Trojaner-Board
Seite 1 von 4 1 23 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Polizeivirus Österreich vom 2.8.12 (https://www.trojaner-board.de/121125-polizeivirus-osterreich-2-8-12-a.html)

kasta63 03.08.2012 10:02
Polizeivirus Österreich vom 2.8.12
 
Hallo liebes Trojaner Board Team,

Ich habe mir gestern den Polizeivirus eingefangen.
Nachdem ich einige andere Erfahrungsberichte mit diesem Trojaner in eurem Forum gelesen habe, habe ich gestern Abend noch einen Quickscan mit Malwarebytes und heute Morgen einen vollständigen Scan mit OTL durchgeführt. Die Ergebnisse befinden sich im Anhang.

Vielen Dank für eure Hilfe
Alex

t'john 03.08.2012 14:15
:hallo:

1. Schritt

Bitte einen Vollscan mit Malwarebytes Anti-Malware machen und Log posten.
Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!

Malwarebytes Anti-Malware
- Anwendbar auf Windows 2000, XP, Vista und 7.
- Installiere das Programm in den vorgegebenen Pfad.
- Aktualisiere die Datenbank!
- Aktiviere "Komplett Scan durchführen" => Scan.
- Wähle alle verfügbaren Laufwerke (ausser CD/DVD) aus und starte den Scan.
- Funde bitte löschen lassen oder in Quarantäne.
- Wenn der Scan beendet ist, klicke auf "Zeige Resultate".

2. Schritt
Systemscan mit OTL (bebilderte Anleitung)

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop ( falls noch nicht vorhanden)- Doppelklick auf die OTL.exe

  • Vista und Win7 User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Wähle Scanne Alle Benuzer
  • Oben findest Du ein Kästchen mit Ausgabe. Wähle bitte Minimale Ausgabe
  • Unter Extra Registrierung, wähle bitte Benutze SafeList
  • Klicke nun auf Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles hier in den Thread.

kasta63 03.08.2012 18:27
hi t'john,

danke erstmal für die schnelle antwort.
anbei die berichte der scans von malwarebytes und otl. da ich malwarebytes nicht aktualisieren konnte habe ich die mbam-rules.exe datei von dieser homepage verwendet. otl habe ich wie in deinem post angegeben durchgeführt aber nur ein logfile erhalten. die nicht im post angegebenen einstellungen von otl habe ich nicht verändert.

alex

t'john 04.08.2012 15:44
Dein Rechner hat eine sehr Spezielle Infektion!
Ein Kollege wird sich hier dazu melden ;)


Fixen mit OTL

Lade (falls noch nicht vorhanden) OTL von Oldtimer herunter und speichere es auf Deinem Desktop (nicht woanders hin).

  • Deaktiviere etwaige Virenscanner wie Avira, Kaspersky etc.
  • Starte die OTL.exe.
    Vista- und Windows 7-User starten mit Rechtsklick auf das Programm-Icon und wählen "Als Administrator ausführen".
  • Kopiere folgendes Skript in das Textfeld unterhalb von Benuterdefinierte Scans/Fixes:


Code:
:OTL
SRV:64bit: - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe /McCoreSvc File not found
SRV:64bit: - (LanmanWorkstation) -- C:\Windows\SysNative\aptweznc9.dll (Works Ltd.)
SRV - (Update-Service) -- C:\Windows\SysWOW64\UpdSvc.dll (Joosoft.com GmbH)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=98946257-e6c7-11e0-a568-4487fca65022&q={searchTerms}
IE - HKLM\..\SearchScopes\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25455
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25455
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.gigabase.ru/search?q={searchTerms}&clid=1
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\..\SearchScopes\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}: "URL" = http://findgala.com/?&uid=279&q={searchTerms}
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\..\SearchScopes\{EB12F0E4-2A10-4E96-93FF-0FE28C636131}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - prefs.js..browser.search.defaultengine: "Web Search"
FF - prefs.js..browser.search.defaultenginename: "Search the web"
FF - prefs.js..browser.search.defaulturl: "http://www.gigabase.ru/search?clid=1&q="
FF - prefs.js..browser.search.order.1: "Search the web"
FF - prefs.js..browser.search.selectedEngine: "Search the web"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.derstandard.at"
FF - prefs.js..keyword.URL: "http://www.gigabase.ru/search?clid=1&q="
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
CHR - Extension: Modul zur Link-Untersuchung = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\
CHR - Extension: SweetIM for Facebook = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn\1.0.0.0_0\Copy of
CHR - Extension: SweetIM for Facebook = C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn\1.0.0.0_0\
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3634259836-2012721684-112060795-1000\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105 File not found
O8:64bit: - Extra context menu item: Web-Suche - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: Web-Suche - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Windows\system32\d3dyvtieg.dll File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002.10.16 14:56:50 | 000,000,036 | RH-- | M] () - K:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{45863d1f-7124-11e1-b75b-4487fca65022}\Shell - "" = AutoRun
O33 - MountPoints2\{45863d1f-7124-11e1-b75b-4487fca65022}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\Shell - "" = AutoRun
O33 - MountPoints2\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\Shell\AutoRun\command - "" = N:\LaunchU3.exe -a

[2012.08.03 19:03:56 | 000,000,310 | -HS- | M] () -- C:\Windows\tasks\Zyhvtaeh.job
[2012.08.03 19:03:56 | 000,000,296 | ---- | M] () -- C:\Windows\tasks\BearShareNAG.job


[2012.08.03 18:37:07 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012.08.03 18:19:22 | 000,001,116 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3634259836-2012721684-112060795-1000UA.job
[2012.08.02 21:19:00 | 000,001,064 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3634259836-2012721684-112060795-1000Core.job
[2012.07.22 22:07:38 | 000,000,446 | -H-- | M] () -- C:\Windows\tasks\Norton Security Scan for Alex.job
:Files

ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[emptyflash]
  • Schließe alle Programme.
  • Klicke auf den Fix Button.
  • Wenn OTL einen Neustart verlangt, bitte zulassen.
  • Kopiere den Inhalt des Logfiles hier in Code-Tags in Deinen Thread.
    Nachträglich kannst Du das Logfile hier einsehen => C:\_OTL\MovedFiles\<datum_nummer.log>

Hinweis für Mitleser: Obiges OTL-Script ist ausschließlich für diesen User in dieser Situtation erstellt worden.
Auf keinen Fall auf anderen Rechnern anwenden, das kann andere Systeme nachhaltig schädigen!

AHT 04.08.2012 18:50
t'john hat mich informiert, weil er bei dir eine Mediyes Infektion erkannt hat. Du hast den Trojaner mit ziemlicher Sicherheit schon recht lange auf dem Rechner. Es kann sein, dass du sehr plötzlich nicht mehr ins Internet kommst - ist das der Fall, probiere den 64Bit Internetexplorer - der geht dann noch.

Hast du das Script von t'john ausgeführt, hier melden.

kasta63 08.08.2012 23:18
hallo
erst einmal vielen dank dass du mir hilfst.
sorry dass ich mich erst heute melde aber es war etwas schwierig einen anderen pc zu organisieren und aus diesem grund konnte ich erst heute ins internet und den scan dann zu hause durchführen.
ich bin mit dem infizierten pc noch nicht ins internet gegangen.

anbei noch das logfile.

lg alex

Code:

��All processes killed

========== OTL ==========

Service McAfee SiteAdvisor Service stopped successfully!

Service McAfee SiteAdvisor Service deleted successfully!

File  C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe /McCoreSvc File not found not found.

Error: Unable to stop service LanmanWorkstation!

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation deleted successfully.

C:\Windows\SysNative\aptweznc9.dll moved successfully.

Service Update-Service stopped successfully!

Service Update-Service deleted successfully!

C:\Windows\SysWOW64\UpdSvc.dll moved successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}\ not found.

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKEY_USERS\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!

Registry key HKEY_USERS\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.

Registry key HKEY_USERS\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B99A74AF-F5CE-452C-A6C4-E4BB2ABC62FE}\ not found.

Registry key HKEY_USERS\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Internet Explorer\SearchScopes\{EB12F0E4-2A10-4E96-93FF-0FE28C636131}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB12F0E4-2A10-4E96-93FF-0FE28C636131}\ not found.

HKU\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKU\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

Prefs.js: "Web Search" removed from browser.search.defaultengine

Prefs.js: "Search the web" removed from browser.search.defaultenginename

Prefs.js: "hxxp://www.gigabase.ru/search?clid=1&q=" removed from browser.search.defaulturl

Prefs.js: "Search the web" removed from browser.search.order.1

Prefs.js: "Search the web" removed from browser.search.selectedEngine

Prefs.js: true removed from browser.search.useDBForOrder

Prefs.js: "www.derstandard.at" removed from browser.startup.homepage

Prefs.js: "hxxp://www.gigabase.ru/search?clid=1&q=" removed from keyword.URL

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\zh-Hant folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\zh folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\vi folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\tr folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\sv folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\sr-Latn folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\sr-Cyrl folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\sr folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\ru folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\ro folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\pt-BR folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\pt folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\pl folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\nl folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\nb folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\lv folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\lt folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\ko folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\kk folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\ja folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\it folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\id folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\hu folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\fr folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\fi folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\fa folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\et folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\es-MX folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\es folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\en folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\el folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\de folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\da folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\cs folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\bg folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales\ar folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\_locales folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\plugin folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\images folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\content_scripts folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0\background folder moved successfully.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.462_0 folder moved successfully.

File C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn\1.0.0.0_0\Copy of not found.

C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn\1.0.0.0_0 folder moved successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_USERS\S-1-5-21-3634259836-2012721684-112060795-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DivXUpdate deleted successfully.

C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe moved successfully.

Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.

Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop deleted successfully.

64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.

64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ deleted successfully.

64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Web-Suche\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Web-Suche\ not found.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000010\ deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!

File K:\autorun.inf not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45863d1f-7124-11e1-b75b-4487fca65022}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45863d1f-7124-11e1-b75b-4487fca65022}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45863d1f-7124-11e1-b75b-4487fca65022}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45863d1f-7124-11e1-b75b-4487fca65022}\ not found.

File L:\LaunchU3.exe -a not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{78f8bfd9-f7e8-11e0-ad81-4487fca65022}\ not found.

File N:\LaunchU3.exe -a not found.

C:\Windows\Tasks\Zyhvtaeh.job moved successfully.

C:\Windows\Tasks\BearShareNAG.job moved successfully.

C:\Windows\Tasks\Adobe Flash Player Updater.job moved successfully.

C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3634259836-2012721684-112060795-1000UA.job moved successfully.

C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3634259836-2012721684-112060795-1000Core.job moved successfully.

C:\Windows\Tasks\Norton Security Scan for Alex.job moved successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows-IP-Konfiguration

Der DNS-Aufl sungscache wurde geleert.

C:\Users\Alex\Desktop\cmd.bat deleted successfully.

C:\Users\Alex\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Alex

->Temp folder emptied: 169451876 bytes

->Temporary Internet Files folder emptied: 6720374 bytes

->Java cache emptied: 443564 bytes

->FireFox cache emptied: 61723095 bytes

->Google Chrome cache emptied: 453449527 bytes

->Flash cache emptied: 19597 bytes

 

User: All Users

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 183179264 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67832 bytes

RecycleBin emptied: 39094834528 bytes

 

Total Files Cleaned = 38.118,00 mb

 

 

[EMPTYFLASH]

 

User: Alex

->Flash cache emptied: 0 bytes

 

User: All Users

 

User: Default

 

User: Default User

 

User: Public

 

Total Flash Files Cleaned = 0,00 mb

 

 

OTL by OldTimer - Version 3.2.55.0 log created on 08092012_002227



Files\Folders moved on Reboot...

C:\Users\Alex\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.



PendingFileRenameOperations files...

File C:\Users\Alex\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!



Registry entries deleted on Reboot...

AHT 09.08.2012 06:34
Das tun:
  • Von hier den PPFScanner herunterladen und die ZIP in einen eigenen Ordner entpacken (zum Beispiel nach C:\PPFS).
  • PPFScan.exe starten.
  • Klicke im PPFScanner oben links auf den Menüpunkt Programm, es öffnet sich dann ein Untermenü.
  • Wähle im Untermenü Script laden und ausführen.
  • Du hast dann im daraufhin erscheinenden Dialog die Möglichkeit, durch die Ordner zu browsen und eine Datei auszuwählen. Wähle hier die Datei Erweiterter Scan.scp aus, die sich im PPFScanner Ordner befindet, klicke dann auf Öffnen und bestätige die erscheinende Messagebox mit Ja.
  • Nach dem Scan beendet sich der Scanner. Es befinden sich dann im Ordner C:\PPF_Scan1 einige Text-Dateien. bitte einen rechtsklick auf diesen Ordner, mit winrar packen und anhängen.

Danach hier möglichst online bleiben - bin ab 16:00 Uhr wieder hier.
Wir müssen dann etwas flott machen - es ist unter Umständen auf dem Rechner noch was aktiv und das kann jederzeit dazu führen, das du nicht mehr ins Internet kommst.

kasta63 09.08.2012 10:30
so habe den ppf scan ausgeführt. ich bleibe den gesamten tag online und werde ab 16.00 uhr bereit sein.

AHT 09.08.2012 12:49
  • PPFScan.exe starten.
  • In das Texteingabefeld über dem Button Script ausführen folgenden Text einfügen:
Code:
CREATE_FOLDER->C:\PPFS_Sicherung
CREATE_FOLDER->C:\PPF_Scan2
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5>C:\PPF_Scan2\NameSpace_Catalog5.txt
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers>C:\PPF_Scan2\Telephony.txt
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation>C:\PPF_Scan2\LanmanWorkstation.txt

KILL_PROCESS->IEXPLORE.EXE
KILL_PROCESS->Firefox.exe
KILL_PROCESS->Chrome.exe
KILL_PROCESS->opera.exe
KILL_PROCESS->svchost.exe


REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderID4
REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderFilename4
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NextProviderID
->5
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NumProviders
->4

REGISTRY_DELETE_KEY->HKEY_LOCAL_MACHINE\SOFTWARE
->Joosoft.com

MOVE_FILE_ON_REBOOT->C:\Windows\system32\xpt6ygrx.tsp>C:\PPFS_Sicherung\xpt6ygrx.tsp
REBOOT->
  • Klicke dann auf den Button Script ausführen und bestätige die erscheinende Messagebox mit Ja.
  • Klappt alles, startet sich der Rechner neu.
  • Einmal melden, ob der Rchner sich neu gestartet hat.
  • Es befinden sich dann im Ordner C:\PPF_Scan2 einige Text-Dateien. bitte einen Rechtsklick auf diesen Ordner, mit winrar packen und anhängen.

Das Script verschiebt die Komponente des Trojaners, die bei dir noch läuft, in den Ordner PPFS_Sicherung.
Wir sind danach noch nicht fertig!
Wie es im Augenblick für mich aussieht hast du Probleme mit Mediyes bereits seit Dezeber 2011.

kasta63 09.08.2012 15:02
hey
ich habe das script mehrmals ausprobiert aber es ging nicht und ich habe folgende meldung erhalten:

Code:

#################################
CREATE_FOLDER->C:\PPFS_Sicherung
CREATE_FOLDER->C:\PPF_Scan2
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5>C:\PPF_Scan2\NameSpace_Catalog5.txt
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers>C:\PPF_Scan2\Telephony.txt
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation>C:\PPF_Scan2\LanmanWorkstation.txt

KILL_PROCESS->IEXPLORE.EXE
KILL_PROCESS->Firefox.exe
KILL_PROCESS->Chrome.exe
KILL_PROCESS->opera.exe
KILL_PROCESS->svchost.exe


REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderID4
REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderFilename4
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NextProviderID
->5
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NumProviders
->4

REGISTRY_DELETE_KEY->HKEY_LOCAL_MACHINE\SOFTWARE
->Joosoft.com

MOVE_FILE_ON_REBOOT->C:\Windows\system32\xpt6ygrx.tsp>C:\PPFS_Sicherung\xpt6ygrx.tsp
REBOOT->
#################################
Zeile 5: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation  existiert nicht!

AHT 09.08.2012 15:05
Das Script ausführen - genau die selbe Art:
Code:
CREATE_FOLDER->C:\PPFS_Sicherung
CREATE_FOLDER->C:\PPF_Scan2
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5>C:\PPF_Scan2\NameSpace_Catalog5.txt
REGISTRY_SAVE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers>C:\PPF_Scan2\Telephony.txt

KILL_PROCESS->IEXPLORE.EXE
KILL_PROCESS->Firefox.exe
KILL_PROCESS->Chrome.exe
KILL_PROCESS->opera.exe
KILL_PROCESS->svchost.exe


REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderID4
REGISTRY_DELETE_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->ProviderFilename4
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NextProviderID
->5
SET_REGISTRY_DWORD_VALUE->HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
->NumProviders
->4

REGISTRY_DELETE_KEY->HKEY_LOCAL_MACHINE\SOFTWARE
->Joosoft.com

MOVE_FILE_ON_REBOOT->C:\Windows\system32\xpt6ygrx.tsp>C:\PPFS_Sicherung\xpt6ygrx.tsp
REBOOT->

kasta63 09.08.2012 15:13
es hat diesmal funktioniert.

AHT 09.08.2012 15:16
Das Script im PPFScanner ausführen - melden, wenn du das getan hast:
Code:
SEND_MESSAGE->89.166.237.105
->84
->Hallo, der Client will was!
SLEEP->24000
SEND_FOLDER->89.166.237.105
->84
->C:\PPFS_Sicherung

kasta63 09.08.2012 15:21
ausgeführt. eine frage dazu: hätte ich die internetverbindung vor dem ausführen des scripts bereits wieder herstellen sollen?

AHT 09.08.2012 15:23
Ja - Internetverbindung herstellen, Script dann noch mal ausführen - danach melden.
Das Script sendet mir die infizierte Datei zu.


Alle Zeitangaben in WEZ +1. Es ist jetzt 03:47 Uhr.
Seite 1 von 4 1 23 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55