| |
| |||||||
Log-Analyse und Auswertung: BKA Trojaner 3.04Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
04.04.2012, 18:09
| #1 |
 |  BKA Trojaner 3.04 Eine sehr gute Freundin hat sich auch den BKA Trojaner 3.04 eingefangen. Sie hat Ihr Notebook nach der Infizierung sofort mit Gewalt abgeschalten quasi "abgewürgt" als es sich nicht mehr herunterfahren ließ und mir gegeben ich startete das Notebook dann mit einer nagelneuen AntiVir Rescue CD also war selbst nicht mehr im Betriebssystem was meiner Meinung auch am besten war und er hat 5 Viren gefunden die ich entfernen ließ. Erst danach habe ich am anderen Tag nochmal mit der AntiVir Rescue CD und diesmal mit Internetzugang über LAN (damit ich auch die aktuellsten Antiviren Signaturen downloaden konnte) einen zweiten Suchlauf gestartet. Leider habe ich die LOG-Datei nach einem zweiten Scan überschreiben lassen, deshalb habe ich diese nicht mehr zur Verfügung  . Es war aber beim ERSTEN Suchlauf unter anderem die typische skypePM.exe dabei, daran kann ich mich erinnern. Beim ZWEITEN Suchlauf zeigt er nur an das 5 CAB Dateien nicht untersucht werden können, ein Virus usw. wurde aber nicht entdeckt - die LOG Datei schreibt folgendes: Code:
ATTFilter WARNING: [Bad compressed data] /media/Devices/sda2/ProgramData/Microsoft/eHome/Packages/MCEClientUX/UpdateableMarkup-2.cab
WARNING: [Bad compressed data] /media/Devices/sda2/ProgramData/Microsoft/eHome/Packages/MCEClientUX/UpdateableMarkup-3.cab
WARNING: [Bad compressed data] /media/Devices/sda2/ProgramData/Microsoft/eHome/Packages/MCEClientUX/UpdateableMarkup-4.cab
WARNING: [Bad compressed data] /media/Devices/sda2/ProgramData/Microsoft/eHome/Packages/MCEClientUX/UpdateableMarkup-5.cab
WARNING: [Bad compressed data] /media/Devices/sda2/ProgramData/Microsoft/eHome/Packages/MCEClientUX/UpdateableMarkup.cab
 Zumindestens konnte Sie die dargestellte Meldung eindeutig indentifizieren !? Bevor ich das Notebook wieder vom eigentlichen Betriebssystem booten werde, habe ich mit der OTLPE CD die unten angegeben LOG's erstellt. Ich bitte jemanden vom Team sich diese anzusehen was er dazu meint und was man noch alles tun sollte um das Notebook von den "Plagegeistern" einschliesslich evtl. erstellter "Rootkits" zu befreien. Ich habe oft gelesen es nutzt nur die Festplatte zu clonen bzw. die "virenfreien" Dateien zu sichern, dann die infizierte Festplatte mit einem "Shredder Tool" sicher zu löschen, dann das Betriebssystem neu zu installieren und die "virenfreien" Dateien wieder auf das frisch installierte Betriebssystem zurück zu kopieren !? Davor scheue ich mich aber noch und hoffe die schnelle Reaktion von uns beiden hat das Schlimmste vermieden !? Und wie soll mit den oben angegeben CAB Dateien verfahren, denke schon das dies unveränderte Systemdateien sind, bin mir aber unsicher !? Habe den Benutzernamen wie in eurer Anleitung beschrieben mit *** ersetzt. Mir sind dadurch die Einträge in der OTL.Txt LOG-Datei mit am Anfang IE - HKU\***_ON_D aufgefallen was hat dieses _ON_D vor dem Benutzernamen zu bedeuten ??? Hier nun die OTL.Txt : Code:
ATTFilter OTL logfile created on: 4/4/2012 8:11:42 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 75.87 Mb Free Space | 75.87% Space Free | Partition Type: NTFS
Drive D: | 111.69 Gb Total Space | 71.18 Gb Free Space | 63.73% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
========== Win32 Services (SafeList) ==========
SRV:64bit: - [2010/05/07 13:45:16 | 000,197,976 | ---- | M] (Logitech Inc.) [Auto] -- D:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/10/11 08:59:49 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/11 08:59:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- D:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/29 09:59:18 | 000,155,344 | ---- | M] (Avanquest Software) [On_Demand] -- D:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe -- (Sony Ericsson PCCompanion)
SRV - [2010/03/18 07:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- D:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- D:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012/02/16 08:03:35 | 000,132,320 | ---- | M] (Avira GmbH) [Kernel | System] -- D:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2011/10/11 09:00:01 | 000,097,312 | ---- | M] (Avira GmbH) [File_System | Auto] -- D:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2011/10/11 09:00:01 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System] -- D:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/07/27 03:14:24 | 006,465,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam 500(UVC)
DRV:64bit: - [2010/07/27 03:12:16 | 000,339,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2010/05/07 13:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand] -- D:\Windows\System32\drivers\LVPr2M64.sys -- (LVPr2Mon)
DRV:64bit: - [2010/05/07 13:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand] -- D:\Windows\System32\drivers\LVPr2M64.sys -- (LVPr2M64)
DRV:64bit: - [2009/09/23 13:23:02 | 006,180,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/07/07 18:45:50 | 002,769,400 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\BCMWL664.SYS -- (BCM43XX)
DRV:64bit: - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- D:\Windows\System32\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- D:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- D:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\***_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com/
IE - HKU\***_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp
IE - HKU\***_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\***_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D3 1B 2B 65 3E 6D CB 01 [binary data]
IE - HKU\***_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer: D:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Google.com/GoogleEarthPlugin: D:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: D:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@playstation.com/PsndlCheck,version=1.00: D:\Program Files (x86)\Sony\PLAYSTATION Network Downloader\nppsndl.dll (Sony Computer Entertainment Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@SonyCreativeSoftware.com/Media Go,version=1.0: D:\Program Files (x86)\Sony\Media Go\npmediago.dll (Sony Network Entertainment International LLC)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O4 - HKLM..\Run: [avgnt] D:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [LWS] D:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKU\***_ON_D..\Run: [ccleaner] D:\Program Files (x86)\CCleaner\ccleaner.exe (Piriform Ltd)
O4 - HKU\***_ON_D..\Run: [SkypePM] File not found
O4 - HKU\***_ON_D..\Run: [Sony Ericsson PC Companion] D:\Program Files (x86)\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe (Sony Ericsson)
O4 - HKU\LocalService_ON_D..\Run: [Sidebar] D:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_D..\Run: [Sidebar] D:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_D..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_D..\RunOnce: [mctadmin] File not found
O4 - Startup: D:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\***_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - D:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Geräteerkennung)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{788aa147-0d85-11e1-91a5-001a6b79b0ca}\Shell - "" = AutoRun
O33 - MountPoints2\{788aa147-0d85-11e1-91a5-001a6b79b0ca}\Shell\AutoRun\command - "" = E:\Startme.exe
O33 - MountPoints2\{7ea3cb60-889e-11e0-b375-001a6b79b0ca}\Shell - "" = AutoRun
O33 - MountPoints2\{7ea3cb60-889e-11e0-b375-001a6b79b0ca}\Shell\AutoRun\command - "" = E:\LGAutoRun.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2012/03/28 14:34:14 | 000,000,000 | ---D | C] -- D:\Windows\Sun
[2012/03/14 14:55:53 | 005,559,152 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\ntoskrnl.exe
[2012/03/14 14:55:52 | 003,968,368 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\ntkrnlpa.exe
[2012/03/14 14:55:51 | 003,913,584 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\ntoskrnl.exe
[2012/03/14 13:02:29 | 001,544,192 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\DWrite.dll
[2012/03/14 13:02:29 | 001,077,248 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\DWrite.dll
[2012/03/13 15:24:45 | 000,149,504 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\rdpcorekmts.dll
[2012/03/13 15:24:45 | 000,077,312 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\rdpwsx.dll
[2012/03/13 15:24:45 | 000,009,216 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\rdrmemptylst.exe
[2012/03/13 15:24:43 | 001,031,680 | ---- | C] (Microsoft Corporation) -- D:\Windows\System32\rdpcore.dll
[2012/03/13 15:24:43 | 000,826,880 | ---- | C] (Microsoft Corporation) -- D:\Windows\SysWow64\rdpcore.dll
[2004/11/24 15:25:52 | 000,335,872 | ---- | C] ( ) -- D:\Windows\SysWow64\drvc.dll
========== Files - Modified Within 30 Days ==========
[2012/04/03 07:18:58 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2012/04/03 06:30:16 | 000,001,108 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/03 04:40:57 | 000,014,784 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/03 04:40:57 | 000,014,784 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/03 04:39:38 | 000,657,910 | ---- | M] () -- D:\Windows\System32\perfh007.dat
[2012/04/03 04:39:38 | 000,619,146 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2012/04/03 04:39:38 | 000,131,250 | ---- | M] () -- D:\Windows\System32\perfc007.dat
[2012/04/03 04:39:38 | 000,107,466 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2012/04/03 04:32:29 | 000,001,104 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/03 04:31:29 | 2408,148,992 | -HS- | M] () -- D:\hiberfil.sys
[2012/04/03 04:27:04 | 000,419,280 | ---- | M] () -- D:\Windows\System32\FNTCACHE.DAT
[2012/04/02 19:02:50 | 000,003,240 | ---- | M] () -- D:\bootsqm.dat
[2012/03/25 13:43:08 | 000,007,098 | ---- | M] () -- D:\scheduler.hist
[2012/03/25 13:43:08 | 000,000,294 | ---- | M] () -- D:\Windows\tasks\Defraggler Volume C Task.job
[2012/03/25 13:15:06 | 000,002,344 | ---- | M] () -- D:\Users\Public\Desktop\Google Chrome.lnk
[2012/03/12 15:25:31 | 000,001,137 | ---- | M] () -- D:\Users\***\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
========== Files Created - No Company Name ==========
[2012/04/02 19:02:50 | 000,003,240 | ---- | C] () -- D:\bootsqm.dat
[2011/02/26 12:10:07 | 000,252,928 | ---- | C] () -- D:\Windows\SysWow64\DShowRdpFilter.dll
[2011/01/23 09:04:36 | 000,002,003 | ---- | C] () -- D:\Windows\DIR-615.bin
[2010/11/03 15:03:15 | 000,000,056 | -H-- | C] () -- D:\Windows\SysWow64\ezsidmv.dat
[2010/10/16 14:46:55 | 000,035,837 | ---- | C] () -- D:\Users\***\AppData\Roaming\Kommagetrennte Werte (Windows).ADR
[2010/10/01 01:57:39 | 001,526,948 | ---- | C] () -- D:\Windows\SysWow64\PerfStringBackup.INI
[2010/07/27 03:03:20 | 010,829,656 | ---- | C] () -- D:\Windows\SysWow64\LogiDPP.dll
[2010/07/27 03:03:20 | 000,102,744 | ---- | C] () -- D:\Windows\SysWow64\LogiDPPApp.exe
[2010/07/27 03:03:18 | 000,290,648 | ---- | C] () -- D:\Windows\SysWow64\DevManagerCore.dll
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- D:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- D:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- D:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- D:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- D:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- D:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- D:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- D:\Windows\SysWow64\mlang.dat
[2008/12/19 11:15:58 | 004,338,246 | ---- | C] () -- D:\Windows\SysWow64\libavcodec.dll
[2008/12/17 13:41:18 | 000,884,237 | ---- | C] () -- D:\Windows\SysWow64\ff_x264.dll
[2008/12/17 13:22:58 | 000,093,184 | ---- | C] () -- D:\Windows\SysWow64\ff_wmv9.dll
[2008/12/17 13:22:48 | 000,057,344 | ---- | C] () -- D:\Windows\SysWow64\ff_vfw.dll
[2008/12/17 13:17:34 | 000,239,247 | ---- | C] () -- D:\Windows\SysWow64\ff_theora.dll
[2008/12/17 12:59:54 | 000,560,802 | ---- | C] () -- D:\Windows\SysWow64\libmplayer.dll
[2006/11/02 12:10:16 | 000,080,912 | ---- | C] () -- D:\Windows\SysWow64\sherlock2.exe
[2004/10/03 13:50:54 | 000,129,024 | ---- | C] () -- D:\Windows\SysWow64\ff_mpeg2enc.dll
========== LOP Check ==========
[2010/09/29 03:15:11 | 000,000,000 | -HSD | M] -- D:\ProgramData\Anwendungsdaten
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Application Data
[2011/01/08 11:06:08 | 000,000,000 | ---D | M] -- D:\ProgramData\CanonBJ
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Desktop
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Documents
[2010/09/29 03:15:11 | 000,000,000 | -HSD | M] -- D:\ProgramData\Dokumente
[2010/09/29 03:15:11 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favoriten
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Favorites
[2010/10/02 06:23:46 | 000,000,000 | ---D | M] -- D:\ProgramData\MSScanAppDataDir
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Start Menu
[2010/09/29 03:15:11 | 000,000,000 | -HSD | M] -- D:\ProgramData\Startmenü
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- D:\ProgramData\Templates
[2010/09/29 03:15:12 | 000,000,000 | -HSD | M] -- D:\ProgramData\Vorlagen
[2012/03/25 13:43:08 | 000,000,294 | ---- | M] () -- D:\Windows\Tasks\Defraggler Volume C Task.job
[2011/07/21 13:06:13 | 000,032,632 | ---- | M] () -- D:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
Code:
ATTFilter OTL Extras logfile created on: 4/4/2012 8:11:43 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 75.87 Mb Free Space | 75.87% Space Free | Partition Type: NTFS
Drive D: | 111.69 Gb Total Space | 71.18 Gb Free Space | 63.73% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001
========== Extra Registry (SafeList) ==========
========== File Associations ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- D:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- D:\Windows\System32\rundll32.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- D:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- D:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
========== Shell Spawning ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== HKEY_LOCAL_MACHINE Uninstall List ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"ffdshow64_is1" = ffdshow x64 v1.1.3866 [2011-05-30]
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E3DAF3D-FF69-345A-A99E-1FED304CA083}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0407-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (German) 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"ffdshow64_is1" = ffdshow x64 v1.1.3866 [2011-05-30]
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack
< End of report >
Für Eure Mühen bedanke ich mich schon mal im voraus !!!  Info zum Screenshot: Quelle: botfrei.de - Die BKA-Trojaner Galerie Geändert von W.V (04.04.2012 um 18:52 Uhr) |
| Themen zu BKA Trojaner 3.04 |
| anfang, anleitung, antivir, betriebssystem, bka trojaner 3.04, dateien, entfernen, festplatte, folge, google earth, herunterfahren, infizierte, install.exe, kopieren, lan, langs, log's, log-datei, lws.exe, löschen, meldung, nicht mehr, nicht untersucht, notebook, plagegeister, plug-in, reaktion, rescue cd, rootkits, scan, screenshot, systemdateien, tool, trojaner, updateablemarkup, version=1.0, viren, virus |
Baum-Darstellung