Log Analysis and Evaluation: TR/Crypt.XPACK.Gen / spyware.spyeyes
14.11.2010, 13:15   #1
Carlsson

TR/Crypt.XPACK.Gen / spyware.spyeyes

Hello,

I am asking for help or support. I was abroad for three weeks, went online via free WiFi, and apparently caught something in the process. Antivir reported today that it had found the trojan TR/Crypt.XPACK.Gen. Antivir was able to move it to quarantine. A second scan produced no further result. A Spybot scan found nothing either.

Malwarebytes Anti-Malware found two more items in the quick scan:

Infizierte Verzeichnisse:
C:\extensions.exe (Spyware.SpyEyes) -> No action taken.

Infizierte Dateien:
C:\extensions.exe\config.bin (Spyware.SpyEyes) -> No action taken.

Antimalware was also able to fix the problem. Another scan produced no further result.

This is the HijackThis result now:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:36:10, on 14.11.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\GMX\GMX SMS-Manager\SMSMngr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Users\Christian\Downloads\HiJackThis204.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN, Messenger und Hotmail sowie Nachrichten, Unterhaltung, Video, Sport, Lifestyle, Finanzen, Auto uvm. bei MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN, Messenger und Hotmail sowie Nachrichten, Unterhaltung, Video, Sport, Lifestyle, Finanzen, Auto uvm. bei MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN, Messenger und Hotmail sowie Nachrichten, Unterhaltung, Video, Sport, Lifestyle, Finanzen, Auto uvm. bei MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [GMX SMS-Manager] C:\Program Files\GMX\GMX SMS-Manager\SMSMngr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Senden an Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8406 bytes


I hope you can help me and tell me how things stand with my netbook. The operating system is Windows 7.

Many thanks.
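As an added example (not code from this thread, from HijackThis or from Trojaner-Board), the following Python script parses HijackThis O2/O4/O23 lines into structured records and applies one simple triage rule: an autostart item, BHO or service whose binary lives outside the usual install directories is flagged for a closer look. The first four sample lines are copied from the log above; the fifth is constructed for the example from the C:\extensions.exe path that Malwarebytes reported in the same post. The list of "trusted" directory prefixes is an assumption of this example, not a rule used by HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample HijackThis lines. The first four are copied from the log posted in
# this thread; the last one is CONSTRUCTED for this example, using the
# C:\extensions.exe path that Malwarebytes reported in the same post.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O4 - HKCU\..\Run: [extensions] C:\extensions.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O4", "O23", "O2"
    name: str      # display name of the autostart item, BHO or service
    path: str      # file the entry points to ("" if the line has no path)


LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
# A drive-letter or %VAR% path, taken from its first character to end of line
PATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\.*")
EXT_RE = re.compile(r"\.(?:exe|dll|scr|com|bat|cmd|htm|html)\b", re.IGNORECASE)


def extract_path(text: str) -> str:
    """Return the file path referenced in a line tail, without quotes or arguments."""
    m = PATH_RE.search(text)
    if not m:
        return ""
    candidate = m.group(0)
    if text[m.start() - 1:m.start()] == '"':     # quoted path: ends at the closing quote
        end = candidate.find('"')
        return candidate[:end] if end >= 0 else candidate
    e = EXT_RE.search(candidate)                  # unquoted: ends after the file extension
    return candidate[:e.end()] if e else candidate


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line into an Entry; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch
        n = re.search(r"\[(?P<name>[^\]]*)\]", rest)
        name = n.group("name").strip() if n else ""
    else:
        # O2 - BHO: Name - {CLSID} - path   /   O23 - Service: Name (svc) - Vendor - path
        body = rest.split(": ", 1)[1] if ": " in rest else rest
        name = body.split(" - ", 1)[0].strip()
    return Entry(sec, name, extract_path(rest))


# Assumed baseline for this example: binaries under these prefixes are treated
# as expected; anything else that autostarts gets flagged for a closer look.
TRUSTED_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\progra~", "%programfiles%\\",
)


def is_suspicious(entry: Entry) -> bool:
    """Autostart/service/BHO binary located outside the usual install directories."""
    p = entry.path.lower()
    return bool(p) and not p.startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> List[Entry]:
    """Return the O2/O4/O23 entries worth a second look, in log order."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries
            if e and e.section in ("O2", "O4", "O23") and is_suspicious(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name:<20} -> {e.path}")
```

Run against the constructed sample, only the drive-root `C:\extensions.exe` entry is returned; everything under Program Files passes. The rule is deliberately coarse (a dropper can also sit under Program Files, and legitimate tools run from the user profile), so its output is a reading aid for a log like the one above, not a verdict.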

14.11.2010, 14:03   #2
markusg
/// Malware-holic

Can you post the Avira detection?
Do you do online banking / online shopping?
Or any other important activities?

14.11.2010, 14:13   #3
Carlsson

Many thanks for the reply.

Here is the Antivir log:



Avira AntiVir Personal
Report file date: Samstag, 13. November 2010 19:05

Scanning for 3043866 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHRISTIAN-MOBIL

Version information:
BUILD.DAT : 10.0.0.592 31823 Bytes 09.08.2010 11:00:00
AVSCAN.EXE : 10.0.3.1 434344 Bytes 02.11.2010 14:13:47
AVSCAN.DLL : 10.0.3.0 46440 Bytes 01.04.2010 11:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 07.03.2010 17:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10.02.2010 22:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06.11.2009 08:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19.11.2009 18:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20.01.2010 16:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 26.01.2010 15:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05.03.2010 10:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15.04.2010 13:16:02
VBASE006.VDF : 7.10.7.218 2294784 Bytes 02.06.2010 13:16:03
VBASE007.VDF : 7.10.9.165 4840960 Bytes 23.07.2010 13:16:05
VBASE008.VDF : 7.10.11.133 3454464 Bytes 13.09.2010 13:16:08
VBASE009.VDF : 7.10.13.80 2265600 Bytes 02.11.2010 14:33:23
VBASE010.VDF : 7.10.13.81 2048 Bytes 02.11.2010 14:33:24
VBASE011.VDF : 7.10.13.82 2048 Bytes 02.11.2010 14:33:24
VBASE012.VDF : 7.10.13.83 2048 Bytes 02.11.2010 14:33:30
VBASE013.VDF : 7.10.13.116 147968 Bytes 04.11.2010 12:56:22
VBASE014.VDF : 7.10.13.147 146944 Bytes 07.11.2010 15:11:08
VBASE015.VDF : 7.10.13.180 123904 Bytes 09.11.2010 23:36:46
VBASE016.VDF : 7.10.13.211 122368 Bytes 11.11.2010 15:34:52
VBASE017.VDF : 7.10.13.212 2048 Bytes 11.11.2010 15:34:53
VBASE018.VDF : 7.10.13.213 2048 Bytes 11.11.2010 15:34:53
VBASE019.VDF : 7.10.13.214 2048 Bytes 11.11.2010 15:34:54
VBASE020.VDF : 7.10.13.215 2048 Bytes 11.11.2010 15:34:54
VBASE021.VDF : 7.10.13.216 2048 Bytes 11.11.2010 15:34:54
VBASE022.VDF : 7.10.13.217 2048 Bytes 11.11.2010 15:34:54
VBASE023.VDF : 7.10.13.218 2048 Bytes 11.11.2010 15:34:54
VBASE024.VDF : 7.10.13.219 2048 Bytes 11.11.2010 15:34:55
VBASE025.VDF : 7.10.13.220 2048 Bytes 11.11.2010 15:34:55
VBASE026.VDF : 7.10.13.221 2048 Bytes 11.11.2010 15:34:55
VBASE027.VDF : 7.10.13.222 2048 Bytes 11.11.2010 15:34:55
VBASE028.VDF : 7.10.13.223 2048 Bytes 11.11.2010 15:34:56
VBASE029.VDF : 7.10.13.224 2048 Bytes 11.11.2010 15:34:56
VBASE030.VDF : 7.10.13.225 2048 Bytes 11.11.2010 15:34:56
VBASE031.VDF : 7.10.13.237 73728 Bytes 13.11.2010 18:02:23
Engineversion : 8.2.4.98
AEVDF.DLL : 8.1.2.1 106868 Bytes 10.10.2010 13:16:17
AESCRIPT.DLL : 8.1.3.46 1364347 Bytes 03.11.2010 14:37:15
AESCN.DLL : 8.1.6.1 127347 Bytes 10.10.2010 13:16:16
AESBX.DLL : 8.1.3.1 254324 Bytes 10.10.2010 13:16:18
AERDL.DLL : 8.1.9.2 635252 Bytes 10.10.2010 13:16:16
AEPACK.DLL : 8.2.3.11 471416 Bytes 13.10.2010 17:32:10
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 10.10.2010 13:16:15
AEHEUR.DLL : 8.1.2.41 3043703 Bytes 12.11.2010 15:36:02
AEHELP.DLL : 8.1.14.0 246134 Bytes 13.10.2010 17:32:07
AEGEN.DLL : 8.1.3.24 401781 Bytes 03.11.2010 14:35:30
AEEMU.DLL : 8.1.2.0 393588 Bytes 10.10.2010 13:16:13
AECORE.DLL : 8.1.17.0 196982 Bytes 10.10.2010 13:16:13
AEBB.DLL : 8.1.1.0 53618 Bytes 10.10.2010 13:16:13
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14.01.2010 11:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14.01.2010 11:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18.02.2010 15:47:40
AVREG.DLL : 10.0.3.2 53096 Bytes 02.11.2010 14:13:47
AVSCPLR.DLL : 10.0.3.1 83816 Bytes 02.11.2010 14:13:47
AVARKT.DLL : 10.0.0.14 227176 Bytes 01.04.2010 11:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26.01.2010 08:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28.01.2010 11:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16.03.2010 14:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19.02.2010 13:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28.01.2010 12:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 02.11.2010 14:13:46

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Samstag, 13. November 2010 19:05

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\downloadexpirationtime
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\iphlpsvc\Teredo\PreviousState\00-1f-3f-28-93-c8\clientlocalport
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\iphlpsvc\Teredo\PreviousState\00-1f-3f-28-93-c8\addresscreationtimestamp
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\iphlpsvc\Teredo\PreviousState\00-1f-3f-28-93-c8\teredoaddress
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\usezerobroadcast
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\enabledeadgwdetect
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\enabledhcp
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\nameserver
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\nameserver
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\registrationenabled
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\registeradaptername
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpipaddress
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpsubnetmask
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpserver
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpserver
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\lease
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\leaseobtainedtime
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\t1
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\t2
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\leaseterminatestime
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\addresstype
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\isservernapaware
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpconnforcebroadcastflag
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpnetworkhint
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpinterfaceoptions
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpgatewayhardware
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpgatewayhardwarecount
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpdomain
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpdefaultgateway
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet002\services\Tcpip\Parameters\Interfaces\{44140F89-66DF-4399-8410-7D86156E39CF}\64259445A51224F6870264F6E60275C414E40273237303\dhcpsubnetmaskopt
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'MsiExec.exe' - '50' Module(s) have been scanned
Scan process 'msiexec.exe' - '81' Module(s) have been scanned
Scan process 'Setup.exe' - '64' Module(s) have been scanned
Scan process 'dotNetFx40_Client_x86.exe' - '28' Module(s) have been scanned
Scan process 'wuauclt.exe' - '46' Module(s) have been scanned
Scan process 'SearchFilterHost.exe' - '58' Module(s) have been scanned
Scan process 'UI0Detect.exe' - '27' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '47' Module(s) have been scanned
Scan process 'wuauclt.exe' - '44' Module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '47' Module(s) have been scanned
Scan process 'svchost.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '28' Module(s) have been scanned
Scan process 'vssvc.exe' - '52' Module(s) have been scanned
Scan process 'avscan.exe' - '82' Module(s) have been scanned
Scan process 'svchost.exe' - '57' Module(s) have been scanned
Scan process 'avcenter.exe' - '77' Module(s) have been scanned
Scan process 'DllHost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '59' Module(s) have been scanned
Scan process 'iPodService.exe' - '33' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '115' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '23' Module(s) have been scanned
Scan process 'SSScheduler.exe' - '20' Module(s) have been scanned
Scan process 'BTTray.exe' - '50' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '74' Module(s) have been scanned
Scan process 'SMSMngr.exe' - '85' Module(s) have been scanned
Scan process 'sidebar.exe' - '95' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '65' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
Scan process 'ETDCtrl.exe' - '33' Module(s) have been scanned
Scan process 'fpassist.exe' - '85' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '29' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '16' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '35' Module(s) have been scanned
Scan process 'avgnt.exe' - '70' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'igfxpers.exe' - '32' Module(s) have been scanned
Scan process 'hkcmd.exe' - '28' Module(s) have been scanned
Scan process 'igfxtray.exe' - '29' Module(s) have been scanned
Scan process 'Explorer.EXE' - '169' Module(s) have been scanned
Scan process 'Dwm.exe' - '32' Module(s) have been scanned
Scan process 'taskhost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'conhost.exe' - '14' Module(s) have been scanned
Scan process 'avshadow.exe' - '31' Module(s) have been scanned
Scan process 'btwdins.exe' - '30' Module(s) have been scanned
Scan process 'WLIDSvcM.exe' - '17' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '47' Module(s) have been scanned
Scan process 'WLIDSVC.EXE' - '78' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '69' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '40' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '33' Module(s) have been scanned
Scan process 'avguard.exe' - '67' Module(s) have been scanned
Scan process 'svchost.exe' - '62' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned
Scan process 'spoolsv.exe' - '103' Module(s) have been scanned
Scan process 'svchost.exe' - '95' Module(s) have been scanned
Scan process 'svchost.exe' - '83' Module(s) have been scanned
Scan process 'svchost.exe' - '176' Module(s) have been scanned
Scan process 'svchost.exe' - '115' Module(s) have been scanned
Scan process 'svchost.exe' - '94' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '52' Module(s) have been scanned
Scan process 'lsm.exe' - '16' Module(s) have been scanned
Scan process 'lsass.exe' - '68' Module(s) have been scanned
Scan process 'winlogon.exe' - '31' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'wininit.exe' - '26' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '380' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\System Volume Information\_restore{4E6033BC-2E0B-41AA-A598-1B4507984BBE}\RP128\A0042191.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'D:\'

Beginning disinfection:
C:\System Volume Information\_restore{4E6033BC-2E0B-41AA-A598-1B4507984BBE}\RP128\A0042191.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '490413dd.qua'.


End of the scan: Sonntag, 14. November 2010 11:17
Used time: 3:19:07 Hour(s)

The scan has been done completely.

19399 Scanned directories
318364 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
318363 Files not concerned
1928 Archives were scanned
0 Warnings
1 Notes
574748 Objects were scanned with rootkit scan
30 Hidden objects were found



I do online banking and also buy online now and then.

Otherwise no important activities.

14.11.2010, 14:18   #4
markusg
/// Malware-holic

Well, isn't online banking important? :D
You have to call the bank; it has to be blocked. The trojan you are dealing with is not one to be taken lightly :-)
Personally, I would reinstall, so that you can do online banking etc. safely again.
I will help you secure the system; that also includes a backup, so that the next time it gets infected you can restore the system within 5 minutes.

14.11.2010, 14:30   #5
Carlsson

Online banking is already blocked. The first hint also came from my bank adviser. It was blocked as a precaution because there had been an attempt to spy out data. Antivir only reported this several days later. Spybot found nothing.

I will probably reinstall. I did bootkit checks and found no problems. Reinstalling is always so tedious with the netbook without a DVD/CD drive.


14.11.2010, 15:00   #6
markusg
/// Malware-holic

You have a recovery partition, I assume? What netbook is it? The exact model, please.