Trojaner-Board, Log-Analyse und Auswertung: xupdate.exe (https://www.trojaner-board.de/59455-xupdate-exe.html)

Gordonyde 08.09.2008 17:11

xupdate.exe
 
Dear community,

here is a log posted from the computer of an acquaintance. Somehow I get the feeling that quite a lot on this machine is phoning home. Could a trained eye take a look at it? As you can see, Kaspersky is installed on it, but unfortunately it finds nothing.

Thank you very much


StartupList report, 08.09.2002, 18:08:43
StartupList version: 1.52.2
Started from : C:\Dokumente und Einstellungen\Gerdi\Desktop\hijackthis1982\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\isnotify.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Gerdi\Desktop\hijackthis1982\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

nwiz = nwiz.exe /install
AVPCC = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
Adobe Photo Downloader = "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

swg = C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {0A668F4C-A122-00FA-5836-168541A3E4C7}
(no name) - (no file) - {14cd0a41-89bc-498e-92bd-ae1b62975a9e}
(no name) - (no file) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A}
(no name) - C:\Programme\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Programme\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
(no name) - (no file) - {c3703265-4671-4858-92a4-cba6a7b3bb45}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{24311111-1111-1121-1111-111191113457}]
CODEBASE = file://c:\eied_s7.cab

[{33331111-1111-1111-1111-611111193423}]

[{33331111-1111-1111-1111-611111193429}]

[{33331111-1111-1111-1111-611111193457}]
CODEBASE = file://c:\ex.cab

[{33331111-1111-1111-1111-611111193458}]
CODEBASE = file://c:\ex.cab

[{33331111-1111-1111-1111-615111193427}]

[{33331111-1111-1111-1111-622221193458}]
CODEBASE = file://c:\ex.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1105186082671

[{64311111-1111-1121-1111-111191113457}]
CODEBASE = file://c:\eied_s7.cab

[{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}]
CODEBASE = http://xscanner.spyshredderscanner.com/setup/webinst_de.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SystemCheck2: *Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*windows update = wuaurlt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*windows update = wuaurlt.exe
ishost.exe = ishost.exe
kernel32.dll = C:\WINDOWS\System32\isnotify.exe
issearch.exe = issearch.exe

--------------------------------------------------

End of report, 6.071 bytes
Report generated in 0,078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Franz1968 08.09.2008 17:35

Tell your acquaintance that most likely an RBot is phoning home: CastleCops® windows update wuaurlt.exe Startup and file information
He should set the machine up again from scratch and always keep his Windows up to date. Service Pack 3 has been out for a while now.
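The entries Franz1968 points at are exactly the kind a triage script can pull out of a StartupList report without a human reading every line: values under the policies\Explorer\Run keys, a value named like a system DLL that launches an .exe, Browser Helper Objects whose DLL is gone, and Download Program Files controls installed from a local .cab or an unknown host. The script below is an added example, not code from this thread and not part of StartupList or HijackThis. It parses the report format shown above and applies a few defender heuristics that are my own assumptions (the severity labels, the list of imitated DLL names and the TRUSTED_CODEBASE_DOMAINS allowlist are not from the thread). The sample input is an excerpt of the report posted above with blank lines removed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Excerpt of the StartupList report posted in the thread (blank lines dropped,
# only the sections the heuristics below examine). Raw string, so the Windows
# paths need no escaping.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AVPCC = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {0A668F4C-A122-00FA-5836-168541A3E4C7}
--------------------------------------------------
Enumerating Download Program Files:
[{33331111-1111-1111-1111-611111193457}]
CODEBASE = file://c:\ex.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1105186082671
[{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}]
CODEBASE = http://xscanner.spyshredderscanner.com/setup/webinst_de.cab
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*windows update = wuaurlt.exe
ishost.exe = ishost.exe
kernel32.dll = C:\WINDOWS\System32\isnotify.exe
--------------------------------------------------
"""

# Assumption: CODEBASE hosts the analyst treats as known-good vendor sites.
TRUSTED_CODEBASE_DOMAINS = ("microsoft.com", "macromedia.com")
# Assumption: value names that imitate core system DLLs while launching an .exe.
SYSTEM_DLL_NAMES = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = look at it by hand
    section: str
    detail: str


def split_sections(report: str) -> list[list[str]]:
    """Split the report at its dashed separator lines, dropping blank lines."""
    sections, current = [], []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("-----"):
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def check_autoruns(lines: list[str]) -> list[Finding]:
    """lines[0] is the section header, lines[1] the registry key, the rest 'name = value'."""
    if len(lines) < 2:
        return []
    key, findings = lines[1], []
    for entry in lines[2:]:
        name, _, value = entry.partition(" = ")
        reasons = []
        if "policies\\explorer\\run" in key.lower():
            reasons.append("policies\\Explorer\\Run is a Group Policy location home systems rarely populate")
        if name.startswith("*"):
            reasons.append("leading '*' makes the entry start even in Safe Mode")
        if name.lower() in SYSTEM_DLL_NAMES and ".exe" in value.lower():
            reasons.append("value name imitates a system DLL but launches an .exe")
        if reasons:
            findings.append(Finding("high", key, f"{name} = {value}: " + "; ".join(reasons)))
    return findings


def check_bhos(lines: list[str]) -> list[Finding]:
    """A BHO CLSID whose DLL is missing is a leftover, not active code, but worth a look."""
    return [Finding("review", "Browser Helper Objects", f"{line}: CLSID registered but DLL missing")
            for line in lines[1:] if " - (no file) - " in line]


def is_trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CODEBASE_DOMAINS)


def check_download_program_files(lines: list[str]) -> list[Finding]:
    findings, current = [], "?"
    for line in lines[1:]:
        if line.startswith("["):
            current = line.strip("[]")
        elif line.startswith("CODEBASE = "):
            codebase = line[len("CODEBASE = "):]
            url = urlparse(codebase)
            if url.scheme == "file":
                findings.append(Finding("high", "Download Program Files", f"{current}: control installed from local file {codebase}"))
            elif not is_trusted_host(url.hostname or ""):
                findings.append(Finding("review", "Download Program Files", f"{current}: control fetched from {url.hostname}"))
    return findings


def analyze(report: str) -> list[Finding]:
    findings = []
    for section in split_sections(report):
        header = section[0]
        if header.startswith("Autorun entries from Registry"):
            findings += check_autoruns(section)
        elif header.startswith("Enumerating Browser Helper Objects"):
            findings += check_bhos(section)
        elif header.startswith("Enumerating Download Program Files"):
            findings += check_download_program_files(section)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run on the excerpt it produces four "high" findings (the three policies\Explorer\Run values and the file:// control) and two "review" findings (the orphaned BHO and the control fetched from xscanner.spyshredderscanner.com); the Kaspersky autorun and the Windows Update control pass silently. The point of separating "high" from "review" is that the script decides nothing on its own: it orders the report so the analyst reads the entries that matter first.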

Gordonyde 11.09.2008 12:24

Quote:

Quote from Franz1968 (post 370431)
Tell your acquaintance that most likely an RBot is phoning home: CastleCops® windows update wuaurlt.exe Startup and file information
He should set the machine up again from scratch and always keep his Windows up to date. Service Pack 3 has been out for a while now.

Thanks for your help :)

