Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   kazy.mekml.1 Verdacht (https://www.trojaner-board.de/98370-kazy-mekml-1-verdacht.html)

magolves 28.04.2011 09:11
kazy.mekml.1 Verdacht
 
Hab ebenfalls einen "Blackscreen". Zunächst waren die Dateien auf dem Desktop zur Hälfte unsichtbar, Rest weg, habe dann versucht die wichtigen noch auf eine externe zu retten, jetzt sind alle weg, ebenfalls aus dem Startmenü. Unter "alle programme" sind nur noch leere Ordner. Benutze win7 64bit

OTL hab ich laufen lassen

All processes killed
========== OTL ==========
No active process named UEBeSifOsb.exe was found!
File rity] not found.
File PTYFLASH] not found.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.22.3 log created on 04282011_100016

Files\Folders moved on Reboot...

Das Movedfiles.rar lade ich jetzt hoch. Will nur sichergehen, dass ich nicht das falsche anwende, sollte es doch was anderes als der Trojaner sein, da ich nicht viel ahnung von derlei dingen habe.

markusg 28.04.2011 09:14
ja, deswegen tippt man ja auch nicht irgendwelche fixes ab sondern postet erst mal die otl logfiles :-)
klicke auf scan poste otl logs.

magolves 28.04.2011 09:28
ist das so korrekt? :)

markusg 28.04.2011 10:14
yes.
• Starte bitte die OTL.exe
• Kopiere nun das Folgende in die Textbox.

:OTL
O4 - HKCU..\Run: [LtuBJrJRDEvvaD] C:\ProgramData\LtuBJrJRDEvvaD.exe (WinTrust)
[2011/04/28 10:03:11 | 000,000,184 | -H-- | M] () -- C:\ProgramData\~44949256
[2011/04/28 10:03:11 | 000,000,144 | -H-- | M] () -- C:\ProgramData\~44949256r
[2011/04/28 02:05:30 | 000,000,392 | -H-- | M] () -- C:\ProgramData\44949256
:Files
C:\Users\kAfflerbach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
C:\Users\kAfflerbach\Desktop\Windows Recovery.lnk


:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[Reboot]

• Schliesse bitte nun alle Programme.
• Klicke nun bitte auf den Fix Button.
• OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
• Nach dem Neustart findest Du ein Textdokument, dessen inhalt in deiner nächsten antwort hier reinkopieren.

lade unhide:
http://filepony.de/download-unhide/
doppelklicken, dateien werden sichtbar
öffne computer, öffne C: dann _OTL
dort rechtsklick auf moved files
wähle zu moved files.rar oder zip hinzufügen.
http://www.trojaner-board.de/54791-a...ner-board.html

magolves 28.04.2011 10:35
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\LtuBJrJRDEvvaD deleted successfully.
C:\ProgramData\LtuBJrJRDEvvaD.exe moved successfully.
C:\ProgramData\~44949256 moved successfully.
C:\ProgramData\~44949256r moved successfully.
C:\ProgramData\44949256 moved successfully.
File rity] not found.
File PTYFLASH] not found.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.22.3 log created on 04282011_112417

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


---
unhide.exe hab ich gestartet, wird aber nichts sichtbar, steht nur "please be patient while your files are made visible again Processing C:\"

ist das normal/dauert das relativ lange? habe manuell das versteckt aus dem otl ordner genommen und lade die movedfiles jetzt in den upload

magolves 28.04.2011 10:39
muss mich korrigieren, dauert scheinbar echt eine weile, die zuletzt auf dem desktop verschwundenen ordner sind wieder sichtbar :)

markusg 28.04.2011 11:04
was machst du denn mit dem script, warum kopierst du das letzte nicht mehr richtig ab?
versteckt ists nicht mehr, unhide dauert n bissel.
füre das otl script aber noch mal aus und diesmal kopiere es komplett.
poste das neue log, upload ist aber nicht mehr nötig.

magolves 28.04.2011 14:24
das war das gesamte log, diesmal sieht es nicht umfangreicher aus:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\LtuBJrJRDEvvaD not found.
File C:\ProgramData\LtuBJrJRDEvvaD.exe not found.
File C:\ProgramData\~44949256 not found.
File C:\ProgramData\~44949256r not found.
C:\ProgramData\44949256.exe moved successfully.
File rity] not found.
File PTYFLASH] not found.
File ptytemp] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.22.3 log created on 04282011_151922

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

markusg 28.04.2011 14:26
du machst da irgendwas falsch.
du kopierst nicht das gesammte script.
kopierst du das wort :commants auch mit?
und laut otl wurde die malware jtzt auch noch mal entfernt, obwols laut erstem scan schon hätte klappen müssen

magolves 28.04.2011 14:39
ok, hab die commands mal aus nem anderen topic mit dem problem kopiert und es war dann in dem fenster bisschen anders formatmäßig. Glaub das hat geholfen:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\LtuBJrJRDEvvaD not found.
File C:\ProgramData\LtuBJrJRDEvvaD.exe not found.
File C:\ProgramData\~44949256 not found.
File C:\ProgramData\~44949256r not found.
File C:\ProgramData\44949256 not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 56502 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: kAfflerbach
->Flash cache emptied: 246288 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: kAfflerbach
->Temp folder emptied: 596306787 bytes
->Temporary Internet Files folder emptied: 269519443 bytes
->Java cache emptied: 21193242 bytes
->FireFox cache emptied: 101360814 bytes
->Opera cache emptied: 6889510 bytes
->Flash cache emptied: 456 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 31882370 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
RecycleBin emptied: 5726858669 bytes

Total Files Cleaned = 6,441.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04282011_153022

Files\Folders moved on Reboot...
C:\Users\kAfflerbach\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Windows\temp\mcmsc_TjcWuuprmRC1OaT not found!

Registry entries deleted on Reboot...

markusg 28.04.2011 14:50
bitte erstelle und poste ein combofix log.
Ein Leitfaden und Tutorium zur Nutzung von ComboFix

magolves 28.04.2011 16:41
Combofix Logfile:
Code:
ComboFix 11-04-27.03 - kAfflerbach 04/28/2011  16:30:11.1.2 - x64
Microsoft Windows 7 Home Premium  6.1.7600.0.1252.49.1031.18.3997.2596 [GMT 2:00]
ausgeführt von:: c:\users\kAfflerbach\Desktop\ComboFix.exe
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\coachsoffice\CoachsOffice.exe
C:\install.exe
c:\users\kAfflerbach\AppData\Roaming\cacaoweb
c:\users\kAfflerbach\AppData\Roaming\cacaoweb\adstorage.db
c:\users\kAfflerbach\AppData\Roaming\cacaoweb\cacaoweb.exe
c:\users\kAfflerbach\AppData\Roaming\cacaoweb\storage.db
c:\users\kAfflerbach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
c:\users\kAfflerbach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
c:\users\kAfflerbach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
c:\users\kAfflerbach\Desktop\Windows Recovery.lnk
c:\users\kAfflerbach\OTL.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\jusched.exe
c:\windows\SysWow64\bszip.dll
.
.
(((((((((((((((((((((((  Dateien erstellt von 2011-03-28 bis 2011-04-28  ))))))))))))))))))))))))))))))
.
.
2011-04-28 15:09 . 2011-04-28 15:09        --------        d-----w-        c:\users\Default\AppData\Local\temp
2011-04-28 08:00 . 2011-04-28 14:27        --------        d-----w-        C:\_OTL
2011-04-27 06:04 . 2011-02-18 06:33        31232        ----a-w-        c:\windows\system32\prevhost.exe
2011-04-27 06:04 . 2011-02-18 05:33        31232        ----a-w-        c:\windows\SysWow64\prevhost.exe
2011-04-26 09:42 . 2011-04-11 08:21        8802128        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{4643C2E6-139A-4CF3-A2E8-4401A6F401C1}\mpengine.dll
2011-04-22 07:52 . 2011-04-25 22:55        --------        d-----w-        c:\users\kAfflerbach\AppData\Local\S2
2011-04-21 11:44 . 2011-04-21 11:44        --------        d-----w-        c:\program files (x86)\Ubisoft
2011-04-19 14:57 . 2011-03-03 06:17        182272        ----a-w-        c:\windows\system32\dnsrslvr.dll
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 07:33 . 2010-06-24 09:33        18328        ----a-w-        c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-19 06:37 . 2011-03-14 22:06        1135104        ----a-w-        c:\windows\system32\FntCache.dll
2011-02-19 06:37 . 2011-03-14 22:06        1540608        ----a-w-        c:\windows\system32\DWrite.dll
2011-02-19 06:36 . 2011-03-14 22:06        902656        ----a-w-        c:\windows\system32\d2d1.dll
2011-02-19 05:32 . 2011-03-14 22:06        1074176        ----a-w-        c:\windows\SysWow64\DWrite.dll
2011-02-19 05:32 . 2011-03-14 22:06        739840        ----a-w-        c:\windows\SysWow64\d2d1.dll
2011-02-18 15:36 . 2011-02-18 15:36        51712        ----a-w-        c:\windows\system32\drivers\usbaapl64.sys
2011-02-18 15:36 . 2011-02-18 15:36        4184352        ----a-w-        c:\windows\system32\usbaaplrc.dll
2011-02-02 16:11 . 2011-03-20 12:57        270720        ------w-        c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0002ee26-8c11-49eb-9cdf-56eeffef664f}"= "c:\program files (x86)\HotSpot_International\tbHot0.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{0002ee26-8c11-49eb-9cdf-56eeffef664f}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0002ee26-8c11-49eb-9cdf-56eeffef664f}]
2010-10-18 10:26        3908192        ----a-w-        c:\program files (x86)\HotSpot_International\tbHot0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{0002ee26-8c11-49eb-9cdf-56eeffef664f}"= "c:\program files (x86)\HotSpot_International\tbHot0.dll" [2010-10-18 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{0002ee26-8c11-49eb-9cdf-56eeffef664f}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2009-12-31 1245184]
"FATrayAlert"="c:\program files\Alienware\Command Center\AlienSense\FATrayMon.exe" [2009-12-19 95560]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-04-29 75048]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"mcagent_exe"="c:\program files (x86)\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-01 421160]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2010-09-30 560128]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\kAfflerbach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
Registration Die Siedler II - Die n„chste Generation.LNK - c:\program files (x86)\Ubisoft\Funatics\Die Siedler II - Die n„chste Generation\bin\RegistrationReminder.exe [2006-7-17 868352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2009-12-19 18:36        140616        ----a-w-        c:\program files\Alienware\Command Center\AlienSense\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages        REG_MULTI_SZ          kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
R0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R4 Brdtvsm2ebu;Brdtvsm2ebu;c:\windows\system32\auditpol.exe [2009-07-14 64000]
R4 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-06-24 92008]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdflt.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/03/04 19:34];c:\program files (x86)\CyberLink\PowerDVD8\000.fcl [2009-04-16 05:28 146928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-12-29 98208]
S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2009-12-28 14648]
S2 FAService;FAService;c:\program files\Alienware\Command Center\AlienSense\FAService.exe [2009-12-19 2389320]
S2 ICQ Service;ICQ Service;c:\program files (x86)\ICQ6Toolbar\ICQ Service.exe [2010-09-06 247096]
S2 InstallFilterService;FF Install Filter Service;c:\program files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2009-12-19 59904]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Acceler.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Inhalt des "geplante Tasks" Ordners
.
2009-05-30 c:\windows\Tasks\McDefragTask.job
- c:\progra~2\mcafee\mqc\QcConsol.exe [2010-04-07 10:22]
.
2009-05-30 c:\windows\Tasks\McQcTask.job
- c:\progra~2\mcafee\mqc\QcConsol.exe [2010-04-07 10:22]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF18355.cfxxe" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-29 9643040]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2463232]
"AlienFX Controller"="c:\program files\Alienware\Command Center\AlienwareAlienFXController.exe" [2010-01-08 61256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-04 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-04 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-04 365592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-28 16414824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.icq.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Bild an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Free YouTube to Mp3 Converter - c:\users\kAfflerbach\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Seite an &Bluetooth-Gerät senden... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - c:\program files (x86)\ICQ7.4\ICQ.exe
FF - ProfilePath - c:\users\kAfflerbach\AppData\Roaming\Mozilla\Firefox\Profiles\qrhwyokn.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.1.9&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: ICQ Toolbar: {800b5000-a755-47e1-992b-48a1c1357f07} - %profile%\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{ece24dcf-8548-4655-b392-47a388721482} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-ICQ - c:\program files (x86)\ICQ7.1\ICQ.exe
Wow6432Node-HKLM-Run-FAStartup - (no file)
SafeBoot-MCODS
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
Toolbar-Locked - (no file)
WebBrowser-{0002EE26-8C11-49EB-9CDF-56EEFFEF664F} - (no file)
WebBrowser-{ECE24DCF-8548-4655-B392-47A388721482} - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-(Standard) - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD8\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-2067968310-2625120857-3849213262-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:90,7a,99,a2,21,fd,1f,3e,69,18,84,2c,19,c1,4a,1c,be,7d,7a,d5,a0,18,56,
  ab,38,0b,f2,0d,34,bc,0b,9b,fb,f9,0d,93,cf,e0,07,5e,6d,ec,b6,87,4d,70,01,d7,\
"??"=hex:cf,54,27,3c,41,97,d6,03,b0,3f,40,de,14,74,bd,54
.
[HKEY_USERS\S-1-5-21-2067968310-2625120857-3849213262-1001\Software\SecuROM\License information*]
"datasecu"=hex:f5,ed,70,43,67,ac,1d,04,ce,0f,79,2e,5e,9b,e9,96,34,b5,3c,79,4f,
  98,f1,90,ad,c7,c8,2b,1d,aa,72,03,e2,6b,53,91,1c,a6,fc,ea,a4,9a,7d,13,94,68,\
"rkeysecu"=hex:57,a8,68,c1,dc,49,37,81,58,e1,89,7a,da,56,7e,e2
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
  00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\McAfee\MPF\MPFSrv.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\Toaster.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files\Alienware\Command Center\AlienSense\FATrayAlert.exe
c:\progra~2\McAfee\MSC\mcmscsvc.exe
c:\program files\Alienware\Command Center\AlienFXHook32Mngr.exe
c:\program files\Alienware\Command Center\AlienFusionController.exe
c:\progra~2\COMMON~1\mcafee\mna\mcnasvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-04-28  17:37:50 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2011-04-28 15:37
.
Vor Suchlauf: 19 Verzeichnis(se), 264,832,946,176 Bytes frei
Nach Suchlauf: 21 Verzeichnis(se), 264,533,061,632 Bytes frei
.
- - End Of File - - 6EC3F80EC7E75593FCFD0D42F5CB7916
--- --- ---

markusg 28.04.2011 17:25
öffne computer c: qoobox rechtsklick auf quarantain, mit winrar oder zip packen hochladen.
http://www.trojaner-board.de/54791-a...ner-board.html

magolves 28.04.2011 17:35
erledigt :)

markusg 28.04.2011 18:15
machst du onlinebanking einkäufe oder sonst was wichtiges mit dem pc


Alle Zeitangaben in WEZ +1. Es ist jetzt 04:15 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55