| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Registrierungsreparatur nach TrojanerbefallWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
25.05.2012, 11:17
| #28 |
 |  Registrierungsreparatur nach Trojanerbefall Combofix: [code] Combofix Logfile: Code:
ATTFilter ComboFix 12-05-25.02 - --- 25/05/2012 11:28:06.5.1 - x86
Running from: c:\users\---\Desktop\ComboFix.exe
Command switches used :: c:\users\---\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2012-04-25 to 2012-05-25 )))))))))))))))))))))))))))))))
.
.
2012-05-25 09:57 . 2012-05-25 09:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-25 08:45 . 2012-05-25 08:45 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B925106A-176E-4833-9007-DA752802C034}\offreg.dll
2012-05-24 06:32 . 2012-05-24 20:11 -------- d-----w- C:\FRST
2012-05-24 02:34 . 2012-05-24 20:10 -------- d-----w- C:\Boot
2012-05-23 20:48 . 2012-05-25 09:57 -------- d-----w- c:\users\---\AppData\Local\Temp
2012-05-23 13:54 . 2012-05-23 13:55 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-23 13:54 . 2012-05-23 13:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-22 13:12 . 2012-05-22 13:12 -------- d-----w- c:\users\---\AppData\Roaming\GlarySoft
2012-05-22 13:04 . 2012-05-22 13:04 -------- d-----w- c:\program files\Uniblue
2012-05-22 12:21 . 2012-05-22 12:21 -------- d-----w- c:\program files\Glarysoft
2012-05-21 10:12 . 2012-05-21 10:12 -------- d-----w- c:\program files\Passcape
2012-05-18 11:58 . 2012-05-18 12:03 -------- d-----w- c:\users\---\AppData\Roaming\Profiles
2012-05-18 11:58 . 2012-05-18 11:58 -------- d-----w- c:\users\---\AppData\Roaming\Skins
2012-05-18 11:58 . 2012-05-18 11:58 -------- d-----w- c:\users\---\AppData\Roaming\Settings
2012-05-18 11:58 . 2012-05-18 11:58 -------- d-----w- c:\users\---\AppData\Roaming\Language
2012-05-10 20:37 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-10 20:37 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\journal.dll
2012-05-10 20:37 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-10 20:37 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-10 20:37 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-10 20:37 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 20:37 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 20:37 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-10 20:36 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-10 20:36 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-02 18:50 . 2012-05-02 18:50 -------- d-sh--w- c:\program files\KGB
2012-04-30 21:37 . 2012-04-30 21:37 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-04-30 21:36 . 2012-02-29 23:59 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-04-30 21:36 . 2012-02-29 23:59 19444544 ----a-w- c:\windows\system32\nvoglv32.dll
2012-04-30 21:36 . 2012-02-29 23:59 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-04-28 17:09 . 2012-04-28 17:09 -------- d-----w- c:\users\---\AppData\Roaming\HD Tune Pro
2012-04-28 17:06 . 2012-04-28 17:09 -------- d-----w- c:\program files\HDTune
2012-04-28 16:44 . 2012-04-28 16:44 -------- d-----w- c:\users\---\AppData\Local\Western Digital
2012-04-28 16:36 . 2012-04-28 16:36 -------- d-----w- c:\users\---\AppData\Roaming\BinarySense
2012-04-28 16:35 . 2012-04-28 16:35 -------- d-----w- c:\program files\HdLife
2012-04-28 16:35 . 2012-04-28 16:35 -------- d-----w- c:\program files\Common Files\BinarySense
2012-04-28 15:41 . 2001-08-29 19:00 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
2012-04-28 15:41 . 1998-07-21 22:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2012-04-28 15:41 . 2012-04-28 15:47 -------- d-----w- c:\program files\lg_fwupdate
2012-04-28 15:41 . 2012-04-28 15:43 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2012-04-28 15:41 . 1998-06-23 22:00 115016 ----a-w- c:\windows\system32\MSINET.OCX
2012-04-28 15:41 . 2001-09-05 01:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-04-28 15:41 . 2001-09-05 01:18 225280 ------w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2012-04-28 15:41 . 2001-09-05 01:14 176128 ------w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-04-28 15:41 . 2001-09-05 01:13 32768 ------w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-04-28 15:41 . 2006-01-10 21:35 614532 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2012-04-28 15:32 . 2012-04-28 15:32 -------- d-----w- c:\program files\DVD Genie
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-22 13:26 . 2009-07-13 23:40 249856 ----a-w- c:\windows\system32\uxtheme.dll
2012-05-22 13:26 . 2011-10-29 15:48 2755072 ----a-w- c:\windows\system32\themeui.dll
2012-05-22 13:26 . 2009-07-13 23:39 37376 ----a-w- c:\windows\system32\themeservice.dll
2012-05-10 06:54 . 2012-04-17 16:54 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-10 06:54 . 2011-10-29 18:01 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-08 16:35 . 2012-03-24 11:40 60416 ----a-w- c:\windows\ALCFDRTM.VER
2012-04-04 13:56 . 2011-10-29 20:31 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 12:54 . 2012-02-06 14:09 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-27 12:54 . 2012-02-06 14:09 567696 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-24 11:40 . 2012-03-24 11:40 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2012-03-07 20:40 . 2012-03-07 20:40 1010720 --s---r- c:\windows\system32\MSCHRT20.OCX
2012-03-01 05:46 . 2012-04-12 14:39 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-12 14:39 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-12 14:39 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 14:39 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 23:59 . 2011-11-26 23:10 61248 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-29 23:59 . 2011-11-26 23:10 5892928 ----a-w- c:\windows\system32\nvcuda.dll
2012-02-29 23:59 . 2011-11-26 23:10 2517312 ----a-w- c:\windows\system32\nvcuvid.dll
2012-02-29 23:59 . 2011-11-26 23:10 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-02-29 23:59 . 2011-11-26 23:10 2301248 ----a-w- c:\windows\system32\nvapi.dll
2012-02-29 23:59 . 2011-11-26 23:10 17543488 ----a-w- c:\windows\system32\nvcompiler.dll
2012-02-29 23:59 . 2011-11-26 23:10 10819392 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-02-29 23:59 . 2009-06-10 21:19 15009600 ----a-w- c:\windows\system32\nvd3dum.dll
2012-02-29 20:56 . 2011-11-26 23:10 3881792 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:55 . 2011-11-26 23:10 2719040 ----a-w- c:\windows\system32\nvsvc.dll
2012-02-29 20:53 . 2011-11-26 23:10 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 20:53 . 2011-11-26 23:10 645440 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:53 . 2011-11-26 23:10 62272 ----a-w- c:\windows\system32\nvshext.dll
2012-02-28 01:18 . 2012-04-12 14:42 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 14:42 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 14:42 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 14:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 15:14 152160 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\Alwil Software\Avast5\AvastUI.exe" [2010-09-07 2838912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 12:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0ROBoot \??\c:\windows\system32\ASOROSet.bin
.
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2010-09-07 119200]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 aswArKrn;aswArKrn;c:\users\---\AppData\Local\Temp\aswArKrn.sys [x]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
R3 HH10Help.sys;HH10Help.sys;c:\windows\system32\drivers\HH10Help.sys [2008-11-06 18432]
R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [2009-04-29 25088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
R3 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-11-01 137600]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-11-01 8576]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
R3 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-02-29 2348352]
R3 PAC7311;Trust Webcam 14839;c:\windows\system32\DRIVERS\PA707UCM.SYS [2005-10-18 154752]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-11 7408]
R3 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-06 3027840]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-07 10064]
R3 VC10SecS;Virtual CD v10 Management Service;c:\program files\Virtual CD v10\System\VC10SecS.exe [2010-02-24 144712]
R4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-07-04 238952]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-09-07 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-11 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-11 74480]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2011-12-16 25088]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
IE: Download with FileServe Manager - c:\program files\FileServe Manager\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: Interfaces\{177994D8-96D5-4F24-AA0A-66B749006129}: NameServer = 208.67.222.222,208.67.220.220
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-25 12:03:18
ComboFix-quarantined-files.txt 2012-05-25 10:03
.
Pre-Run: 38,443,749,376 bytes free
Post-Run: 38,367,154,176 bytes free
.
- - End Of File - - 58942FF680F7EB4799245B3A4F4D31D7
Otl:  nach dem combofix war der windows startbutton unten links wieder auf standardfarbe, ich hatte mit dem tool "reshack" die farbe geandert gehabt, falls die info was hilft. |
| Themen zu Registrierungsreparatur nach Trojanerbefall |
| 00000008.@, ansicht, appdata, aufrufe, aufrufen, avast, code, einstellung, embedded, explorer, folge, folgende, frage, fragen, gespeichert, interne, internet, manuell, neustart, platte, problem, registry, roaming, schädlinge, speichern, standard, windos7, windows, ändern |
Baum-Darstellung