Log analysis and evaluation: TR/Vundo.Gen !! Please take a trained look at the log file (Windows 7)
#5
TR/Vundo.Gen !! Please take a trained look at the log file

Here is part 3: ComboFix.txt

```
((((((((((((((((((((((( Dateien erstellt von 2008-07-28 bis 2008-08-31 ))))))))))))))))))))))))))))))
.
2008-08-31 22:25 . 2008-08-31 22:25 <DIR> d-------- C:\Program Files\CCleaner
2008-08-31 22:23 . 2008-08-31 22:23 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-31 17:53 . 2008-08-31 17:53 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\Malwarebytes
2008-08-31 17:52 . 2008-08-31 17:52 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-31 17:52 . 2008-08-31 17:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 17:52 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-31 17:52 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-29 21:01 . 2008-08-29 21:01 <DIR> d-------- C:\VundoFix Backups
2008-08-29 16:57 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
2008-08-29 16:37 . 2008-08-29 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 16:28 . 2008-04-26 10:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-08-29 16:28 . 2008-04-26 10:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-08-29 16:28 . 2008-04-26 10:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-08-29 16:28 . 2008-04-12 05:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-08-29 16:28 . 2008-05-10 05:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-08-29 16:28 . 2008-04-05 03:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-08-29 16:28 . 2008-04-05 05:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-08-29 15:21 . 2008-05-08 23:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-08-29 15:21 . 2008-05-08 23:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-08-29 15:21 . 2008-05-08 23:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-08-29 15:21 . 2008-05-08 23:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-08-29 15:21 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-08-29 15:21 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-08-29 15:21 . 2008-05-08 23:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-21 22:43 . 2008-07-21 22:43 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\ScreenSeven
2008-07-21 22:43 . 2008-07-23 21:29 <DIR> d-------- C:\Program Files\DEUTSCHLAND SPIELT
2008-07-20 21:12 . 2008-07-20 21:12 <DIR> d-------- C:\ProgramData\eMule
2008-07-18 20:48 . 2008-07-21 22:29 <DIR> d-------- C:\ProgramData\Zylom
2008-07-14 21:23 . 2008-07-14 21:23 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\SpinTop
2008-07-14 21:17 . 2008-07-22 21:04 <DIR> d-------- C:\Program Files\eMule
2008-07-12 12:02 . 2008-07-12 12:02 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\Zylom
2008-07-11 12:59 . 2008-01-19 09:35 4,497,408 --a------ C:\Windows\System32\NlsData0019.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 20:40 --------- d---a-w C:\ProgramData\TEMP
2008-08-31 20:29 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-31 18:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-31 18:02 --------- d-----w C:\ProgramData\Google Updater
2008-08-29 18:13 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-07-25 13:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-24 21:16 --------- d-----w C:\Program Files\Bluefish Games
2008-07-24 20:37 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-21 20:42 --------- d-----w C:\Program Files\OXXOGames
2008-07-18 13:34 --------- d-----w C:\Users\Dagiputz\AppData\Roaming\BOM
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-05-25 16:40 141,834 ----a-w C:\Users\Dagiputz\AppData\Roaming\mdb.bin
2008-02-01 19:05 112,344 ----a-w C:\Users\Dagiputz\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-10-20 14:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-05-01 22:08 174 --sha-w C:\Program Files\desktop.ini
2007-09-14 13:50 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-14 13:50 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-14 13:50 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-08-31_22.16.34.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-31 17:55:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-31 20:39:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-31 17:55:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-31 20:39:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-31 17:59:25 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-31 20:43:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-31 17:59:19 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-31 20:43:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-31 17:55:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-31 17:55:45 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-31 17:55:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-31 17:55:45 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-31 17:55:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-31 17:55:45 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-31 17:58:56 10,516 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-86957554-3768365177-1958328448-1000_UserData.bin
+ 2008-08-31 20:44:03 10,516 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-86957554-3768365177-1958328448-1000_UserData.bin
- 2008-08-31 17:58:56 67,272 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-31 20:44:01 67,382 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-31 17:58:47 57,450 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-31 20:43:26 57,732 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 21:35 90112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 14:35 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"PhonostarAgent"="C:\Program Files\phonostar\ps_agent.exe" [2007-12-05 16:10 98304]
"PhonostarTimer"="C:\Program Files\phonostar\ps_timer.exe" [2007-12-05 16:14 126976]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-26 20:50 149040]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2008-05-11 13:19 5423104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 22:43 729088]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-26 21:12 161328]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-03-26 20:42 1057328]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 15:27 815104]
"AVMWlanClient"="C:\Program Files\avmwlanstick\wlangui.exe" [2006-12-28 02:02 1454080]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-14 14:39 1836544]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 16:23 266497]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 08:35 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-22 20:41 185896]
" Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-07-30 20:07 1187448]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 11:07 4390912 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-12-05 20:14:28 421888]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-14 14:35:23 126136]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6D74064E-E926-4075-84F4-4D75312EC1D4}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7C892769-857B-42A0-8820-1329DECCC9B6}"= UDP:C:\Program Files\Zugspitze3D\zugspitze3d.exe:Zugspitze3D
"{A8AF7B47-C2A4-49C2-808C-98A7FB62B93F}"= TCP:C:\Program Files\Zugspitze3D\zugspitze3d.exe:Zugspitze3D
"{52645A98-7A1A-4C42-BFEF-31CBC941B884}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{C26330B5-EFAB-4B8D-BE87-0D02D762CF85}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{A8DCE179-3ABE-439B-9A6A-EEB1ED8A6EBD}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{105D1306-A591-44C2-898B-F272A935B381}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{461122E3-57C1-4CA1-897A-8157236E8357}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{2A4B9376-8FF2-495A-8427-A98DD0EF6C98}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{BEA68575-8437-4EA1-AFFB-52988DC89E02}\\\\frando-0b894591\\frando (f)\\homepage\\internetstudio 6.1\\jre\\bin\\javaw.exe"= UDP:\\frando-0b894591\frando (f)\homepage\internetstudio 6.1\jre\bin\javaw.exe:javaw.exe
"UDP Query User{2BF225CC-8DC1-488D-B70B-66E8C07E8F9C}\\\\frando-0b894591\\frando (f)\\homepage\\internetstudio 6.1\\jre\\bin\\javaw.exe"= TCP:\\frando-0b894591\frando (f)\homepage\internetstudio 6.1\jre\bin\javaw.exe:javaw.exe
"TCP Query User{259DA247-34B3-4D8D-A3A6-46CA6484F7F6}\\\\frando-0b894591\\frando (f)\\programme\\esel\\emule\\emule.exe"= UDP:\\frando-0b894591\frando (f)\programme\esel\emule\emule.exe:emule.exe
"UDP Query User{BBC39836-8A91-4A1F-A645-4BA2284CBE82}\\\\frando-0b894591\\frando (f)\\programme\\esel\\emule\\emule.exe"= TCP:\\frando-0b894591\frando (f)\programme\esel\emule\emule.exe:emule.exe
"TCP Query User{77F98668-3D84-4CF7-8A8B-A0F15BDA1EB6}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{0F7D3ECD-CB32-49E3-AB5C-F8AFD25009AF}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{33F890C7-C1A8-4DE9-8518-410790F0BAF1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F8C81EE5-CC82-4E2A-996C-C4FEC21EB74B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{998C7F47-F59D-4111-8EFE-F5AFE09BED8F}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{3076C2ED-719A-4A11-90B3-F474AC7B3A24}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\fotobuch.de AG\\Designer 2.0\\Designer.exe"= C:\Program Files\fotobuch.de AG\Designer 2.0\Designer.exe:*

R3 WCPU;WCPU;C:\Program Files\P4G\WCPU.sys [2007-01-03 00:37]
S3 avmeject;AVM Eject;C:\Windows\system32\drivers\avmeject.sys [2006-12-28 02:02]
S3 FWLANUSB;AVM FRITZ!WLAN;C:\Windows\system32\DRIVERS\fwlanusb.sys [2006-12-28 02:02]
S3 PAC7311;Trust Webcam 14839;C:\Windows\system32\DRIVERS\PA707UCM.SYS [2005-10-18 19:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8235f94a-61e6-11dc-b5d4-001d6050f13e}]
\shell\AutoRun\command - F:\pushinst.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f41a68fa-6c2f-11dc-8f76-001d6050f13e}]
\shell\Auto\command - xmsqubxan.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL xmsqubxan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb
.
Inhalt des "geplante Tasks" Ordners
2008-07-25 C:\Windows\Tasks\Norton Security Scan.job - C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Users\Dagiputz\AppData\Roaming\Mozilla\Firefox\Profiles\wmt14ijk.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.de
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 22:46:19
Windows 6.0.6001 Service Pack 1 NTFS
detected NTDLL code modification:
ZwClose
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-31 22:52:28
ComboFix-quarantined-files.txt 2008-08-31 20:51:54
ComboFix2.txt 2008-08-31 20:18:50
Pre-Run: 17 Verzeichnis(se), 15,398,428,672 Bytes frei
Post-Run: 23 Verzeichnis(se), 15,375,970,304 Bytes frei
196 --- E O F --- 2008-08-30 13:18:29
```