|
Avira Antivirus Premium 2012: Funde von TR/ATRAPS.GEN TR/ATRAPS.GEN2 TR/Sirefef.P.666 BDS/ZAccess.T Hallo, seit gestern früh tauchte erstmals bei Avira Antivirus Premium 2012 der Fund von TR/ATRAPS.GEN und TR/ATRAPS.GEN2 auf. Diese wurde in Qurantäne verschoben. In unregelmäßigen Abständen tauchte dann wieder die Info über diese Trojaner auf, jedesmal mit dem Verschieben in Quarantäne. Im Zuge eines Avira Systemchecks wurden dann auch TR/Sirefef.P.666 sowie BDS/ZAccess.T und TR/Ransom.Birele.yaa entdeckt. Nachdem Avira beim Fund von TR/ATRAPS.GEN das Schadenspotential als niedrig angab, habe ich mir erstmal keine größeren Sorgen gemacht. Nach dem Besuch hier und dem Fund der anderen 3 Schädlinge habe ich mein Online Banking Account gestern Abend sperren lassen. Der Laptop wird fast nur zum Surfen, Onlinebanking, Onlineshopping benutzt. Größere private Datenmengen sind nicht vorhanden. Meine gespeicherten Fotos sind fast alle auf einer externen Festplatte gesichert. Anbei die Logfiles streng nach den Anweisungen des Forums. Ich gehe davon aus, dass ich wohl die Festplatte C formatieren muss. Ich warte auf die Anweisungen der hier anwesenden Experten. Grüße, Ucbblue OTL.txt: OTL logfile created on: 21.07.2012 22:43:50 - Run 1 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Martin & Sandra\Desktop Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 0,94 Gb Available Physical Memory | 47,08% Memory free 4,21 Gb Paging File | 2,94 Gb Available in Paging File | 69,74% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 92,77 Gb Total Space | 37,02 Gb Free Space | 39,90% Space Free | Partition Type: NTFS Drive E: | 92,07 Gb Total Space | 87,70 Gb Free Space | 95,25% Space Free | Partition Type: NTFS Drive F: | 701,45 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: MARTINSANDRA-PC | User Name: Martin & Sandra | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012.07.21 22:42:42 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Martin & Sandra\Desktop\OTL.exe PRC - [2012.06.29 20:50:42 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2012.06.29 20:49:55 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avwebgrd.exe PRC - [2012.06.29 20:49:54 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avshadow.exe PRC - [2012.06.29 20:49:46 | 000,375,760 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avmailc.exe PRC - [2012.06.29 20:49:45 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2012.06.29 20:49:44 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2009.04.11 08:28:03 | 001,233,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Sidebar\sidebar.exe PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe PRC - [2008.01.29 19:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe PRC - [2008.01.29 16:00:40 | 000,430,080 | ---- | M] () -- C:\Programme\TOSHIBA\TOSCDSPD\TOSCDSPD.exe PRC - [2008.01.22 14:25:26 | 000,712,704 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\FlashCards\TCrdMain.exe PRC - [2008.01.21 16:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe PRC - [2008.01.21 04:33:00 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe PRC - [2008.01.17 16:27:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\TOSHIBA\Power Saver\TPwrMain.exe PRC - [2008.01.17 16:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- c:\Programme\TOSHIBA\Power Saver\TosCoSrv.exe PRC - [2008.01.09 14:02:08 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe PRC - [2007.12.25 13:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe PRC - [2007.12.25 13:06:52 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\TOSHIBA\ConfigFree\CFSwMgr.exe PRC - [2007.12.03 17:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- c:\Programme\TOSHIBA\SMARTLogService\TosIPCSrv.exe PRC - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe PRC - [2006.08.23 16:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Programme\Common Files\Ulead Systems\DVD\ULCDRSvr.exe ========== Modules (No Company Name) ========== Extra.txt: OTL Extras logfile created on: 21.07.2012 22:43:50 - Run 1 OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Martin & Sandra\Desktop Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 1,99 Gb Total Physical Memory | 0,94 Gb Available Physical Memory | 47,08% Memory free 4,21 Gb Paging File | 2,94 Gb Available in Paging File | 69,74% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 92,77 Gb Total Space | 37,02 Gb Free Space | 39,90% Space Free | Partition Type: NTFS Drive E: | 92,07 Gb Total Space | 87,70 Gb Free Space | 95,25% Space Free | Partition Type: NTFS Drive F: | 701,45 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF Computer Name: MARTINSANDRA-PC | User Name: Martin & Sandra | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation) .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) .html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation) exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software) https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software) inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 0 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "EnableFirewall" = 1 "DisableNotifications" = 0 ========== Authorized Applications List ========== ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{42737AD4-3979-4591-9837-BE9B07B16D6D}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | "{42915676-8DA1-43EF-9554-9FDC996E6BD9}" = protocol=17 | dir=in | app=c:\program files\opera\pluginwrapper\opera_plugin_wrapper.exe | "{566766B6-E0BE-449C-A09E-234FC474E91E}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | "{5D03CC1C-CFFA-46B3-8970-C7D542DB740F}" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | "{8B1A6C7F-95AA-414B-B637-306710BCE471}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "{98477E87-C9F1-47EA-9DC0-413C3E3C785A}" = protocol=6 | dir=in | app=c:\program files\opera\pluginwrapper\opera_plugin_wrapper.exe | "{9E825C16-B5E3-4E84-A3EF-0658500FB399}" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | "{B0A865D3-490B-421C-A7E0-2BE8D2C6E5F5}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | "TCP Query User{73C6E444-B564-49C6-A700-CED15B2B3B29}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe | "UDP Query User{D5663088-EE82-4398-A7BD-F91762E058D6}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{052FDD78-A6EA-3187-8386-C82F4CA3A929}" = Microsoft .NET Framework 3.5 Language Pack SP1 - deu "{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update "{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 "{2290A680-4083-410A-ADCC-7092C67FC052}" = Toshiba Online Product Information "{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 33 "{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3 "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5 "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE "{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant "{39D0E034-1042-4905-BECB-5502909FCB7C}" = Microsoft Works "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery "{56995235-B76E-44A6-BA17-8FF13D3F907A}" = TOSHIBA Benutzerhandbücher "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp "{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator "{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm "{6AFCA4E1-9B78-3640-8F72-A7BF33448200}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 "{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{735DEB9C-61BD-4D31-994B-92395BBB4E45}" = Microsoft XML Parser "{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree "{7988ba74-4a27-4685-991a-53f072f22808}" = F2200_Help "{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007 "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007 "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007 "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007 "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007 "{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007 "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007 "{90120000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2007 "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007 "{95120000-00AF-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (German) "{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer "{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status "{A1973A71-BC23-4A8C-A0A0-2B0497B7EAF4}" = WISO Sparbuch 2008 "{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC76BA86-7AD7-1031-7B44-A81000000003}" = Adobe Reader 8.1.0 - Deutsch "{AC76BA86-7AD7-1031-7B44-A82000000003}" = Adobe Reader 8.2.0 - Deutsch "{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser "{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator "{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply "{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5 "{c6922d7f-c698-4d9e-9671-8b3de04d1511}" = DJ_AIO_03_F2200_Software_Min "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch "{D77D43B5-ED55-426b-B67B-E21F804F6102}" = HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3 "{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component "{db18dc72-cd20-4801-be82-f5d2caeec4d7}" = DJ_AIO_03_F2200_Software "{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01 "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9-Reihe "{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher "{e97a9fd7-2fa1-4474-820d-3f8893a5b78a}" = F2200 "{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support "{eca3039b-e429-420f-bd5e-7dec0683fc32}" = DJ_AIO_03_F2200_ProductContext "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer "{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA "{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy "{F750C986-5310-3A5A-95F8-4EC71C8AC01C}" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin "Amazon MP3-Downloader" = Amazon MP3-Downloader 1.0.9 "Avira AntiVir Desktop" = Avira Antivirus Premium 2012 "CNXT_MODEM_PCI_VEN_14F1&DEV_2C06&SUBSYS_14F10000" = HDAUDIO Soft Data Fax Modem with SmartCP "ElsterFormular 12.4.1.7699p" = ElsterFormular "ElsterFormular 2008 - 2009 2008-2009" = ElsterFormular 2008 - 2009 "Firebird SQL Server D" = Firebird SQL Server - MAGIX Edition 2.0.0.1 (D) "HDMI" = Intel(R) Graphics Media Accelerator Driver "HOMESTUDENTR" = Microsoft Office Home and Student 2007 "HP Imaging Device Functions" = HP Imaging Device Functions 10.0 "HP Photosmart Essential" = HP Photosmart Essential 2.5 "HP Smart Web Printing" = HP Smart Web Printing "HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0 "HPExtendedCapabilities" = HP Customer Participation Program 10.0 "InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center "InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TRDCReminder "InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}" = TRORDCLauncher "InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package "MAGIX Digital Foto Maker SE D" = MAGIX Digital Foto Maker SE 4.1.0.835 (D) "MAGIX Foto Suite D" = MAGIX Foto Suite 1.12.0.89 (D) "MAGIX Online Druck Service D" = MAGIX Online Druck Service 2.3.2.0 (D) "Microsoft .NET Framework 3.5 Language Pack SP1 - deu" = Microsoft .NET Framework 3.5 Language Pack SP1 - DEU "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Microsoft .NET Framework 4 Client Profile DEU Language Pack" = Microsoft .NET Framework 4 Client Profile DEU Language Pack "Opera 12.00.1467" = Opera 12.00 "Picasa 3" = Picasa 3 "Ravensburger tiptoi" = Ravensburger tiptoi "Shop for HP Supplies" = Shop for HP Supplies "SynTPDeinstKey" = Synaptics Pointing Device Driver "Windows Media Encoder 9" = Windows Media Encoder 9-Reihe "YTdetect" = Yahoo! Detect ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 10.07.2012 12:54:06 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 11.07.2012 15:21:24 | Computer Name = MartinSandra-PC | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, Ausnahmecode 0xc0000005, Fehleroffset 0x000032db, Prozess-ID 0x7f8, Anwendungsstartzeit 01cd5f9a566e7492. Error - 11.07.2012 15:21:56 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 12.07.2012 03:21:44 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 12.07.2012 03:22:21 | Computer Name = MartinSandra-PC | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, Ausnahmecode 0xc0000005, Fehleroffset 0x000032db, Prozess-ID 0x45c, Anwendungsstartzeit 01cd5ffed12a9a00. Error - 12.07.2012 04:47:01 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 12.07.2012 12:09:58 | Computer Name = MartinSandra-PC | Source = Application Error | ID = 1000 Description = Fehlerhafte Anwendung HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, fehlerhaftes Modul HpqSRmon.exe, Version 10.0.0.202, Zeitstempel 0x46c64b4e, Ausnahmecode 0xc0000005, Fehleroffset 0x000032db, Prozess-ID 0x5bc, Anwendungsstartzeit 01cd6048c14c76b5. Error - 12.07.2012 12:10:34 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 12.07.2012 14:48:55 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = Error - 13.07.2012 10:38:08 | Computer Name = MartinSandra-PC | Source = WinMgmt | ID = 10 Description = [ System Events ] Error - 19.07.2012 05:00:19 | Computer Name = MartinSandra-PC | Source = DCOM | ID = 10010 Description = Error - 19.07.2012 07:19:06 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7022 Description = Error - 19.07.2012 07:52:26 | Computer Name = MartinSandra-PC | Source = RasMan | ID = 20062 Description = Interner Fehler: Das Trennen an PPPoE2-0 endete zwar vollständig, aber mit einem Fehler. PPPoE2-0 Error - 19.07.2012 08:09:07 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7011 Description = Error - 19.07.2012 13:57:57 | Computer Name = MartinSandra-PC | Source = RasMan | ID = 20062 Description = Interner Fehler: Das Trennen an PPPoE2-0 endete zwar vollständig, aber mit einem Fehler. PPPoE2-0 Error - 20.07.2012 09:07:10 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7022 Description = Error - 20.07.2012 13:40:32 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7011 Description = Error - 21.07.2012 03:26:16 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7022 Description = Error - 21.07.2012 04:40:36 | Computer Name = MartinSandra-PC | Source = DCOM | ID = 10010 Description = Error - 21.07.2012 11:38:43 | Computer Name = MartinSandra-PC | Source = Service Control Manager | ID = 7022 Description = < End of report > Gmer.txt: GMER 1.0.15.15641 - hxxp://www.gmer.net Rootkit scan 2012-07-21 23:51:56 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.DK02 Running: it9drury.exe; Driver: C:\Users\MARTIN~1\AppData\Local\Temp\kxkyafob.sys ---- System - GMER 1.0.15 ---- SSDT 8A94BA2E ZwCreateSection SSDT 8A94BA06 ZwCreateSymbolicLinkObject SSDT 8A94BA0B ZwLoadDriver SSDT 8A94BA01 ZwOpenSection SSDT 8A94BA38 ZwRequestWaitReplyPort SSDT 8A94BA33 ZwSetContextThread SSDT 8A94BA3D ZwSetSecurityObject SSDT 8A94BA10 ZwSetSystemInformation SSDT 8A94BA42 ZwSystemDebugControl SSDT 8A94B9CF ZwTerminateProcess SSDT 8A94B9CA ZwWriteVirtualMemory ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 215 820C48D8 4 Bytes [2E, BA, 94, 8A] .text ntkrnlpa.exe!KeSetEvent + 21D 820C48E0 4 Bytes [06, BA, 94, 8A] .text ntkrnlpa.exe!KeSetEvent + 37D 820C4A40 4 Bytes [0B, BA, 94, 8A] .text ntkrnlpa.exe!KeSetEvent + 3FD 820C4AC0 4 Bytes [01, BA, 94, 8A] .text ntkrnlpa.exe!KeSetEvent + 539 820C4BFC 4 Bytes [38, BA, 94, 8A] .text ... .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8835A000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x883A3000, 0x510, 0x40000040] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernelmodustreiber-Frameworklaufzeit/Microsoft Corporation) ---- EOF - GMER 1.0.15 ---- und die Auswertung von Malwarebytes: Malwarebytes Anti-Malware (Test) 1.62.0.1300 www.malwarebytes.org Datenbank Version: v2012.07.22.03 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 Martin & Sandra :: MARTINSANDRA-PC [Administrator] Schutz: Aktiviert 22.07.2012 10:37:36 mbam-log-2012-07-22 (10-37-36).txt Art des Suchlaufs: Quick-Scan Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM Deaktivierte Suchlaufeinstellungen: P2P Durchsuchte Objekte: 182989 Laufzeit: 11 Minute(n), 9 Sekunde(n) Infizierte Speicherprozesse: 0 (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: 0 (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: 1 HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Registrierungswerte: 1 HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Daten: C:\Users\Martin & Sandra\AppData\Local\{b30ac7e4-b48e-0006-7cf0-cb9f7edea8e2}\n. -> Erfolgreich gelöscht und in Quarantäne gestellt. Infizierte Dateiobjekte der Registrierung: 0 (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: 0 (Keine bösartigen Objekte gefunden) Infizierte Dateien: 0 (Keine bösartigen Objekte gefunden) (Ende) |
Hallo und Herzlich Willkommen! :) Habe leider schlechte Nachricht für Dich, da hast Du Dir ein grausliches Tierchen eingefangenhttp://www.world-of-smilies.com/wos_sonstige/crying.gif: Zitat:
Da würde ich an Deiner Stelle das System gleich neu installieren, da die Bekämpfung diese neue Art der Infektion ohne div. Nebenwirkungen und hinterlassenen Schaden, die immer wieder [auf verschiedene Weise] Probleme bereiten können, ist nicht möglich! - einen Backdoor mit Rootkitfunktionalität http://www.world-of-smilies.com/wos_sonstige/crying.gif diese Malware verwendet Rootkit-Technologie und Backdoor-Routine *was sind Backdoors und Rootkits* Verhaltensweise: "speicherresident" Zitat:
Tipps & Rat: ➊ Datensicherung: ► NUR Daten sichern, die nicht ausführbaren Dateien enthalten - Dateiendungen - Dies ist eine Liste von Dateiendungen, die Dateien mit ausführbarem Code bezeichnen können. - Vorsicht mit den schon vorhandenen Dateien auf die extern gespeicherten Daten und auch jetzt mit dem Virus infizierte Dateien eine Datensicherung anzufertigen - Am besten alles was dir sehr wichtig, separat (extern) sichern - nicht mischen eventuell früher geschicherten Daten, also vor dem Befall! - Eventuell gecrackte Software nicht sichern und dann auf neu aufgesetztem System wieder drauf installieren! - Vor zurückspielen - bevor du mit deinem PC direkt ins Netz gehst...: - die Autoplay-Funktion für alle Laufwerke deaktivieren/ausschalten -> Autorun/Autoplay gezielt für Laufwerkstypen oder -buchstaben abschalten Die auf eine externe Festplatte gesicherten Daten, gründlich zu scannen von einem suaberen System aus, am besten mit mehreren Scannern-> Kostenlose Online Scanner - Anleitung Absolut empfehlenswerter Scanner: Zitat:
➋ -> Anleitung: Neuaufsetzen des Systems + Absicherung -> Anleitung zum Neuaufsetzen - Windows XP, Vista und Win7 ➌ Ich würde Dir vorsichtshalber raten, dein Passwort zu ändern z.B. Login-, Mail- oder Website-Passwörter Tipps: Die sichere Passwort-Wahl - (sollte man eigentlich regelmäßigen Abständen ca. alle 3-5 Monate ändern) auch noch hier unter: Sicheres Kennwort (Password) gruß kira |
Hallo Kira, vielen Dank für die Analyse der Log-Files und die Lösungsvorschläge. Der Support von Avira schlägt mir vor mein system mittels Rescue CD wiederherzustellen. Ich werde jedoch meine Festplatte komplett formatieren und mein System neu aufspielen. Grüße, Ucbblue |
Zitat:
alles Gute! gruß kira |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 12:58 Uhr. |
Copyright ©2000-2024, Trojaner-Board