Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: trojan-spy.win32.greenscreen

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.

Antwort
Alt 14.10.2008, 10:29   #1
MarcusLehman
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Hallo Trojanerexperten,

ich habe mir den trojaner trojan-spy.win32.greenscreen eingefangen.
oder auch dieses xp antispy 2009.
es meldet zumindest ein weißes kreuz in rotem kreis in der symbolleiste.
ich habe antivir, a-squared, spybot, adaware und pestpatrol das system checken lassen und alles gefundene entfernt.
auch habe ich den hier empfohlenen CCleaner angewendet.(tolles programm für shareware!)
da ich aber im forum einen ähnlichen fall entdeckt habe,

http://www.trojaner-board.de/59949-t...grundbild.html

und dieser user berichtet, dass meine verwendeten programme nicht ausreichend wären, würd ich euch bitten einen kurzen blick auf mein log file zu werfen, ob das system wirklich sauber ist; ich also ein wiederherstellungspunkt setzten kann.


viel dank für das tolle engagement auf dieser seite

system: MS XP professinal version 2002 service pack 2
2.51GHz (Core Duo), 3.25 GB RAM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:31, on 14.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[edit]
Bitte editiere zukünftig deine Links, wie es dir u.a. hier angezeigt wird:
http://www.trojaner-board.de/22771-a...tml#post171958

Danke.
Sunny
[/edit]

Geändert von MarcusLehman (14.10.2008 um 10:59 Uhr)

Alt 14.10.2008, 12:21   #2
Chris4You
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Hi,

Du hast Dich nicht an die Boardregeln gehalten und Deine Links/pers. Infos nicht "unkenntlich" gemacht!
Aktive Links und persönliche Informationen in HJT Log-Files (http://www.trojaner-board.de/22771-aktive-links-und-persoenliche-informationen-hjt-log-files.html#post171958)

Das hier sieht interessant aus:
O20 - AppInit_DLLs: 72.dll

Das File sollte in C:\WINDOWS\system32 liegen, sonst suchen!

Bitte folgendes File prüfen:

Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
ATTFilter
C:\WINDOWS\system32\72.dll
         
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

chris
__________________

__________________

Alt 15.10.2008, 11:54   #3
MarcusLehman
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



hey chris,

vielen dank für die schnelle antwort,
verzeihung für die unachtsamkeit mit den links, kommt nicht mehr vor.
leider ist diese datei nicht zufinden,
im ordner selber und mit der such funktion, ich habe auch C danach durchsuchen lassen, leider nichts.
im logfile ist sie aber immer noch vorhanden
wie soll ich nun weiter vorgehn?
und wie genau erhalte ich die Hashwerte?
ist das einer der werte unter filesize bei virus total?
MD5...:
SHA1..:
SHA256:
SHA512:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:23, on 15.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\a-squared free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.BIN
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\VideoLAN\VLC\vlc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/default.aspx?scid=kb;en-us;281336
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programme\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{315AC~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{315AC~1\reboot.ini -l0x7
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\RunOnce: [StartMSu] C:\Programme\Creative\MediaSource5\Startmsu.exe /s
O4 - HKCU\..\RunOnce: [CMSRegOu] C:\Programme\Creative\MediaSource5\CMSRegOu.exe /r
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76422F0F-5D23-47AF-B9A0-DAA3185B0E75}: NameServer = 192.168.178.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: 72.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programme\a-squared free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--
End of file - 7973 bytes
__________________

Alt 15.10.2008, 16:35   #4
Chris4You
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Hi,

abgesicherter Modus (F8 beim Booten), dort mit HJ den Eintrag:
O20 - AppInit_DLLs: 72.dll
fixen:
Öffne das HijackThis -- Button "scan" -- vor den unten genannten Einträge(n) Häkchen setzen -- Button "Fix checked" -- PC neustarten
Achtung: Alle Anwendungen bis auf HJ müssen geschlossen sein, ein eventuell aktiver Teatimer von Spybot muss unbedingt deaktiviert sein!)

Dann normal booten, neues HJ-Log und prüfen ob der Eintrag weg ist;

MAM (Malwarebytes Antimalware)
Anleitung&Download hier: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html

Fullscan und alles bereinigen lassen, Log posten...

chris
__________________
Don't bring me down
Vor dem posten beachten!
Spenden
(Wer spenden will, kann sich gerne melden )

Alt 16.10.2008, 19:04   #5
MarcusLehman
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



hey chirs,

danke für die anleitung, habe alles befolgt und hat funktioniert,
punkt 20 im log ist weg
nur nach dem scan im abgesicherten modus und neustart,
war der admin bei den benutzern dabei und in meinem benutzer war das desgin auf klassik gestellt und die netzwerk nicht mehr vorhanden(auch kein internet)
auch nach erneutem start das gleich,
also habe ich "das letzte funktionierene" system gestartet,
war da noch irgendwie der abgesicherte modus aktiv

vielen dank für die hilfe:aplaus::aplaus:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1263
Windows 5.1.2600 Service Pack 2

16.10.2008 18:52:19
mbam-log-2008-10-16 (18-52-19).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 260981
Laufzeit: 1 hour(s), 0 minute(s), 1 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini104552663.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55:47, on 16.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\a-squared free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.BIN
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTPdeSrv.exe
c:\progra~1\gemein~1\instal~1\update~1\isuspm.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\agent.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/default.aspx?scid=kb;en-us;281336
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programme\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76422F0F-5D23-47AF-B9A0-DAA3185B0E75}: NameServer = 192.168.178.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programme\a-squared free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--
End of file - 7405 bytes


Alt 17.10.2008, 07:35   #6
Chris4You
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Hi,

das Log sieht soweit gut aus.

Wir schauen noch mal etwas tiefer in's System:

SilentRunner:
Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen.
Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten.
http://www.silentrunners.org/Silent%20Runners.zip

Die brastk.exe ist ein Trojaner-Downloader/Backdoor und war nicht in den Logs zu finden, da gibt es jetzt zwei Möglichkeiten:
- ist neu nach den Logs draufgekommen
- ein Rootkit ist aktiv

Aktualisiere Antivir, stelle dein Antivir ein, wie hier beschrieben:
http://www.trojaner-board.de/54192-a...tellungen.html und führe einen Fullscan durch...

Avira-Antirootkit
Downloade Avira Antirootkit und Scanne dein system, poste das logfile.
http://dl.antivir.de/down/windows/antivir_rootkit.zip

Poste die Logs;

chris
__________________
--> trojan-spy.win32.greenscreen

Alt 18.10.2008, 14:20   #7
MarcusLehman
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



hey chirs,

danke für die anleitung!
ich habe die von antivir gefungen objekte in quarantäne gestellt,
welche davon sind nun zu löschen?

beste grüße
marcus

antivir root kit hat nichts gefungen.


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSyncU.exe" = ""C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"" [empty string]
"(Default)" = "(empty string)" [file not found]
"Veoh" = ""C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"TerraTec Remote Control" = ""C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"" ["TerraTec Electronic GmbH"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"PWRISOVM.EXE" = "C:\Programme\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"pdfSaver3" = "(empty string)" [file not found]
"ISUSPM Startup" = "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"ASUSGamerOSD" = "C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [file not found]
"ISUSScheduler" = ""C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start" ["InstallShield Software Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
-> {HKLM...CLSID} = "NOMAD Explorer"
\InProcServer32\(Default) = "C:\Programme\Creative\Creative Zen Touch\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
-> {HKLM...CLSID} = "VPCHostCopyHook"
\InProcServer32\(Default) = "C:\Programme\Microsoft Virtual PC\VPCShExH.DLL" [MS]
"{4AFB2C17-9D16-4478-AEF4-C3FC539961E4}" = "ZEN Media Explorer"
-> {HKLM...CLSID} = "ZEN Media Explorer"
\InProcServer32\(Default) = "C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\SHCTMTP.dll" ["Creative Technology Ltd"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk-Zeichnungsvorschau"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Symbol-Overlay-Steuerprogramm fE AutoCAD Digitale Signaturen"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk, Inc."]
"{8A0BC933-7552-42E2-A228-3BE055777227}" = "AutoCAD-DWG-Spalten-Steuerprogramm"
-> {HKLM...CLSID} = "AcColumnHandler"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{5800AD5B-72C1-477B-9A08-CA112DF06D97}" = "AutoCAD-DWG-InfoTipp-Steuerprogramm"
-> {HKLM...CLSID} = "AcInfoTipHandler"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{ADC46291-D8A1-4486-A24C-86FFB392AEFA}" = "Autodesk Dgn File Preview"
-> {HKLM...CLSID} = "AcDgnImageExtractor"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDgnCOM17.dll" ["Autodesk"]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
\InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"relog_ap"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{8A0BC933-7552-42E2-A228-3BE055777227}\(Default) = "AutoCAD DWG column info"
-> {HKLM...CLSID} = "AcColumnHandler"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
-> {HKLM...CLSID} = "DWFShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Dwf Common\DWFShellExtension.dll" ["Autodesk, Inc."]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Programme\BreakPoint Software\Hex Workshop 4.2\hwext.dll" ["BreakPoint Software, Inc."]
moveonboot_delete\(Default) = "{12B23346-6BD8-4812-BF8C-75E7C386ACB8}"
-> {HKLM...CLSID} = "MoveOnBootBootPopupMenuShlExt Class"
\InProcServer32\(Default) = "C:\Programme\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll" ["Gibin Software House (http://www.gibinsoft.net)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
-> {HKLM...CLSID} = "Autodesk Inventor Part"
\InProcServer32\(Default) = "C:\Programme\Autodesk\Inventor 2008\Bin\DT.dll" ["Autodesk, Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Studium\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTMTPHandler\
"Provider" = "Creative Media Explorer"
"ProgID" = "CTMtpAut.CTMtpEventHandler"
"InitCmdLine" = "OrganizeUsingZME"
HKLM\SOFTWARE\Classes\CTMtpAut.CTMtpEventHandler\CLSID\(Default) = "{9F40AC21-F4D1-477C-AC95-7A935224220F}"
-> {HKLM...CLSID} = "CTMtpEventHandler Class"
\LocalServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CTMtpAut.exe" ["Creative Technology Ltd."]

CTPlayAudioOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayAudioOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /Organizer" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /PlayNow "%L"" ["Creative Technology Ltd"]

DVDDecrypterPlayDVDMovieOnArrival\
"Provider" = "DVD Decrypter"
"InvokeProgID" = "DVDDecrypter"
"InvokeVerb" = "PlayDVDMovieOnArrival_Decrypt"
HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = ""C:\Programme\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"]

MSPictureItViewOnArrival\
"Provider" = "Microsoft Picture It! Express 7.0"
"InvokeProgID" = "Microsoft.Picture.It.7.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.Picture.It.7.AutoPlay\shell\AutoPlay\Command\(Default) = ""C:\Programme\Microsoft Picture It! 7\pip.exe" /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file dvd:%1" ["VideoLAN Team"]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Studium" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Studium\Startmenü\Programme\Autostart
"OpenOffice.org 2.4" -> shortcut to: "C:\Programme\OpenOffice.org 2.4\program\quickstart.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"Uniblue SpyEraser Nag" -> launches: "C:\Programme\Uniblue\SpyEraser\SpyEraser.exe -ynag" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""c:\programme\a-squared free\a2service.exe"" ["Emsi Software GmbH"]
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Acronis Try And Decide Service, TryAndDecideService, ""C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe"" [null data]
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
Backbone Service, BBDemon, "C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe -service" ["Dassault Systemes"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
SecuROM User Access Service, UserAccess, "C:\WINDOWS\system32\UAService.exe" [null data]
SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"]


---------- (launch time: 2008-10-17 12:19:58)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 32 seconds, including 11 seconds for message boxes)

Alt 18.10.2008, 14:24   #8
MarcusLehman
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Avira AntiVir Personal
Report file date: Samstag, 18. Oktober 2008 12:50

Scanning for 1692263 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CYBER-CARL

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 12.08.2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 17.07.2008 21:26:38
AVSCAN.DLL : 8.1.4.0 40705 Bytes 17.07.2008 21:26:38
LUKE.DLL : 8.1.4.5 164097 Bytes 17.07.2008 21:26:38
LUKERES.DLL : 8.1.4.0 12033 Bytes 17.07.2008 21:26:38
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 09:26:13
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24.06.2008 21:51:16
ANTIVIR2.VDF : 7.0.7.12 4066816 Bytes 08.10.2008 18:04:25
ANTIVIR3.VDF : 7.0.7.58 315904 Bytes 17.10.2008 10:49:34
Engineversion : 8.2.0.5
AEVDF.DLL : 8.1.0.6 102772 Bytes 17.10.2008 09:23:32
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 17.10.2008 09:23:31
AESCN.DLL : 8.1.1.3 123252 Bytes 17.10.2008 09:23:30
AERDL.DLL : 8.1.1.2 438644 Bytes 19.09.2008 07:27:00
AEPACK.DLL : 8.1.2.4 369014 Bytes 17.10.2008 09:23:30
AEOFFICE.DLL : 8.1.0.28 196987 Bytes 17.10.2008 09:23:28
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 19.09.2008 07:26:58
AEHELP.DLL : 8.1.1.2 115062 Bytes 17.10.2008 09:23:27
AEGEN.DLL : 8.1.0.41 319861 Bytes 17.10.2008 09:23:27
AEEMU.DLL : 8.1.0.9 393588 Bytes 17.10.2008 09:23:25
AECORE.DLL : 8.1.2.6 172406 Bytes 17.10.2008 09:23:24
AEBB.DLL : 8.1.0.3 53618 Bytes 17.10.2008 09:23:23
AVWINLL.DLL : 1.0.0.12 15105 Bytes 17.07.2008 21:26:38
AVPREF.DLL : 8.0.2.0 38657 Bytes 17.07.2008 21:26:38
AVREP.DLL : 8.0.0.2 98344 Bytes 02.08.2008 08:44:10
AVREG.DLL : 8.0.0.1 33537 Bytes 17.07.2008 21:26:38
AVARKT.DLL : 1.0.0.23 307457 Bytes 21.04.2008 22:04:35
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 17.07.2008 21:26:38
SQLITE3.DLL : 3.3.17.1 339968 Bytes 21.04.2008 22:04:35
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 17.07.2008 21:26:38
NETNT.DLL : 8.0.0.1 7937 Bytes 21.04.2008 22:04:35
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 17.07.2008 21:26:37
RCTEXT.DLL : 8.0.52.0 86273 Bytes 17.07.2008 21:26:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programme\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: off
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Samstag, 18. Oktober 2008 12:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'LingoPad.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'CTPdeSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'UAService.exe' - '1' Module(s) have been scanned
Scan process 'TrueImageTryStartService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'CATSysDemon.exe' - '1' Module(s) have been scanned
Scan process 'AdskScSrv.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'schedul2.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.EXE' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'CTSyncU.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'Reader_SL.exe' - '1' Module(s) have been scanned
Scan process 'PWRISOVM.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'TTTVRC.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '52' files ).


Starting the file scan:

Begin scan in 'C:\' <Lokaler Datenträger Eugen>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '495bcdc6.qua'!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '496ccdc9.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080408.exe
[DETECTION] Is the TR/Pakes.kzv Trojan
[NOTE] The file was moved to '4929ce5a.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080617.exe
[DETECTION] Is the TR/FraudPack.alk Trojan
[NOTE] The file was moved to '4929ce61.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP292\A0082324.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4929ce76.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP292\A0082325.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4929ce78.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082358.exe
[DETECTION] Is the TR/Dldr.Obfuscated.dtl Trojan
[NOTE] The file was moved to '4929ce7d.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082360.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
--> SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4929ce81.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082379.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '4929ce85.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082380.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4929ce87.qua'!
C:\WINDOWS\system32\sdenavyp.exe
[DETECTION] Is the TR/Obfuscated.GX.2662 Trojan
[NOTE] The file was moved to '495ecfc4.qua'!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd4461.sys
[WARNING] The file could not be opened!


End of the scan: Samstag, 18. Oktober 2008 13:59
Used time: 1:08:58 Hour(s)

The scan has been done completely.

17869 Scanning directories
904446 Files were scanned
12 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
11 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
904430 Files not concerned
8220 Archives were scanned
6 Warnings
11 Notes

Alt 19.10.2008, 00:41   #9
Chris4You
 
trojan-spy.win32.greenscreen - Standard

trojan-spy.win32.greenscreen



Hi,

einige Sachen die Avira gefunden hat, gehören zu den benutzten Tools,
andere sind in der Systemwiederherstellung ...

Daher:
Systemwiederherstellung löschen
http://www.systemwiederherstellung-deaktivieren.de/windows-xp.html
Wenn der Rechner einwandfrei läuft abschließend alle Systemwiederherstellungspunkte löschen lassen(das sind die: C:\System Volume Information\_restore - Dateien die gefunden wurden, d.h. der Trojaner wurde mit gesichert und wenn Du auf einen Restorepunkt zurück gehen solltest, dann ist er wieder da) wie folgt:

Arbeitsplatz ->rechte Maus -> Eigenschaften -> Systemwiederherstellung ->
anhaken: "Systemwiederherstellung auf allen Laufwerken deaktivieren" -> Übernehmen -> Sicherheitsabfrage OK -> Fenster mit OK schliessen -> neu Booten;

Dann das gleiche nochmal nur das Häkchen entfernen (dann läuft sie wieder).

Einen ersten Restorepunkt setzten:
Start->Programme->Zubehör->Systemprogramme->Systemwiederherstellung->einen Wiederherstellungspunkt erstellen->weiter, Beschreibung ausdenken->Erstellen

Die Quarantäne von Avira würde ich erstmal bestehen lassen, wenn sicher ist dass alles Läuft kann immer noch gelöscht werden!

chris
__________________
Don't bring me down
Vor dem posten beachten!
Spenden
(Wer spenden will, kann sich gerne melden )

Antwort

Themen zu trojan-spy.win32.greenscreen
adaware, antivir, ccleaner, checken, file, forum, hijack, hijackthis, links, log, log file, mein log, micro, programm, programme, screen, seite, service, sp2, spybot, system, trend, version, windows, windows xp, xp antispy



Ähnliche Themen: trojan-spy.win32.greenscreen


  1. 2 Trojaner eingefangen durch E-Mail-Anhänge // Trojan-Banker.Win32.Agent.ubo und Trojan.Win32.Yakes.ghny
    Log-Analyse und Auswertung - 19.07.2015 (28)
  2. Kaspersky findet Backdoor.Win32.Zaccess, Trojan-Ransom.Win32.Gimeno, Trojan.Win32.Inject
    Log-Analyse und Auswertung - 01.02.2014 (17)
  3. Windows 8.1: Trojan:Win32/Meredrop, Trojan:Win32/Malagent, Trojan:Win32/Matsnu.L und Worm:Win32/Ainslot.A
    Log-Analyse und Auswertung - 19.01.2014 (5)
  4. Desinfizierung durch Kaspersky nicht möglich: Trojan.Win32.Bromngr.k, HEUR:Trojan.Win32.Generic, Trojan-Downloader.Win32.MultiDL.I
    Plagegeister aller Art und deren Bekämpfung - 28.11.2013 (1)
  5. Trojan:Win32/Alureon.FL | PWS:Win32/Fareit.A | Trojan:Win32/Sirefef.P....Auch MBR infiziert?
    Plagegeister aller Art und deren Bekämpfung - 06.01.2012 (7)
  6. Trojan-Spy.Win32.Pophot.gzv / Trojan.Win32.Buzus.alwl / Virus.Win32.Virut.ce
    Plagegeister aller Art und deren Bekämpfung - 19.02.2009 (1)
  7. trojan-spy.win32.greenscreen usw.
    Plagegeister aller Art und deren Bekämpfung - 15.10.2008 (1)
  8. Mehrere Trojaner gefunden "trojan-spy.win32.greenscreen"....
    Plagegeister aller Art und deren Bekämpfung - 13.10.2008 (38)
  9. Dropper.Gen,Trojan-Spy.Win32.GreenScreen:Bitte um Hilfe!
    Log-Analyse und Auswertung - 11.10.2008 (0)
  10. Trojaner: Win32.KeyLogger, Win32.GreenScreen,Win32.Agent, Win32Tiny, HTML.Bankfraud
    Log-Analyse und Auswertung - 29.09.2008 (1)
  11. FakeAlert Trojan-Spy.Win32.GreenScreen etc.
    Plagegeister aller Art und deren Bekämpfung - 18.09.2008 (8)
  12. Trojan-Spy.Win32.GreenScreen
    Mülltonne - 16.09.2008 (0)
  13. trojan-spy.win32.greenscreen öffnet pop ups und ändert hintergrundbild
    Plagegeister aller Art und deren Bekämpfung - 16.09.2008 (3)
  14. Mehrer Trojaner gefunden "Trojan-Spy.Win32.GreenScreen" ...
    Plagegeister aller Art und deren Bekämpfung - 14.09.2008 (3)
  15. Trojan-Spy.Win32.GreenScreen
    Plagegeister aller Art und deren Bekämpfung - 04.09.2008 (7)
  16. Windows Security Alert / Mehrere Trojaner gefunden u.a. Trojan-Spy.Win32.GreenScreen
    Plagegeister aller Art und deren Bekämpfung - 01.09.2008 (12)
  17. brauch hilfe bei: Win32/Oleloa.gen!, Trojan.Win32.Golid.g, Trojan.Win32.Small.ev
    Plagegeister aller Art und deren Bekämpfung - 29.11.2005 (1)

Zum Thema trojan-spy.win32.greenscreen - Hallo Trojanerexperten, ich habe mir den trojaner trojan-spy.win32.greenscreen eingefangen. oder auch dieses xp antispy 2009. es meldet zumindest ein weißes kreuz in rotem kreis in der symbolleiste. ich habe antivir, - trojan-spy.win32.greenscreen...
Archiv
Du betrachtest: trojan-spy.win32.greenscreen auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.