Trojaner-Board (https://www.trojaner-board.de/)
Log analysis and evaluation (https://www.trojaner-board.de/log-analyse-auswertung/)
Very kind request for professional help with a persistent problem! (https://www.trojaner-board.de/61394-sehr-liebe-bitte-um-professionelle-hilfe-hartnaeckigem-problem.html)

myrtille 09.10.2008 18:20

Hi,

This should actually have nothing to do with the virus. As far as I know, it doesn't do anything like that.

Then let's check everything more thoroughly. Please run the following scans so we can see what is on your computer:

Kaspersky Online Scanner
This scanner does not remove what it finds, but it gives a good overview of the malware present.
---> download here => Kaspersky Online Scanner
=> note the hints for older versions! => Requirement: Internet Explorer 6.0 or higher => install the required ActiveX controls
=> Update the signatures => Next => Scan settings => select Standard => OK
=> click the "My Computer" link => the scan starts automatically
=> Scan completed => Save report as => change the file type to .txt => save it on the desktop as Kaspersky.txt
=> Post the log here
=> Uninstall => Control Panel => Add or Remove Programs => remove Kaspersky Online Scanner

As well as some scans for files, processes and registry entries that are hidden from most other scanners (by a so-called rootkit). During these scans:
  • all other scanners for viruses, spyware etc. must be disabled
  • there must be no connection to a network/the Internet (don't forget WLAN)
  • nothing must be done on the computer
  • the computer must be restarted after each scan
Run a Gmer scan
  • Download Gmer from this page and unpack it to your desktop.
  • Start gmer.exe. All other programs must be closed.
  • Start the scan with "Scan". Do nothing on the computer while the scan is running.
  • When the scan is finished, click "Copy" to copy the log to the clipboard. "Ok" closes Gmer.
  • Paste the log from the clipboard into your reply here.
Run a Catchme scan
  • Download Catchme to your desktop.
  • Start Catchme.exe. All other programs must be closed. Start with "Scan".
  • If files are listed in the window after the scan ends, click "Zip" so that a copy of these files is created. The files are not removed in the process.
  • The log is in catchme.log; paste it completely into your reply.
Run a RootkitRevealer scan
  • Download RootkitRevealer and unpack the archive into its own folder, e.g. C:\programme\rootkitrevealer.
  • Start RootkitRevealer.exe from this folder. Close all other programs.
  • Start by clicking "Scan".
  • When the scan is finished, save the log file with File -> Save.
Please create a log with RSIT. Two files are created (log.txt and info.txt). Post the contents of both files here. (If the files are too long, you can upload them at file-upload and post the links here.)

Regards, myrtille

eelaa 11.10.2008 15:36

Dear Myrtille: here is everything I was able to manage; I'm curious to see your answer.

http://www.file-upload.net/download-1174287/Antwort-Myrtille.txt.html

http://www.file-upload.net/delete-1174287/mlhnl8.html

myrtille 11.10.2008 17:20

Hi,

There is nothing in the entries that points to malware.

Have you tried deleting the entry in safe mode? Honestly, I can't tell you where the entry keeps coming from.

Regards, myrtille

eelaa 11.10.2008 17:38

Dear Myrtille,

in safe mode the entry isn't there at all!

Two very last questions:

All these things that Catchme (62 hidden files) and RootkitRevealer (69 hidden files) found, these Messenger things etc., are they okay?

Maybe I'll just get used to deleting the icqlite.exe entry again at every start. Would that be an alternative?

Thanks in advance, eelaa

myrtille 11.10.2008 17:53

Hi,

Yes, that's okay, as long as the programs were running during the scan. The entries in the HijackThis log indicate that, at any rate.

If the entries keep coming back, it means either that you have a program that re-enters the entries again and again, or that a program re-creates the entries again and again.
If you really disabled all your antivirus software while fixing, only the first possibility really remains. It could possibly be icq6, but I can't find any information on that and therefore can't really help you. :(

Regards, myrtille

eelaa 11.10.2008 17:58

MSN Messenger was not running when Catchme scanned. Nevertheless, all Messenger contacts were listed. Is my MSN Messenger infected?

I ran Gmer again because I still had Kaspersky on the first time; maybe you could just take a quick look here:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-11 19:42:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xED9E081A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xED9E0DC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xED9E282A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xED9E21E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xED9DFF90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xED9E418C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xED9E0BC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xED9E03D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xED9E05D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xED9E24EC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xED9E4698]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xED9E06E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xED9E0750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xED9E23A2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xED9E3C50]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xED9E203C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xED9E00F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xED9E09E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xED9E41B6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xED9E093E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xED9E07B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xED9E04BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xED9E029A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xED9E3EB8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xED9DFC12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xED9E30B4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xED9DFD74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xED9E4568]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xED9DFA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xED9E26CC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xED9E0CC0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xED9E3D4A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xED9E41E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xED9E0148]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xED9E42C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xED9E43F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xED9E3B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xED9E0A92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xED9E0B04]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9F90 5 Bytes JMP ED9F701C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE86E 5 Bytes JMP ED9F73D6 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F80 12 Bytes [ C4, 42, 9E, ED, F0, 43, 9E, ... ]
.text win32k.sys!EngCreateBitmap + D9AD BF845875 5 Bytes JMP 84DF3610

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 84E0FDF0
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 84E0FDF0

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \FileSystem\Fastfat \Fat BAFE3D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:320 84E4B6F0
Thread 4:324 84E4B6F0
Thread 4:328 84E1CEB0
Thread 4:332 84E1CEB0
Thread 4:336 84E1CEB0

---- EOF - GMER 1.0.14 ----

Kind regards, eelaa

myrtille 11.10.2008 18:59

Hi,

What you see are entries from Kaspersky and StarForce. Even if Kaspersky is off, it has still protected its entries in order to protect itself from possible tampering.

Regards, myrtille
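What myrtille does in the post above, going down the GMER log and attributing each hook to a known vendor (Kaspersky's klif.sys and kl1.sys, StarForce's sfsync02.sys), can be done mechanically. The Python script below is an example added here; it is not part of the original thread and not GMER's own tooling. It parses GMER-style lines, counts hooks per vendor, and reports only the lines GMER could not attribute to a module, which are the ones worth reading by hand. For a raw byte patch it also decodes the dumped bytes as little-endian x86 pointers and looks them up against the SSDT hook addresses attributed elsewhere in the same log: in the posted log the first dword of the "ZwCallbackReturn + 2758" patch is C4 42 9E ED = 0xED9E42C4, which is exactly the klif.sys ZwSuspendProcess hook listed under SSDT, so that patch points at Kaspersky's own hooks rather than at an unknown module. The input is a constructed excerpt of the posted log, and the trusted-vendor list is an assumption for the example.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the GMER 1.0.14 log posted in this thread:
# a few representative lines per section, not the full log.
SAMPLE_GMER_LOG = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xED9E21E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xED9E42C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xED9E43F0]
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9F90 5 Bytes JMP ED9F701C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F80 12 Bytes [ C4, 42, 9E, ED, F0, 43, 9E, ... ]
.text win32k.sys!EngCreateBitmap + D9AD BF845875 5 Bytes JMP 84DF3610
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\Fastfat \Fat BAFE3D20
Thread 4:320 84E4B6F0
"""

# "<module path> (<description>/<vendor>)" is how GMER attributes a hook to a driver.
ATTRIB_RE = re.compile(r"(\S+\.(?:sys|exe|dll)) \(([^/()]*)/([^()]*)\)", re.IGNORECASE)
# SSDT lines carry the hook target as "[0xXXXXXXXX]".
ADDR_RE = re.compile(r"\[0x([0-9A-Fa-f]{8})\]")
# Raw patches are dumped as "N Bytes [ C4, 42, ... ]"; "..." marks GMER's truncation.
BYTES_RE = re.compile(r"\d+ Bytes \[\s*([0-9A-Fa-f, .]+?)\s*\]")


def _parse_bytes(spec):
    """Turn "C4, 42, 9E, ED, ..." into bytes, stopping at GMER's "..." truncation marker."""
    out = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break
        out.append(int(tok, 16))
    return bytes(out)


def dwords_le(data):
    """Read a byte dump as little-endian 32-bit values (x86 pointers); a trailing partial dword is dropped."""
    return [int.from_bytes(data[i:i + 4], "little") for i in range(0, len(data) - 3, 4)]


def parse_gmer(text):
    """One dict per log line: section kind, attributed module/vendor, hook address, raw patch bytes."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        attrib = ATTRIB_RE.search(line)
        addr = ADDR_RE.search(line)
        patch = BYTES_RE.search(line)
        entries.append({
            "kind": line.split()[0],  # SSDT, .text, IAT, AttachedDevice, Device, Thread
            "line": line,
            "module": attrib.group(1).rsplit("\\", 1)[-1].lower() if attrib else None,
            "vendor": attrib.group(3).strip() if attrib else None,
            "hook_addr": int(addr.group(1), 16) if addr else None,
            "patch_bytes": _parse_bytes(patch.group(1)) if patch else None,
        })
    return entries


def vendor_summary(entries):
    """How many hooks each vendor owns; "(unattributed)" is what needs a human."""
    return Counter(e["vendor"] or "(unattributed)" for e in entries)


def triage(entries, trusted_vendors):
    """(kind, line, note) for every entry not attributed to a trusted vendor.

    For raw byte patches the dumped dwords are looked up against the hook
    addresses attributed elsewhere in the same log: a patch whose pointers
    land in a trusted vendor's hooks belongs to that vendor, not to an
    unknown module.
    """
    by_addr = {e["hook_addr"]: e for e in entries if e["hook_addr"] is not None}
    report = []
    for e in entries:
        if e["vendor"] in trusted_vendors:
            continue
        note = "no module attribution, inspect by hand"
        if e["patch_bytes"]:
            owners = sorted({by_addr[d]["vendor"] for d in dwords_le(e["patch_bytes"]) if d in by_addr})
            if owners:
                note = "patched dwords point at hooks owned by " + ", ".join(owners)
        report.append((e["kind"], e["line"], note))
    return report


if __name__ == "__main__":
    entries = parse_gmer(SAMPLE_GMER_LOG)
    for vendor, n in vendor_summary(entries).most_common():
        print(f"{n:3d}  {vendor}")
    # Assumed allow-list for this example: the two vendors myrtille identified in the log.
    for kind, line, note in triage(entries, {"Kaspersky Lab", "Protection Technology"}):
        print(f"[{kind}] {note}\n      {line}")
```

The allow-list is the whole judgement call: an attribution string is just what GMER read from the driver's version resource, so a vendor name alone is not proof. What the script buys you is the shortlist of lines with no attribution at all (the win32k.sys JMP to a bare address, the Fastfat device, the system threads), which is where a rootkit would show up if one were present.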

eelaa 12.10.2008 09:07

Dear Myrtille,

Regarding the icqlite entry, I have another idea: since the entry really only appears when I have an Internet connection, but it isn't visible in safe mode, I would have to establish an Internet connection in safe mode and then fix it. The only problem is that Kaspersky probably doesn't provide active protection in safe mode, I think. Can you tell me anything about that?

Kind regards from eelaa

myrtille 13.10.2008 18:08

Hi,

Let's try something else instead:

Rather than guessing, we can look at which program edits the key:
  • Download ProcessMonitor.
  • Unpack the program ProcMon.exe into a folder of your choice (e.g. C:\Programme\ProcessMonitor)
  • Accept the license terms and start the program (delete the icqlite entry with HijackThis beforehand)
  • Then open the filters under Tools.
  • Set the following filter:
    Code:

    Path contains HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings then include
  • Provoke the appearance of the proxy entry
  • After the entry you are looking for appears, go to File and then Save. There, under Format, tick Comma-separated value and save the file.
  • Then post the contents of the file here

Regards, myrtille

eelaa 13.10.2008 20:25

Dear Myrtille,

Thanks for your answer. If I have to provoke the appearance of the proxy entry, I have to restart; can I do that in between, in the program?

Regards, eelaa

myrtille 13.10.2008 20:45

Hi,

Download the program, restart, and then run the program on the fixed computer.

You only need to be online while downloading the program :D

Regards, myrtille

eelaa 14.10.2008 22:01

Dear Myrtille,

I finally managed it; it is huge and frightening.

http://www.file-upload.net/download-1180822/Prozess-MonitorLogfile.CSV.html

http://www.file-upload.net/delete-1180822/w4mh4.html

I'm curious to see your answer.

Regards, eelaa

myrtille 15.10.2008 00:00

Hi,

Are you sure you chose "include" when setting the filter? The entry for the Internet Settings is not in the log.

Regards, myrtille

eelaa 15.10.2008 08:54

Hello dear Myrtille,

No, I'm not sure, because I'm pretty dim. But now I think I've got it:

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:43:59,5223086","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5223651","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5224472","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5224735","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5224911","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5225198","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5225536","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5225788","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5225916","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5226204","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5226550","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5226794","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5226919","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5229478","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5229830","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5230084","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5230216","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5230498","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5230836","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5272618","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5272942","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5273475","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5273830","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:43:59,5274082","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:43:59,5776872","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS","Desired Access: Read"
"09:43:59,5777389","Explorer.EXE","2176","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep","SUCCESS","Type: REG_DWORD, Length: 4, Data: 20"
"09:43:59,5778067","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS",""
"09:45:00,2610056","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS","Desired Access: Read"
"09:45:00,2610397","Explorer.EXE","2176","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep","SUCCESS","Type: REG_DWORD, Length: 4, Data: 20"
"09:45:00,2610950","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS",""
"09:45:30,2953181","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS","Desired Access: Read"
"09:45:30,2953546","Explorer.EXE","2176","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep","SUCCESS","Type: REG_DWORD, Length: 4, Data: 20"
"09:45:30,2954139","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS",""
"09:45:49,7966558","firefox.exe","3272","RegOpenKey","HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings","SUCCESS","Desired Access: Read"
"09:45:49,7967192","firefox.exe","3272","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","BUFFER OVERFLOW","Query: Basic, Length: 24"
"09:45:49,7967374","firefox.exe","3272","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","BUFFER OVERFLOW","Query: Basic, Length: 24"
"09:45:49,7967678","firefox.exe","3272","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings","SUCCESS",""
"09:46:03,1494417","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1494777","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1495135","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:46:03,1495389","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:46:03,1495532","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1495808","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1496152","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:46:03,1496389","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:46:03,1496518","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1496800","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1497124","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:46:03,1497364","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:46:03,1497487","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1497769","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1498096","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:46:03,1512506","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:46:03,1512760","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1513190","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:46:03,1515361","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:46:03,1515615","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache","SUCCESS",""
"09:46:03,1738437","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS","Desired Access: Read"
"09:46:03,1738979","Explorer.EXE","2176","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep","SUCCESS","Type: REG_DWORD, Length: 4, Data: 20"
"09:46:03,1740188","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS",""
"09:46:42,4991454","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS","Desired Access: Read"
"09:46:42,4991797","Explorer.EXE","2176","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep","SUCCESS","Type: REG_DWORD, Length: 4, Data: 20"
"09:46:42,4992350","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History","SUCCESS",""

and something like this too:

"09:50:13,9182807","Start.exe","2756","RegOpenKey","HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Desired Access: Read"
"09:50:13,9183478","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9183679","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Name"
"09:50:13,9184215","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Cached, SubKeys: 77, Values: 1"
"09:50:13,9184662","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9184878","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Name"
"09:50:13,9185121","Start.exe","2756","RegEnumKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Index: 0, Name: Range1"
"09:50:13,9185392","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9185590","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Name"
"09:50:13,9193845","Start.exe","2756","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1","SUCCESS","Desired Access: Read"
"09:50:13,9194465","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9194678","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1","SUCCESS","Query: Name"
"09:50:13,9195234","Start.exe","2756","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\:Range","SUCCESS","Type: REG_SZ, Length: 30, Data: 85.255.117.243"
"09:50:13,9197446","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9197664","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Name"
"09:50:13,9198220","Start.exe","2756","RegEnumKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Index: 1, Name: Range10"
"09:50:13,9198547","Start.exe","2756","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1","SUCCESS",""
"09:50:13,9198826","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","BUFFER OVERFLOW","Query: Name, Length: 256"
"09:50:13,9199351","Start.exe","2756","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges","SUCCESS","Query: Name"


Regards, eelaa
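The Process Monitor procedure myrtille gave earlier (filter on the Internet Settings key, provoke the entry, export as CSV) produces exactly the kind of export eelaa posts above: mostly RegOpenKey/RegCloseKey noise from Explorer.EXE on the cache subkeys, with the interesting rows buried in it. The Python script below is an example added here, not part of the thread and not a Process Monitor feature. It reads such a CSV and reduces it to what a log reader actually wants: write operations on the proxy values (which process, which PID, which value, what it wrote), every ZoneMap range whose :Range value shows up, and an operation count per process so the noisy ones are obvious. The input is a constructed excerpt in the same layout as the posted log; the Explorer.EXE, firefox.exe and Start.exe rows are copied from it, while the two example.exe rows writing ProxyServer and ProxyEnable are invented for this example, since the posted excerpt contains no write at all, which is the question myrtille asks next.

```python
import csv
import io
import re
from collections import Counter

# Constructed excerpt in the CSV layout Process Monitor writes when "Comma-separated value"
# is ticked. The Explorer.EXE, firefox.exe and Start.exe rows are taken from the posted log;
# the two example.exe rows are invented for this example to show what a proxy write looks like.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:43:59,5223086","Explorer.EXE","2176","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS","Desired Access: Query Value, Set Value, Create Sub Key, Enumerate Sub Keys"
"09:43:59,5224472","Explorer.EXE","2176","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache","SUCCESS",""
"09:45:49,7966558","firefox.exe","3272","RegOpenKey","HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings","SUCCESS","Desired Access: Read"
"09:50:13,9195234","Start.exe","2756","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\:Range","SUCCESS","Type: REG_SZ, Length: 30, Data: 85.255.117.243"
"09:52:01,0000000","example.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer","SUCCESS","Type: REG_SZ, Length: 64, Data: http=proxy.example.invalid:8080"
"09:52:01,0001000","example.exe","4100","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Values under Internet Settings that redirect browser traffic when changed.
PROXY_VALUES = {"ProxyServer", "ProxyEnable", "ProxyOverride", "AutoConfigURL"}
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
DATA_RE = re.compile(r"Data: (.*)$")
RANGE_RE = re.compile(r"\\ZoneMap\\Ranges\\([^\\]+)\\:Range$", re.IGNORECASE)


def parse_procmon_csv(text):
    """Rows as dicts keyed by the header names Process Monitor writes."""
    return list(csv.DictReader(io.StringIO(text)))


def find_proxy_writes(rows):
    """Write operations on proxy values under Internet Settings: who, when, which value, new data."""
    hits = []
    for r in rows:
        if r["Operation"] not in WRITE_OPS:
            continue
        # Registry paths are case-insensitive; the log mixes "Software" and "software".
        if not r["Path"].lower().startswith(INTERNET_SETTINGS.lower()):
            continue
        name = r["Path"].rsplit("\\", 1)[-1]
        if name in PROXY_VALUES:
            m = DATA_RE.search(r["Detail"])
            hits.append({"time": r["Time of Day"], "process": r["Process Name"],
                         "pid": int(r["PID"]), "value": name,
                         "data": m.group(1) if m else None})
    return hits


def zonemap_ranges(rows):
    """(process, range key, host or IP) for every ZoneMap range whose :Range value appears in the log."""
    out = []
    for r in rows:
        m = RANGE_RE.search(r["Path"])
        d = DATA_RE.search(r["Detail"])
        if m and d:
            out.append((r["Process Name"], m.group(1), d.group(1)))
    return out


def activity_by_process(rows):
    """Operation counts per (process, pid): separates Explorer's cache noise from rare actors."""
    return Counter((r["Process Name"], int(r["PID"])) for r in rows)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for (proc, pid), n in activity_by_process(rows).most_common():
        print(f"{n:5d}  {proc} ({pid})")
    for h in find_proxy_writes(rows):
        print(f"{h['time']}  {h['process']}[{h['pid']}] set {h['value']} = {h['data']!r}")
    for proc, key, host in zonemap_ranges(rows):
        print(f"ZoneMap {key} -> {host}  (read by {proc})")
```

If find_proxy_writes returns nothing for a real export, the filter was not capturing at the moment the value changed (for instance because the capture was started after the reboot that re-creates the entry), which is the same point myrtille raises below. The ZoneMap listing is only an inventory: a range entry that is a bare IP address rather than a site you added yourself deserves a manual look, but the script makes no judgement about it.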

myrtille 15.10.2008 18:27

Hi,

That's astonishing. :eek: Did the entry with the proxy server appear during the time you were recording this?

Regards, myrtille

