c:\windows\War3Unin.pif 2011-03-20 21:39 . 2011-03-20 21:37 139264 ----a-w- c:\windows\War3Unin.exe 2011-02-22 22:17 . 2011-02-22 21:54 21840 ----atw- c:\windows\SysWow64\SIntfNT.dll 2011-02-22 22:17 . 2011-02-22 21:54 17212 ----atw- c:\windows\SysWow64\SIntf32.dll 2011-02-22 22:17 . 2011-02-22 21:54 12067 ----atw- c:\windows\SysWow64\SIntf16.dll 2011-02-22 21:51 . 2011-02-22 21:51 2829 ----a-w- c:\windows\DIIUnin.pif 2011-02-22 21:51 . 2011-02-22 21:51 102400 ----a-w- c:\windows\DIIUnin.exe 2011-02-15 17:39 . 2010-11-06 21:02 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe 2011-02-15 15:29 . 2010-11-11 13:12 3360624 ----a-w- c:\windows\SysWow64\pbsvc.exe . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696] "AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 52\axcmd.exe" [2009-04-24 203928] "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-04-01 15145352] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2004-12-14 458752] "LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2004-12-14 217088] . c:\users\apeXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ CurseClientStartup.ccip [2011-4-24 0] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R3 cpuz130;cpuz130;c:\users\apeXX\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x] R3 ENTECH64;ENTECH64;c:\windows\system32\DRIVERS\ENTECH64.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x] R3 VSPerfDrv100;Performance Tools Driver 10.0;g:\microsoft visual studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-17 68440] R3 WSDPrintDevice;WSD-Druckunterstützung durch UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x] R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-09-23 4476096] S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x] S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x] S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [x] S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x] S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-02-22 810120] S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256] S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312] S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x] S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760] S3 RTL8167;Realtek 8167 NT-Treiber;c:\windows\system32\DRIVERS\Rt64win7.sys [x] . . . --------- x86-64 ----------- . . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-02-22 2837256] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Zusätzlicher Suchlauf ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 LSP: %SystemRoot%\system32\PrxerDrv.dll LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll TCP: {BEA49E4B-ABD1-4BB6-91AF-FB13DB6E8A98} = 192.168.0.1 FF - ProfilePath - c:\users\apeXX\AppData\Roaming\Mozilla\Firefox\Profiles\xcsmjml2.default\ FF - prefs.js: network.proxy.socks - nutte:fl0w@85.214.239.199 FF - prefs.js: network.proxy.socks_port - 48800 FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} FF - Ext: TweakMDB: {15a82062-5139-4855-9706-130a8a4be80c} - %profile%\extensions\{15a82062-5139-4855-9706-130a8a4be80c} FF - Ext: <?xmlversion=1.0?><RDF xmlns=hxxp://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=hxxp://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{ba2430e0-5b72-4cac-bc9e-7d1aaca75d3d}: {ba2430e0-5b72-4cac-bc9e-7d1aaca75d3d} - %profile%\extensions\{ba2430e0-5b72-4cac-bc9e-7d1aaca75d3d} FF - Ext: eBay Sidebar for Firefox: {62760FD6-B943-48C9-AB09-F99C6FE96088} - %profile%\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088} FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca} . - - - - Entfernte verwaiste Registrierungseinträge - - - - . AddRemove-mIRC - e:\_ownage\__progz\mIRC\mirc.exe AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe AddRemove-PlugY Update - l:\diablo ii\Uninstal.exe . . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_USERS\S-1-5-21-3500177894-3310607779-1424330107-1001\Software\SecuROM\License information*] "datasecu"=hex:3e,fc,f2,72,ce,27,0e,c2,6d,3e,f1,20,ef,29,61,09,67,0a,d2,15,ba, ea,6b,e0,81,01,35,33,31,8a,b4,7e,31,09,7d,d0,41,25,72,97,a1,ef,3f,83,1b,0f,\ "rkeysecu"=hex:6e,36,60,8e,71,36,8f,b7,11,3f,f3,51,39,28,58,02 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Zeit der Fertigstellung: 2011-05-16 11:21:52 ComboFix-quarantined-files.txt 2011-05-16 09:21 . Vor Suchlauf: 9.031.675.904 Bytes frei Nach Suchlauf: 9.045.110.784 Bytes frei . - - End Of File - - C634EE20294452D29A6E9993E5F07000 mfg |
17.05.2011, 12:26 | #2 | |
/// Winkelfunktion /// TB-Süch-Tiger™ | win32/olmarik.ajl - combofix.log Bitte beachten => http://www.trojaner-board.de/95173-b...es-posten.html und http://www.trojaner-board.de/69886-a...-beachten.html
__________________Einen ganz klaren Hinweis gibt es auch zu http://www.trojaner-board.de/95175-combofix.html Zitat:
__________________ |
Themen zu win32/olmarik.ajl - combofix.log |
adblock, adobe, antivirus, combofix, dateien, defender, desktop, ebay, eset nod32, firefox, hex, lan, log, mozilla, neu, nvidia, office, performance, realtek, remote, securom, service.exe, software, sptd.sys, start menu, studio, system, system32, syswow64, virus, visual studio, windows |