PUM.Hijack.StartMenu & Trojan.FakeAlert in der registry

Hamlon · 06.03.2012, 00:13

Combofix scheint was gefunden zu haben. Zumindest hats was gelöscht; mein Keepass :-/ . Man kanns ja zum Glück neu installieren.

Combofix Logfile:

Code:

ATTFilter

ComboFix 12-03-04.02 - HP 05.03.2012  23:05:07.1.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.49.1031.18.2813.1838 [GMT 1:00]
ausgeführt von:: c:\users\HP\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\KeePass Password Safe 2\KeePass.exe
c:\users\HP\AppData\Local\assembly\tmp
.
.
(((((((((((((((((((((((   Dateien erstellt von 2012-02-05 bis 2012-03-05  ))))))))))))))))))))))))))))))
.
.
2012-03-04 19:06 . 2012-03-05 21:34	--------	d-----w-	c:\users\HP\AppData\Roaming\.purple
2012-03-04 19:03 . 2012-03-04 19:03	--------	d-----w-	c:\program files (x86)\Pidgin
2012-03-03 12:47 . 2012-03-03 12:47	--------	d-----w-	C:\_OTL
2012-02-29 17:07 . 2012-02-29 17:07	--------	d-----w-	c:\program files (x86)\ESET
2012-02-26 22:16 . 2012-02-26 22:16	--------	d-----w-	c:\program files\Recuva
2012-02-26 17:47 . 2012-02-26 17:48	--------	d-----w-	c:\users\******
2012-02-25 22:43 . 2012-02-25 22:43	--------	d-----w-	c:\users\HP\AppData\Roaming\gnupg
2012-02-25 22:43 . 2012-02-25 22:43	--------	d-----w-	c:\program files (x86)\GNU
2012-02-25 22:37 . 2012-02-25 22:37	--------	d-----w-	c:\users\HP\AppData\Local\Lupinho.Net
2012-02-25 22:36 . 2012-02-25 22:36	--------	d-----w-	c:\program files\Lupinho.Net
2012-02-25 21:53 . 2012-01-04 10:44	509952	----a-w-	c:\windows\system32\ntshrui.dll
2012-02-25 21:53 . 2012-01-04 08:58	442880	----a-w-	c:\windows\SysWow64\ntshrui.dll
2012-02-25 21:53 . 2011-12-30 06:26	515584	----a-w-	c:\windows\system32\timedate.cpl
2012-02-25 21:53 . 2011-12-30 05:27	478720	----a-w-	c:\windows\SysWow64\timedate.cpl
2012-02-25 18:47 . 2012-02-25 18:47	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-25 17:51 . 2011-12-10 14:24	23152	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-02-25 17:51 . 2012-02-25 17:51	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-22 20:32 . 2012-02-22 20:33	--------	d-----w-	c:\program files (x86)\Oracle
2012-02-22 20:31 . 2012-02-22 20:31	--------	d-----w-	c:\program files (x86)\Common Files\Java
2012-02-22 20:30 . 2012-01-10 12:57	637848	----a-w-	c:\windows\SysWow64\npdeployJava1.dll
2012-02-17 15:29 . 2012-02-17 15:29	--------	d-----w-	C:\opt
2012-02-15 09:28 . 2012-01-14 04:06	3145728	----a-w-	c:\windows\system32\win32k.sys
2012-02-15 09:28 . 2011-12-28 03:59	498688	----a-w-	c:\windows\system32\drivers\afd.sys
2012-02-15 09:28 . 2011-12-16 08:46	634880	----a-w-	c:\windows\system32\msvcrt.dll
2012-02-15 09:28 . 2011-12-16 07:52	690688	----a-w-	c:\windows\SysWow64\msvcrt.dll
2012-02-13 19:48 . 2012-03-05 20:48	--------	d-----w-	c:\users\HP\AppData\Roaming\Vidalia
2012-02-13 19:48 . 2012-03-05 11:04	--------	d-----w-	c:\users\HP\AppData\Roaming\tor
2012-02-13 19:32 . 2012-02-03 02:10	--------	d-----w-	c:\program files (x86)\Tor
2012-02-12 00:11 . 2012-02-12 00:19	--------	d-----w-	c:\users\HP\AppData\Roaming\JonDo
2012-02-11 22:57 . 2012-02-11 22:57	--------	d-----w-	c:\program files (x86)\JonDo
2012-02-08 22:52 . 2012-02-17 18:09	--------	d-----w-	c:\users\HP\AppData\Local\Eclipse
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 09:29 . 2011-11-11 08:37	207008	----a-w-	c:\programdata\Microsoft\VBExpress\10.0\1031\ResourceCache.dll
2012-01-10 12:57 . 2010-06-14 22:35	567696	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-12-30 10:02 . 2011-12-30 10:02	74752	----a-w-	c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-30 10:02 . 2011-12-30 10:02	161792	----a-w-	c:\windows\SysWow64\msls31.dll
2011-12-30 10:02 . 2011-12-30 10:02	86528	----a-w-	c:\windows\SysWow64\iesysprep.dll
2011-12-30 10:02 . 2011-12-30 10:02	76800	----a-w-	c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-30 10:02 . 2011-12-30 10:02	74752	----a-w-	c:\windows\SysWow64\iesetup.dll
2011-12-30 10:02 . 2011-12-30 10:02	63488	----a-w-	c:\windows\SysWow64\tdc.ocx
2011-12-30 10:02 . 2011-12-30 10:02	48640	----a-w-	c:\windows\SysWow64\mshtmler.dll
2011-12-30 10:02 . 2011-12-30 10:02	367104	----a-w-	c:\windows\SysWow64\html.iec
2011-12-30 10:02 . 2011-12-30 10:02	110592	----a-w-	c:\windows\SysWow64\IEAdvpack.dll
2011-12-30 10:02 . 2011-12-30 10:02	420864	----a-w-	c:\windows\SysWow64\vbscript.dll
2011-12-30 10:02 . 2011-12-30 10:02	35840	----a-w-	c:\windows\SysWow64\imgutil.dll
2011-12-30 10:02 . 2011-12-30 10:02	23552	----a-w-	c:\windows\SysWow64\licmgr10.dll
2011-12-30 10:02 . 2011-12-30 10:02	152064	----a-w-	c:\windows\SysWow64\wextract.exe
2011-12-30 10:02 . 2011-12-30 10:02	150528	----a-w-	c:\windows\SysWow64\iexpress.exe
2011-12-30 10:02 . 2011-12-30 10:02	142848	----a-w-	c:\windows\SysWow64\ieUnatt.exe
2011-12-30 10:02 . 2011-12-30 10:02	11776	----a-w-	c:\windows\SysWow64\mshta.exe
2011-12-30 10:02 . 2011-12-30 10:02	101888	----a-w-	c:\windows\SysWow64\admparse.dll
2011-12-30 10:02 . 2011-12-30 10:02	91648	----a-w-	c:\windows\system32\SetIEInstalledDate.exe
2011-12-30 10:02 . 2011-12-30 10:02	89088	----a-w-	c:\windows\system32\RegisterIEPKEYs.exe
2011-12-30 10:02 . 2011-12-30 10:02	49664	----a-w-	c:\windows\system32\imgutil.dll
2011-12-30 10:02 . 2011-12-30 10:02	48640	----a-w-	c:\windows\system32\mshtmler.dll
2011-12-30 10:02 . 2011-12-30 10:02	222208	----a-w-	c:\windows\system32\msls31.dll
2011-12-30 10:02 . 2011-12-30 10:02	173056	----a-w-	c:\windows\system32\ieUnatt.exe
2011-12-30 10:02 . 2011-12-30 10:02	135168	----a-w-	c:\windows\system32\IEAdvpack.dll
2011-12-30 10:02 . 2011-12-30 10:02	12288	----a-w-	c:\windows\system32\mshta.exe
2011-12-30 10:02 . 2011-12-30 10:02	114176	----a-w-	c:\windows\system32\admparse.dll
2011-12-30 10:02 . 2011-12-30 10:02	85504	----a-w-	c:\windows\system32\iesetup.dll
2011-12-30 10:02 . 2011-12-30 10:02	76800	----a-w-	c:\windows\system32\tdc.ocx
2011-12-30 10:02 . 2011-12-30 10:02	603648	----a-w-	c:\windows\system32\vbscript.dll
2011-12-30 10:02 . 2011-12-30 10:02	448512	----a-w-	c:\windows\system32\html.iec
2011-12-30 10:02 . 2011-12-30 10:02	30720	----a-w-	c:\windows\system32\licmgr10.dll
2011-12-30 10:02 . 2011-12-30 10:02	165888	----a-w-	c:\windows\system32\iexpress.exe
2011-12-30 10:02 . 2011-12-30 10:02	160256	----a-w-	c:\windows\system32\wextract.exe
2011-12-30 10:02 . 2011-12-30 10:02	111616	----a-w-	c:\windows\system32\iesysprep.dll
2011-12-23 17:26 . 2011-12-23 17:26	230864	----a-w-	c:\windows\system32\drivers\truecrypt.sys
2011-12-15 00:46 . 2011-12-23 17:11	222904	----a-w-	c:\windows\system32\drivers\keyscrambler.sys
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-02-07 666384]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2011-12-23 1517520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-04 98304]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2010-12-21 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-22 136176]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-22 136176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-27 136360]
S2 DirMngr;DirMngr;c:\program files (x86)\GNU\GnuPG\dirmngr.exe [2011-03-02 224256]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2010-12-21 987704]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2010-12-21 399416]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2011-12-14 2984832]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - WS2IFSL
.
Inhalt des "geplante Tasks" Ordners
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-22 15:52]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-22 15:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\soundmax.exe" [2009-05-18 3866624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = 
mLocal Page = 
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: secunia.com\psi
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\
FF - prefs.js: browser.search.selectedEngine - Startingpage HTTPS - Deutsch
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=a2d1ece1398370b0e8129333d0592721
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.gopher - 
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 1
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-KeePass Password Safe 2 - c:\program files (x86)\KeePass Password Safe 2\KeePass.exe
Wow6432Node-HKLM-Run-KeePass 2 PreLoad - c:\program files (x86)\KeePass Password Safe 2\KeePass.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ðƒA*]
"7040110900063D11C8EF10054038389C"="C?\\Windows\\SysWOW64\\FM20ENU.DLL"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-03-05  23:23:37 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2012-03-05 22:23
.
Vor Suchlauf: 14 Verzeichnis(se), 107.998.781.440 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 107.842.879.488 Bytes frei
.
- - End Of File - - 6DF81294670BB63F54CC8BF893720A7C

--- --- ---

Das "assembly\tmp" Ding das da noch gelöscht wurde sagt mir nichts. Auch habe ich an keinem der im Log auftretenden registry Einträge selber Hand angelegt, zumindest nicht bewusst. Anderes ist mir da nicht aufgefallen (außer, dass ich mich wundere warum googleupdate zwei Tasks bei mir plant und Apple für die Erkennung seiner Geräte nen extra Prozess braucht).

Liebe Grüße
Hamlon

PUM.Hijack.StartMenu & Trojan.FakeAlert in der registry

Log-Analyse und Auswertung: PUM.Hijack.StartMenu & Trojan.FakeAlert in der registry

PUM.Hijack.StartMenu & Trojan.FakeAlert in der registry

Ähnliche Themen: PUM.Hijack.StartMenu & Trojan.FakeAlert in der registry