
Log analysis and evaluation: Problems with a trojan


28.04.2009, 09:38   #1
Primusmaximus



Hello,

Since yesterday I keep getting trojan alerts from Avira.
Here are the three that get reported to me:
TR/Dropper.Gen, TR/Drop.Agent.amnc, TR/Crcpt.XPACK.Gen. I always click "delete", but it doesn't work. It looks like the three keep creating temp files over and over again. I delete them constantly, but they keep coming back. According to Avira, the affected folders are c:windows/temp or system32.
Please advise, I can't get this under control.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:15, on 28.04.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Program DJ\Wireless Switch\wlss.exe
C:\Program Files\Program DJ\Green Charger\GCTray.exe
C:\Program Files\Program DJ\Wow Video&Audio\WVAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Internet\Internet\uTorrent\uTorrent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Antispy\Tmas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Thunderbird\thunderbird.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Altap Salamander 2.5\salamand.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
D:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 91.121.97.18 mininova.org
O1 - Hosts: 91.121.97.18 www.mininova.org
O1 - Hosts: 91.121.97.18 thepiratebay.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Program DJ\Wireless Switch\WLSS.exe
O4 - HKLM\..\Run: [GCTray] C:\Program Files\Program DJ\Green Charger\GCTray.exe
O4 - HKLM\..\Run: [Wow Video&Audio] C:\Program Files\Program DJ\Wow Video&Audio\WVAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [uTorrent] "D:\Internet\Internet\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ICQ] "D:\Programme\Programme\icq6\ICQ6.5\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'Default user')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Antispy\Tmas.exe
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Download with GetRight - D:\Programme\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Programme\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\Programme\icq6\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\Programme\icq6\ICQ6.5\ICQ.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - D:\Programme\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lightuning Encrypt Watching Service (LTT_ENCRYPT_WATCHING) - Unknown owner - C:\Windows\system32\EncryptWatchingService.exe
O23 - Service: Lightuning UAC Controller Service (LTT_UAC_CTRL) - Unknown owner - C:\Windows\system32\SVC_LTT.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Programme\SiSoftware Sandra Lite 2009\RpcAgentSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 9644 bytes

28.04.2009, 13:48   #2
Chris4You



Hi,

Please check the following files:

Have the files checked online:
  • Go to the VirusTotal site, click the "Browse" button and locate the following file(s):
Code:
C:\Windows\TEMP\_A00FEAF9F.exe
C:\Windows\system32\SVC_LTT.exe
C:\Windows\system32\EncryptWatchingService.exe
  • Now upload each file one after the other and wait until the scan has finished (it can take up to 2 minutes).
  • Afterwards post the result of the analysis: copy everything and paste it into a post.
  • Important: copy the file size and the HASH as well!

Then:
Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:



2.) Configure the program as shown in the picture.

Now copy the following text into the white field:
(at -> "input script here")


Code:
Files to delete:
C:\Windows\TEMP\_A00FEAF9F.exe

3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will restart.

4.) To start Avenger, click -> Execute
Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted you will find a report from Avenger here -> C:\avenger.txt
Open the file in Notepad and copy the entire text into your post here on the Trojaner-Board.

HijackThis, fix:
Open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC
All programs must be closed while fixing!
Code:
O4 - HKUS\S-1-5-18\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'Default user')

Then please MAM:
Malwarebytes Anti-Malware (MAM).
Instructions & download here: http://www.trojaner-board.de/51187-m...i-malware.html
Run a full scan and let it clean everything! Post the log.
Alternative download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

Chris
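
As an added example (not from the thread and not a HijackThis, Avenger or Trojaner-Board tool), here is a small Python triage script for the O1 and O4 lines of a HijackThis log. It encodes the reasons the helper singled out the two _A00FEAF9F.exe entries above (executable in C:\Windows\TEMP, hex-looking entry name, registered in the SYSTEM and .DEFAULT hives) and also reports hosts-file entries that point a domain somewhere other than loopback; the sample lines are copied from the log in this thread, and the heuristics (temp-directory and machine-generated-name checks) are my own assumptions, not HijackThis rules.

```python
"""HijackThis O1/O4 triage (added example, not a HijackThis or Trojaner-Board tool)."""
import re
from dataclasses import dataclass

# Sample lines constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 91.121.97.18 mininova.org
O1 - Hosts: 91.121.97.18 www.thepiratebay.org
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-18\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00FEAF9F.exe] C:\Windows\TEMP\_A00FEAF9F.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Antispy\Tmas.exe
"""

# O1 line: "O1 - Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# O4 registry Run entry: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O4 startup-folder entry: "O4 - <folder> Startup: <name>.lnk = <command>"
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>[^:]*Startup): (?P<name>.*?) = (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First drive- or %VAR%-rooted path ending in an executable extension.
PATH_RE = re.compile(
    r"(?:[A-Za-z]:|%[^%]+%)\\.*?\.(?:exe|dll|scr|com|bat|cmd|pif)\b", re.I
)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# Heuristic (my assumption): an entry name that is just a run of hex digits.
RANDOM_NAME_RE = re.compile(r"^_?[0-9A-F]{8,}(?:\.exe)?$", re.I)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Finding:
    line: str
    reasons: list


def extract_path(cmd: str):
    """Return the executable/module path inside an O4 command, or None."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def triage(log_text: str) -> list:
    """Return the O1/O4 lines that match one of the heuristics, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = HOSTS_RE.match(line)
        if m:
            # A hosts entry pointing a domain anywhere but loopback sends the
            # user to a host the system owner did not choose; worth a look.
            if m.group("ip") not in LOOPBACK:
                reasons.append(f"hosts entry redirects {m.group('host')} to {m.group('ip')}")
        else:
            m = RUN_RE.match(line) or STARTUP_RE.match(line)
            if m:
                path = extract_path(m.group("cmd"))
                if path and TEMP_DIR_RE.search(path):
                    reasons.append("autorun target lives in a temp directory")
                if RANDOM_NAME_RE.match(m.group("name")):
                    reasons.append("autorun entry name looks machine-generated")
                if reasons and m.group("hive").startswith(SYSTEM_HIVES):
                    reasons.append("registered in the SYSTEM/.DEFAULT hive rather than for an interactive user")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Note that Tmas.exe is not flagged: path heuristics only see a normal Program Files location, and it was the signature scan with MAM later in the thread that identified it as Rogue.AntiSpy.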

28.04.2009, 22:53   #3
Primusmaximus



Hi,

I set everything up as described in the instructions.
The entry C:\Windows\TEMP\_A00FEAF9F.exe doesn't exist on my system.
So I couldn't use Avenger.

28.04.2009, 22:54   #4
Primusmaximus



Regarding C:\Windows\system32\SVC_LTT.exe


Antivirus Version Last update Result
a-squared 4.0.0.101 2009.04.28 -
AhnLab-V3 5.0.0.2 2009.04.28 -
AntiVir 7.9.0.156 2009.04.28 -
Antiy-AVL 2.0.3.1 2009.04.28 -
Authentium 5.1.2.4 2009.04.27 -
Avast 4.8.1335.0 2009.04.28 -
AVG 8.5.0.287 2009.04.28 -
BitDefender 7.2 2009.04.28 -
CAT-QuickHeal 10.00 2009.04.28 -
ClamAV 0.94.1 2009.04.28 -
Comodo 1140 2009.04.28 -
DrWeb 4.44.0.09170 2009.04.28 -
eSafe 7.0.17.0 2009.04.27 -
eTrust-Vet 31.6.6480 2009.04.28 -
F-Prot 4.4.4.56 2009.04.27 -
F-Secure 8.0.14470.0 2009.04.28 -
Fortinet 3.117.0.0 2009.04.28 -
GData 19 2009.04.28 -
Ikarus T3.1.1.49.0 2009.04.28 -
K7AntiVirus 7.10.717 2009.04.27 -
Kaspersky 7.0.0.125 2009.04.28 -
McAfee 5599 2009.04.28 -
McAfee+Artemis 5599 2009.04.28 -
McAfee-GW-Edition 6.7.6 2009.04.28 -
Microsoft 1.4602 2009.04.28 -
NOD32 4040 2009.04.28 -
Norman 6.00.06 2009.04.28 -
nProtect 2009.1.8.0 2009.04.28 -
Panda 10.0.0.14 2009.04.28 -
PCTools 4.4.2.0 2009.04.28 -
Prevx1 3.0 2009.04.28 -
Rising 21.27.12.00 2009.04.28 -
Sophos 4.41.0 2009.04.28 -
Sunbelt 3.2.1858.2 2009.04.28 -
Symantec 1.4.4.12 2009.04.28 -
TheHacker 6.3.4.1.315 2009.04.28 -
TrendMicro 8.700.0.1004 2009.04.28 -
VBA32 3.12.10.3 2009.04.28 -
ViRobot 2009.4.28.1712 2009.04.28 -
VirusBuster 4.6.5.0 2009.04.28 -
Additional information
File size: 184320 bytes
MD5...: a526bd3fc2939e2d94a913e833c77d0c
SHA1..: 0c8d1523f356f410e683a84764fc36b695dd0a96
SHA256: c2b2baab1bebeacac763deb488049bdb4e82b31ed9e50ad7815f9d296605ae81
SHA512: eab63ab61a255ca64bb92066f48bbabd94c4dd60b528ac7aac3de104e402fc096ab39c9ac642b814e73cd06c72718225902a8b8c48cc1bff114b8a5c2c747afe
ssdeep: 3072:A/ORiBalCCT7NR00yQKxPE8FfRSKStdZTy/:QORiZCPNR0gKxMUfRXWs
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xd43f
timedatestamp.....: 0x485b264b (Fri Jun 20 03:38:51 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1d5a6 0x1e000 6.61 2b2fce1c81f9eb429d203a2a95c258c3
.rdata 0x1f000 0x7290 0x8000 4.67 4c3a36a1966416a0f256423d40941129
.data 0x27000 0x5938 0x2000 3.69 17c4036781878f31f6bd88655d8741d6
.rsrc 0x2d000 0x3bb0 0x4000 3.89 367d7ecf8c929e80b0869bb0d476cd42

( 9 imports )
> KERNEL32.dll: GlobalFlags, GlobalAddAtomA, GlobalGetAtomNameA, GetThreadLocale, GetVersionExA, lstrcmpW, GlobalFindAtomA, ReadFile, WriteFile, SetFilePointer, FlushFileBuffers, GetCurrentProcess, CreateFileA, GetCPInfo, GetOEMCP, HeapAlloc, HeapFree, HeapReAlloc, VirtualAlloc, RtlUnwind, GetProcessHeap, RaiseException, ExitProcess, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, WritePrivateProfileStringA, CloseHandle, InterlockedIncrement, InterlockedDecrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, LoadLibraryA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, GetModuleHandleA, GetProcAddress, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, SetLastError, lstrcpyA, GetCommandLineA, CreateToolhelp32Snapshot, Process32First, Process32Next, WaitForSingleObject, Sleep, GetModuleFileNameA, lstrlenA, lstrcmpiA, CompareStringA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InterlockedExchange
> USER32.dll: ShowWindow, DestroyMenu, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, IsWindow, GetForegroundWindow, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, DefWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, IsIconic, GetWindowPlacement, UnregisterClassA, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, SetCursor, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, wsprintfA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, LoadCursorA, GetSystemMetrics, RegisterWindowMessageA, LoadIconA, CallWindowProcA, WinHelpA, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, PostQuitMessage, PostMessageA, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetWindowTextA
> ADVAPI32.dll: SetServiceStatus, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyA, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, ControlService, QueryServiceStatus, DeleteService, OpenSCManagerA, OpenServiceA, CreateServiceA, StartServiceA, CloseServiceHandle
> SHELL32.dll: ShellExecuteExA
> SHLWAPI.dll: PathFindExtensionA
> OLEACC.dll: LresultFromObject, CreateStdAccessibleObject
> GDI32.dll: CreateBitmap, DeleteObject, SaveDC, RestoreDC, GetStockObject, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, SetBkColor, SetTextColor, SetMapMode, GetClipBox, ExtTextOutA, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, GetDeviceCaps, TextOutA, RectVisible, PtVisible, Escape
> WINSPOOL.DRV: DocumentPropertiesA, OpenPrinterA, ClosePrinter
> OLEAUT32.dll: -, -, -

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set



Regarding C:\Windows\system32\EncryptWatchingService.exe


Antivirus Version Last update Result
a-squared 4.0.0.101 2009.04.28 -
AhnLab-V3 5.0.0.2 2009.04.28 -
AntiVir 7.9.0.156 2009.04.28 -
Antiy-AVL 2.0.3.1 2009.04.28 -
Authentium 5.1.2.4 2009.04.27 -
Avast 4.8.1335.0 2009.04.28 -
AVG 8.5.0.287 2009.04.28 -
BitDefender 7.2 2009.04.28 -
CAT-QuickHeal 10.00 2009.04.28 -
ClamAV 0.94.1 2009.04.28 -
Comodo 1140 2009.04.28 -
DrWeb 4.44.0.09170 2009.04.28 -
eSafe 7.0.17.0 2009.04.27 -
eTrust-Vet 31.6.6480 2009.04.28 -
F-Prot 4.4.4.56 2009.04.27 -
F-Secure 8.0.14470.0 2009.04.28 -
Fortinet 3.117.0.0 2009.04.28 -
GData 19 2009.04.28 -
Ikarus T3.1.1.49.0 2009.04.28 -
K7AntiVirus 7.10.717 2009.04.27 -
Kaspersky 7.0.0.125 2009.04.28 -
McAfee 5599 2009.04.28 -
McAfee+Artemis 5599 2009.04.28 -
McAfee-GW-Edition 6.7.6 2009.04.28 -
Microsoft 1.4602 2009.04.28 -
NOD32 4040 2009.04.28 -
Norman 6.00.06 2009.04.28 -
nProtect 2009.1.8.0 2009.04.28 -
Panda 10.0.0.14 2009.04.28 -
PCTools 4.4.2.0 2009.04.28 -
Prevx1 3.0 2009.04.28 -
Rising 21.27.12.00 2009.04.28 -
Sophos 4.41.0 2009.04.28 -
Sunbelt 3.2.1858.2 2009.04.28 -
Symantec 1.4.4.12 2009.04.28 -
TheHacker 6.3.4.1.315 2009.04.28 -
TrendMicro 8.700.0.1004 2009.04.28 -
VBA32 3.12.10.3 2009.04.28 -
ViRobot 2009.4.28.1712 2009.04.28 -
VirusBuster 4.6.5.0 2009.04.28 -
Additional information
File size: 200704 bytes
MD5...: db6ea58229d49ff973b826af537c09b8
SHA1..: 00bb1b82388a5f3845fdf05cc51f2a06488e1970
SHA256: 1d7d623777535bf7190bdb76624eada5bf0cd515b9f1dac0a32c230591ef77e6
SHA512: 7c3b1bbde9021f88af8689c72fe02d702e7d73bc00a3c59111f2c3658559af2620326bdb5b1c41a8cd37cde0ba0a35419ded7c279bb64a53e1f3f75de7139876
ssdeep: 3072:72HVCb/Gj7TaRxnIE1mP2Vw7/qkyD22byTQTV+PzNwr73ZCC9tOZIVMTY/:721Cb/i3aRxIEEP2Vmqi2byU+dZIV3
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xf288
timedatestamp.....: 0x485b3d5f (Fri Jun 20 05:17:19 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x21586 0x22000 6.60 39a42550347b10e902a358f497f6373e
.rdata 0x23000 0x7b12 0x8000 4.88 6adddc158418d8a1eea7ff857ed3ed20
.data 0x2b000 0x5dbc 0x2000 3.68 b06355312037d3c3f4ff0380261e2487
.rsrc 0x31000 0x3c1c 0x4000 3.87 0fc0a4b67309badecf1a267a83561671

( 11 imports )
> KERNEL32.dll: HeapFree, HeapAlloc, GetProcessHeap, RtlUnwind, RaiseException, ExitProcess, HeapReAlloc, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, GetACP, GetOEMCP, LCMapStringA, LCMapStringW, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, VirtualAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, GetFileAttributesW, GetCurrentProcess, FlushFileBuffers, SetFilePointer, GetThreadLocale, GlobalFindAtomW, LoadLibraryA, GetVersionExA, GetModuleHandleA, GlobalAddAtomW, GlobalFlags, WritePrivateProfileStringW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, InterlockedDecrement, InterlockedIncrement, SetErrorMode, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetVersion, EnumResourceLanguagesW, GetLocaleInfoW, LoadLibraryW, WideCharToMultiByte, InterlockedExchange, lstrcmpW, FreeLibrary, GlobalDeleteAtom, GetProcAddress, SetLastError, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageW, lstrlenW, MultiByteToWideChar, FindResourceW, LoadResource, LockResource, SizeofResource, OpenProcess, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, WTSGetActiveConsoleSessionId, GetCurrentProcessId, ProcessIdToSessionId, GetVersionExW, ExitThread, ResumeThread, LocalAlloc, GetTempFileNameW, GetTempPathW, LocalFree, DeleteFileW, GetProfileStringW, TerminateThread, ReadDirectoryChangesW, GetTickCount, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, lstrcmpiW, GetModuleHandleW, GetCommandLineW, lstrcatW, GetModuleFileNameW, GetLastError, SetEvent, Sleep, CreateThread, CreateEventW, WaitForSingleObject, QueryDosDeviceW, ReadFile, CloseHandle, WriteFile, GetStartupInfoA, CreateFileW
> USER32.dll: ShowWindow, RegisterWindowMessageW, LoadIconW, WinHelpW, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, IsWindow, GetForegroundWindow, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, CopyRect, DefWindowProcW, CallWindowProcW, SetWindowLongW, SystemParametersInfoA, IsIconic, GetWindowPlacement, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameW, PtInRect, GetWindowTextW, SetWindowTextW, SetCursor, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, GetFocus, ModifyMenuW, EnableMenuItem, CheckMenuItem, DestroyMenu, GetClientRect, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageW, GetCursorPos, ValidateRect, GetWindowThreadProcessId, SendMessageW, GetParent, GetWindowLongW, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxW, UnhookWindowsHookEx, LoadCursorW, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, PostMessageW, PostQuitMessage, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfW, SetWindowPos, UnregisterClassA
> GDI32.dll: RectVisible, PtVisible, GetStockObject, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutW, GetClipBox, SetMapMode, GetDeviceCaps, CreateBitmap, DeleteObject, SaveDC, RestoreDC, SetBkColor, SetTextColor, TextOutW
> WINSPOOL.DRV: ClosePrinter, DocumentPropertiesW, OpenPrinterW
> ADVAPI32.dll: RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegOpenKeyW, RegCloseKey, CreateProcessAsUserW, AdjustTokenPrivileges, SetTokenInformation, DuplicateTokenEx, LookupPrivilegeValueW, OpenProcessToken, StartServiceW, QueryServiceStatus, DeleteService, ControlService, CloseServiceHandle, CreateServiceW, OpenServiceW, OpenSCManagerW, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SetSecurityDescriptorDacl, InitializeSecurityDescriptor
> SHLWAPI.dll: PathFindExtensionW, PathIsDirectoryW, PathFindFileNameW
> OLEAUT32.dll: -, -, -
> WTSAPI32.dll: WTSQueryUserToken
> LogFileMgr.dll: WriteLogW
> FileFilterServicDLL.dll: IsInFileFilterW
> EncryptLib.dll: IsInLTTEncryptDirectoryW

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

28.04.2009, 22:56   #5
Primusmaximus



Here is the MAM scan:

Malwarebytes' Anti-Malware 1.36
Datenbank Version: 2056
Windows 6.0.6001 Service Pack 1

28.04.2009 23:40:17
mbam-log-2009-04-28 (23-40-17).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 232409
Laufzeit: 32 minute(s), 0 second(s)

Infizierte Speicherprozesse: 2
Infizierte Speichermodule: 2
Infizierte Registrierungsschlüssel: 89
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 7
Infizierte Verzeichnisse: 9
Infizierte Dateien: 138

Infizierte Speicherprozesse:
C:\Program Files\Antispy\Tmas.exe (Rogue.AntiSpy) -> Unloaded process successfully.
C:\Windows\System32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
C:\Program Files\Antispy\en-us.dll (Rogue.AntiSpy) -> Delete on reboot.
C:\Program Files\Antispy\ssengine.dll (Rogue.AntiSpy) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\TypeLib\{204b1584-0186-4437-a3bd-c906d1bcf14c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{03c43b29-e2be-4026-ab67-4d120664787e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0412eeb8-5b5d-404f-9d5e-1d86650442a1} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04f8cefc-5408-4a86-945f-a3cf86bfc925} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{12f30b98-a09e-4325-b7e3-6394f0bfea4f} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{13cd3add-680b-4f4a-9b1f-d729634dd104} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ab00f7a-51b7-4e30-aad5-6a2797fb974c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{253d7b09-53b7-4bd8-9087-421fc31c0850} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{26c47809-2a15-4855-94ad-6e6841110b62} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2ae20efd-f14a-4977-abaa-8d77e84534e6} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2f3ada02-1a37-4d7b-af15-f662476e109e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2fe26629-181f-4200-bc82-f4a500d64d95} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{33873e20-51fa-45e3-9405-ef4219bdbf7b} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{41510d4c-88ee-447d-bb5d-fecfb676c1dc} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45f4de86-24af-46c0-b878-219efb2f06f5} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4daef14e-6c31-400a-86cc-60569686f1d7} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{510321d5-596d-4b3d-843d-d18cf370d95f} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54787499-116b-48c5-816b-931999be9218} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{675e0c83-38c4-404f-b6b1-e7b4d36602e2} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{67ee568a-6122-43a5-8708-be0ade20d576} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69fe2113-788b-42dc-b7bf-df70774870cb} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70594eb2-fb91-4e27-a6d6-f53553755137} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{77b25ed3-0f60-4231-970b-092825832483} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7947cb81-91ea-4637-9c77-7cbb16850b02} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{79b22e45-dab8-42fa-90fd-7f3d89fd9e4a} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7deff114-1fc4-48af-a92b-00087453a480} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{831ca9ed-e683-40f8-9784-5a4e31eb8b3e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{86aed898-a474-47bf-9031-c0a75458c91a} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{884044d2-96a8-4864-bf5b-c7201cdeaf99} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{902aa599-38c4-4fb2-bfe9-18c47ece4b5d} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{949da914-a97f-4ca0-bfcd-86d2c47e62e1} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{98decb51-c432-405f-aa26-671df705bdb8} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{995c5801-548d-4f5d-820f-71c326830259} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a4323003-581e-41d0-a7c3-4c92ddee5c43} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b0b7d131-c23f-4146-a8db-906894c4a75b} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b4b36233-074a-4b02-9bd2-3d931530e206} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb087bf7-35c4-49c6-869a-8165a8349058} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d0a390b3-745b-4827-b8b5-37088d874c7a} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dbd409f9-14af-4d72-95e3-3e3e34231015} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1a2bff1-fa4d-4751-a8f3-ad08feac3f08} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e5fadfaf-f846-4287-b61d-33e7c5788819} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e793edd0-1f48-49e7-82b7-ebac16d4756c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ee5065d0-cb02-4d7b-8754-b54a0bcbcf1c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f8d8714e-ab4e-48ae-a451-e37998ab87b2} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe833532-2d3e-4a9a-8120-ff5c973bc279} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07593fe0-91a2-4de2-b52d-b20a45f2b76c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10789882-b27b-4a9f-81fa-4c063a9cccdc} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{135833b7-a91e-4717-b37e-4a83c95627cd} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1b11469e-028c-46d8-8ef4-bb6e2d4d17a7} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e605b18-54c3-4f6e-b8c1-99f00fe63ffd} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{21afb7d3-e1a8-4b36-9be4-442f49112040} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3af090bf-630e-4e72-81b6-95971fe2bb3f} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{40d0e0dc-4014-4571-bc93-84e84b00e338} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4fd85b64-417a-470f-a318-db5c79f9629f} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{50ff5331-0775-48e4-8f70-ea92a66700a2} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{567a4726-bf39-4d03-9638-ed2cfe66ec24} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6da8fdc9-dc0c-4d14-8c82-82a25418e6b5} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6faa3531-473f-4699-81be-c1572eb9864c} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{724a3aca-9793-4582-b8fe-e432af70dd9d} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{728e2f89-c3e2-4b08-962f-4ae9ce62dbd4} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{79ecba8e-56c2-429d-b8bd-c31b16775ca0} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7b89a5b0-7d32-4ecb-8590-bac4275b8abf} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{875675c7-be70-49b6-8663-e4bcec9fe3c9} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87fe4356-63a3-41c3-8eeb-6532b3b60509} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8cf33fd4-ff01-4d36-9895-791f41177892} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{958ca8ae-b8cd-4945-8c29-45a5e7b9422f} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{976cf62f-f258-4378-a15b-908bb498bbb9} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e30ccb4-3c4f-4706-8b11-25742ca52c6e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ae9bb703-5149-4039-9244-d0b13ea20dff} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b68e5d87-2c1e-42b3-a2e9-16a6b43f650a} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bd1ab38b-788c-4bc4-a94a-352c6b4946cb} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c30c6ead-cc24-4bc8-b3b9-12aefcb2d7e3} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c745fb88-5e5a-47fd-805e-864aa8366578} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca88c6e9-5f08-4084-9065-1ded88391b08} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cb8364a5-880c-454d-aaed-4b6518fb3e5b} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc793bcc-c7c4-4906-8a5d-710019da59ed} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d0cdb539-1894-49a1-b851-02bcdda92dc6} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d4ac2fc2-8ae4-4092-b45e-8b5b4f6be86d} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8182f2c-ced7-4026-8b9e-ae4981462a6b} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e9ba403b-d5e5-49f9-a404-badd0dee81f3} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea454523-1adc-4247-b46b-84ecaa74e050} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eadde710-fd35-417f-957e-fd2f10b142e2} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{edb85ba7-c733-4173-8a0a-73993f3f325e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ee1e561e-0181-49ca-9d21-c72d00230c5b} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f31c06df-d052-4651-b336-9b5fdf817e16} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3ab95d9-f416-4152-96a5-00fb605edef4} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa8a8e87-0854-4f0a-a304-9ae1dd339a7e} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{49750331-e6d0-4e91-a002-f56af37ec4c5} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03a80b1d-5c6a-42c2-9dfb-81b6005d8023} (Rogue.AntiSpy) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{03a80b1d-5c6a-42c2-9dfb-81b6005d8023} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{03a80b1d-5c6a-42c2-9dfb-81b6005d8023} (Rogue.AntiSpy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


28.04.2009, 22:57   #6
Primusmaximus

Here is the rest:



Infizierte Verzeichnisse:
C:\Windows\System32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Antispy (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Backup (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Help (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default (Rogue.AntiSpy) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\$Recycle.Bin\S-1-5-21-2714959321-1763349613-1932945215-1000\$RS7K35J.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\winglsetup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Downloads\SetupAntivirusXP.exe (Rogue.XPAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Antispyware.log (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\crack.exe (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\cwshredder.dll (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\en-us.dll (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Install.log (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\readme.txt (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\SpUninst.exe (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\spyware.bak (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\spyware.dat3 (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\ssengine.dll (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\sshook.dll (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\ssmsg.exe (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Tmas.exe (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Tmas.exe.BAK (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\usrbl.dat (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\usrwl.dat (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\WebRegister.exe (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Backup\Clean Session - 1222965848.ssb (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Backup\VST Clean Session - 1240857165.ssb (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Help\en-us.chm (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\cl2.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\cl3.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\cl4.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\cld.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc1.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc11.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc2.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc3.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc4.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc5.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\sc6.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Pinball\scd.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\cl2.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\cl3.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\cl4.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\cld.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc1.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc10.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc11.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc12.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc3.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc4.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc6.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc7.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\sc8.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Sounds\Tomcat\scd.wav (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\bg_common.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\bg_main.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\bg_messagedlg.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_activate.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_add.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_allow.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_bigdelete.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_bigdetails.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_bighelp.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_bigupdates.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_buy.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_cancel.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_clean.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_cleanprivacy.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_clear.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_config.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_cws.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_dbupdate.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_deny.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_details.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_disable.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_feedback.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_help.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_home.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_ok.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_options.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_remove.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_restore.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_save.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_scan.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_selecttoggle.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_start.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_stop.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_updates.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\btn_viewlog.ico (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\copyright.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\DetailsTemplate.htm (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_check_blank.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_check_finished.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_check_off.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_check_on.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_check_working.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_adv_scanners.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_cleaning.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_general.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_scanner.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_scanners.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_scheduling.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_sounds.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_config_vst.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_bad.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_error.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_good.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_info.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_question.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_uncertain.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_verybad.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_msg_warning.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_cookie.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_folder.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_none.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_process.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_regykey.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_regyval.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_shortcutlink.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_suspect.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_scanner_winfile.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_std_check_off.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_std_check_on.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_threat_3.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_manage.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_threatgraph_0.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_threatgraph_100.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_threatgraph_25.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_threatgraph_50.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_threatgraph_75.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\icon_vst_warning.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\ProductLogo.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\splash.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\SplashBASIC.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\SplashPRO.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\SplashTRIAL.bmp (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Program Files\Antispy\Themes\Default\theme.ini (Rogue.AntiSpy) -> Quarantined and deleted successfully.
C:\Windows\System32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\ovfsth.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\msb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.





After deleting the 250 findings I rebooted.
The alerts still appear.
What else can I do?
Regards

PS: I hope I did not misunderstand that I am supposed to post all the info here. It is quite a lot.

29.04.2009, 06:30   #7
Chris4You

Hi,

please still run Avenger as described anyway and also carry out the fix with HJ...

ComboFix
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Close all windows, start combofix.exe, confirm the following prompt with 1 and press Enter.

The ComboFix scan can take some time, so be patient. Do not do anything on the computer during the scan.
The computer may be restarted in the process.
When the scan has finished, a report is displayed; please copy it and paste it into your thread.
Further instructions at: http://www.bleepingcomputer.com/comb...x-benutzt-wird
Note: a backup is created under C:\WINDOWS\erdnt.
Alternative download: http://subs.geekstogo.com/ComboFix.exe

Prevx:
http://www.prevx.com/freescan.asp
If the tool finds something, do not post the log but a screenshot of the window that is then displayed...

?C:\Program Files\Antispy\crack.exe?

And one more piece of information on the side, which is not very good:
ftp_non_crp.exe
...
This Process is a file infector which modifies program files to include a copy of the infection
...
That means, if it comes to that -> reinstall from scratch...

chris
__________________
Don't bring me down
Read before posting!
Donate
(Anyone who wants to donate is welcome to get in touch)

29.04.2009, 18:09   #8
Primusmaximus

Hi,

Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxvmhrynvt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxrwoqxplg.sys
Start Type: 1 (System)

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Wed Apr 29 18:58:54 2009

18:58:54: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Wed Apr 29 18:59:25 2009

18:59:25: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Wed Apr 29 18:59:35 2009

18:59:35: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxvmhrynvt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxrwoqxplg.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:\Windows\TEMP\_A00FEAF9F.exe" not found!
Deletion of file "C:\Windows\TEMP\_A00FEAF9F.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

29.04.2009, 19:04   #9
Primusmaximus

This ComboFix has now caused a blue screen three times.
No log file. Do I perhaps have to run it in safe mode?

29.04.2009, 19:44   #10
Primusmaximus

Quote:
Quote from Primusmaximus:
This ComboFix has now caused a blue screen three times.
No log file. Do I perhaps have to run it in safe mode?

So, there is a blue screen in safe mode as well.

29.04.2009, 20:50   #11
Chris4You

Hi,

There is a rootkit at work...

GMER:
http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
Start GMER and see whether it reports anything right away. If it does, answer all questions with "no", go to the "Rootkit" tab, answer the question there with "no" as well and use Copy to paste the report into the thread. If it reports nothing, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.

chris

29.04.2009, 20:57   #12
Primusmaximus

Quote:
Quote from Chris4You:
Hi,

There is a rootkit at work...

GMER:
http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
Start GMER and see whether it reports anything right away. If it does, answer all questions with "no", go to the "Rootkit" tab, answer the question there with "no" as well and use Copy to paste the report into the thread. If it reports nothing, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.

chris

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-29 21:54:55
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 87A1E110 ZwEnumerateKey
Code 879CD110 ZwFlushInstructionCache
Code 879DC10D IofCallDriver
Code 876BE076 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 869301F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\ovfsthxrwoqxplg.sys (*** hidden *** ) [SYSTEM] ovfsthxvmhrynvt <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

29.04.2009, 21:08   #13
Chris4You

Hi,

shit, let's see how long the notebook's battery holds out...

We'll go after it with Avenger...

So:
Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:

2.) Configure the program as shown in the picture.

Now copy the following text into the white field:
(at -> "input script here")

Code:
Drivers to delete:
ovfsthxvmhrynvt

Files to delete:
C:\Windows\system32\drivers\ovfsthxrwoqxplg.sys

3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will be restarted.

4.) To start Avenger, click -> Execute
Then confirm with "Yes" that the computer restarts!

5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt
Open the file with the editor and copy the entire text into your post here on the Trojaner-Board.

After that, immediately follow up with MAM:
Malwarebytes Antimalware (MAM).
Instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Full scan and let it clean everything! Post the log.
Alternative download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

Post both logs and another new log from GMER...

Then we'll try ComboFix again...

chris

29.04.2009, 21:16   #14
Primusmaximus

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxvmhrynvt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxrwoqxplg.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "ovfsthxvmhrynvt" deleted successfully.
File "C:\Windows\system32\drivers\ovfsthxrwoqxplg.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


MAM scan is running. Please plug in your power adapter :-) I still need you.
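
The Avenger report above is only useful if someone actually checks that every entry of the script got its "deleted successfully" line; a missing confirmation means the driver is probably still there and the next GMER scan will show it again. The script below is an added example, not part of the thread and not Avenger's own code: it reads the script from post #13 and the report from post #14, both embedded as constructed samples, and reports which requested drivers and files the log confirms as removed. The regexes are this example's assumptions about Avenger's output lines; it also goes slightly beyond the thread by flagging entries the report never confirms.

```python
"""Added example: verify an Avenger run against the script it was given
(not Avenger's own code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed samples: the Avenger script from post #13 and the report from
# post #14, as raw strings so the Windows paths keep their backslashes.
AVENGER_SCRIPT = r"""Drivers to delete:
ovfsthxvmhrynvt

Files to delete:
C:\Windows\system32\drivers\ovfsthxrwoqxplg.sys
"""

AVENGER_REPORT = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ovfsthxvmhrynvt" found!
ImagePath: \systemroot\system32\drivers\ovfsthxrwoqxplg.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "ovfsthxvmhrynvt" deleted successfully.
File "C:\Windows\system32\drivers\ovfsthxrwoqxplg.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
"""

# Assumed line layouts (this example's regexes, derived from the lines above).
HEADER_RE = re.compile(r"^(?P<kind>Drivers|Files) to delete:$")
DELETED_RE = re.compile(r'^(?P<kind>Driver|File) "(?P<item>[^"]+)" deleted successfully\.$')
HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')


def parse_script(text: str) -> Dict[str, List[str]]:
    """Map 'Driver'/'File' to the entries requested under each script header."""
    wanted: Dict[str, List[str]] = {"Driver": [], "File": []}
    kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            kind = "Driver" if m.group("kind") == "Drivers" else "File"
            continue
        if kind is not None:
            wanted[kind].append(line)
    return wanted


def parse_report(text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Collect confirmed deletions per kind and the hidden drivers Avenger saw."""
    deleted: Dict[str, Set[str]] = {"Driver": set(), "File": set()}
    hidden: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted[m.group("kind")].add(m.group("item"))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append(m.group("name"))
    return deleted, hidden


def verify_cleanup(script: str, report: str) -> dict:
    """Per-entry status; Windows names are compared case-insensitively."""
    wanted = parse_script(script)
    deleted, hidden = parse_report(report)
    status: Dict[str, Dict[str, str]] = {"Driver": {}, "File": {}}
    for kind, items in wanted.items():
        confirmed = {d.lower() for d in deleted[kind]}
        for item in items:
            status[kind][item] = "deleted" if item.lower() in confirmed else "not confirmed"
    unconfirmed = [i for k in status for i, s in status[k].items() if s != "deleted"]
    return {"status": status, "hidden_drivers_found": hidden,
            "unconfirmed": unconfirmed, "all_removed": not unconfirmed}


if __name__ == "__main__":
    import json
    print(json.dumps(verify_cleanup(AVENGER_SCRIPT, AVENGER_REPORT), indent=2))
```

For the thread's report both entries come back "deleted" and `all_removed` is true, which is the precondition for the MAM scan and the follow-up GMER run Chris asked for; any "not confirmed" entry would instead call for another GMER scan before trusting the system.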

29.04.2009, 21:19   #15
Chris4You

Hi,

good, Avira may already start complaining now...
Do the rest as described and post the logs...

Until tomorrow, the battery is dead...

chris
