polopter | 13.01.2014 14:55 | Windows 7, Trojan-Downloader.Win32.Agent.hdtd?, Firefox remote-controlled
Hello,
Problem: in the Firefox browser the settings can no longer be saved. The result is that every time FF starts, 6 tabs from FF and add-ons open, and the search engine also stays Google. I read in the FF forum that a trojan is involved.
First off: because the Addition.txt was missing yesterday, I restarted the FRST64 scan today, but it hung and I aborted it.
Attempted solutions, see also the attached reports:
1. AdwCleaner, no success.
2. KIS 2013 full scan, found Trojan-Downloader.Win32.Agent.hdtd and deleted it, otherwise no success.
3. Ran HijackThis, no success.
4. Ran the Trojaner-Board scans on 12.1.2014 according to the instructions, and now I am asking for a review.
Additionally: at the moment I am using Foxit PDF Reader 611.1025.
Thanks in advance, Jan
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:16 on 12/01/2014 (PC-Adminstrator)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-01-2014 01
Ran by PC-Adminstrator (administrator) on JAN-PC on 13-01-2014 10:24:29
Running from C:\Users\PC-Adminstrator\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\psia.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(TomTom) C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
() C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe
() C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM-x32\...\Run: [HOSTS Anti-Adware_PUPs] - C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe [302961 2013-01-28] ()
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [AVP] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356128 2013-12-25] (Kaspersky Lab ZAO)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [MyDriveConnect.exe] - C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe [473496 2013-11-29] (TomTom)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
Startup: C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Analoguhr.lnk
ShortcutTarget: Analoguhr.lnk -> C:\Users\PC-Adminstrator\AppData\Local\Temp\Temp1_clock.zip\CLOCK.EXE (No File)
Startup: C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {95BAC19C-64B2-4F51-90A1-D892ADA97AA6} URL = hxxp://startpage.com/do/search?query={searchTerms}&cat=web&pl=ie&nossl=1&language=deutsch
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {11FA3227-BDD3-41DD-80CA-E44FE6260543} URL = hxxp://de.wikipedia.org/w/index.php?title=Spezial:Suche&search={searchTerms}
SearchScopes: HKCU - {95BAC19C-64B2-4F51-90A1-D892ADA97AA6} URL = hxxp://startpage.com/do/search?query={searchTerms}&cat=web&pl=ie&nossl=1&language=deutsch
BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
BHO-x32: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2014-01-12 13:18:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.80.0 931,51GB
Running: gmer_2.1.19163.exe; Driver: C:\Users\PC-ADM~2\AppData\Local\Temp\kfldypow.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fc1000 47 bytes [0F, BA, 2D, 38, 95, 11, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 576 fffff80002fc1030 24 bytes [8B, 4F, 10, 48, 3B, CD, 75, ...]
---- Threads - GMER 2.1 ----
Thread C:\Windows\System32\svchost.exe [996:2428] 000007fef3816b8c
Thread C:\Windows\System32\svchost.exe [996:236] 000007fef3811d88
Thread C:\Windows\System32\svchost.exe [384:3308] 000007fef46aa2b0
Thread C:\Windows\system32\svchost.exe [1288:2724] 000007fefaeabd88
Thread C:\Windows\system32\svchost.exe [1288:3620] 000007fef8e55170
Thread C:\Windows\system32\svchost.exe [1288:1672] 000007fefac05124
Thread C:\Windows\System32\spoolsv.exe [1416:2132] 000007fef54910c8
Thread C:\Windows\System32\spoolsv.exe [1416:2624] 000007fef5456144
Thread C:\Windows\System32\spoolsv.exe [1416:2620] 000007fef97d5fd0
Thread C:\Windows\System32\spoolsv.exe [1416:2680] 000007fef5433438
Thread C:\Windows\System32\spoolsv.exe [1416:2600] 000007fef97d63ec
Thread C:\Windows\System32\spoolsv.exe [1416:2608] 000007fef5745e5c
Thread C:\Windows\System32\spoolsv.exe [1416:2616] 000007fef5775074
Thread C:\Windows\System32\spoolsv.exe [1416:3616] 000007fef57e2288
Thread C:\Windows\system32\svchost.exe [1452:1624] 000007fef9d535c0
Thread C:\Windows\system32\svchost.exe [1452:1644] 000007fef9d55600
Thread C:\Windows\system32\svchost.exe [1452:3000] 000007fef4b32940
Thread C:\Windows\system32\svchost.exe [1452:2344] 000007fef4b12888
Thread C:\Windows\system32\svchost.exe [1452:2540] 000007fef4b12a40
Thread C:\Windows\system32\svchost.exe [1604:1716] 000007fef97d5fd0
Thread C:\Windows\system32\svchost.exe [1604:1720] 000007fef97d63ec
Thread C:\Windows\system32\svchost.exe [1604:3708] 000007fef7578470
Thread C:\Windows\system32\svchost.exe [1604:3080] 000007fef7582418
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{140C3DDB-846F-44E8-B6BE-3E7B2878A7FF}@InterfaceName isatap.{09F587B6-CEB9-4CF1-9A48-7F30A89E7E15}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{140C3DDB-846F-44E8-B6BE-3E7B2878A7FF}@ReusableType 0
---- EOF - GMER 2.1 ----
[Kaspersky KIS 2013 scan report]
Detected object | Action | Path | Time
FoxitReader602.04131_enu_Setup.exe | Deleted | C:\Documents and Settings\PC-Adminstrator\Documents\ | 08.01.2014 18:56:28
Trojan-Downloader.Win32.Agent.hdtd | Deleted | C:\Documents and Settings\PCAdminstrator\Documents\FoxitReader602.04131_enu_Setup.exe// | 08.01.2014 18:56:28
Trojan-Downloader.Win32.Agent.hdtd | Deleted | C:\Documents and Settings\PCAdminstrator\Documents\FoxitReader602.04131_enu_Setup.exe//data0490//# | 08.01.2014 18:40:40
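The FRST "Registry (Whitelisted)" section above is where a helper usually looks first: each `Run:`/`RunOnce:` line ends with a `(Vendor)` field, and each `ShortcutTarget:` line says whether the target still exists. The script below is an added example, not code from the post, from Trojaner-Board or from FRST, that parses lines of that shape and flags entries with an empty vendor string, a `(No File)` target, or a path under a user-writable location such as `AppData` or `%TEMP%`. The regexes, the flag categories and the `USER_WRITABLE` list are my own assumptions; the sample log is constructed to mirror the post's format, and the `updater` line in it is invented for illustration.

```python
"""Triage autostart lines from an FRST-style log.

Added example (not from the forum post or from FRST): flags Run/RunOnce and
ShortcutTarget entries that have no vendor string, point at a missing file,
or execute from a location a standard user can write to.
"""
import re

# One FRST Run/RunOnce line, e.g.
# HKLM-x32\...\Run: [Name] - C:\path\app.exe [size yyyy-mm-dd] (Vendor)
RUN_RE = re.compile(
    r"^(?P<hive>HK\S.*?)\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] - (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)$"
)
# One FRST ShortcutTarget line, e.g.
# ShortcutTarget: foo.lnk -> C:\path\app.exe (Vendor)   or   (No File)
LNK_RE = re.compile(
    r"^ShortcutTarget: (?P<name>.+?) -> (?P<path>.+?) \((?P<vendor>[^)]*)\)$"
)
# Assumed list of user-writable locations; a persistent autorun living here
# deserves a second look because no admin rights were needed to plant it.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)

# Constructed sample, modelled on the post's log; the "updater" line is invented.
SAMPLE_LOG = r"""
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM-x32\...\Run: [HOSTS Anti-Adware_PUPs] - C:\Program Files (x86)\Hosts_Anti_Adwares_PUPs\HOSTS_Anti-Adware_main.exe [302961 2013-01-28] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
HKCU\...\Run: [updater] - C:\Users\Jan\AppData\Roaming\updater\svc.exe [51200 2014-01-10] ()
ShortcutTarget: Analoguhr.lnk -> C:\Users\PC-Adminstrator\AppData\Local\Temp\Temp1_clock.zip\CLOCK.EXE (No File)
ShortcutTarget: OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
""".strip().splitlines()


def parse_entry(line):
    """Return a dict with name/path/vendor (plus hive/key/size/date for Run
    lines) or None if the line is not an autostart entry."""
    m = RUN_RE.match(line) or LNK_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry.setdefault("key", "ShortcutTarget")
    return entry


def flags_for(entry):
    """List the reasons an entry deserves a closer look (empty = unremarkable)."""
    reasons = []
    if entry["vendor"] == "No File":
        # FRST writes (No File) in the vendor slot when the target is gone.
        reasons.append("target file missing")
    elif not entry["vendor"]:
        # No company/version resource: weak signal on its own, many OEM tools
        # (see the Acer entries in the post's log) ship without one.
        reasons.append("no vendor string")
    if USER_WRITABLE.search(entry["path"]):
        reasons.append("runs from user-writable location")
    return reasons


def triage(lines):
    """Map each autostart name to its list of flags; non-matching lines are skipped."""
    result = {}
    for line in lines:
        entry = parse_entry(line.rstrip())
        if entry is not None:
            result[entry["name"]] = flags_for(entry)
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        if reasons:
            print(f"{name}: {', '.join(reasons)}")
```

Read the output as a worklist, not a verdict: "no vendor string" alone matches legitimate OEM utilities, whereas a missing target combined with a `%TEMP%` path (the `Analoguhr.lnk` case from the post) is a dead autostart that can simply be removed, and an unsigned binary under a user profile is the entry to hash and look up first.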