Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)

Polla 05.10.2011 11:29

Bundespolizeitrojaner
 
Hello everyone,
unfortunately my laptop got hit yesterday and I picked up the trojan mentioned in the title.
I have already read several posts on this topic on this board and have already carried out the first steps.
However, since every thread keeps pointing out that every infection is unique and needs its own procedure, I am posting my first results here.
I have already run a scan with srep.exe and OTLPE.
These two steps seemed sensible to me and doable without further risk to my laptop.

Here are the logs I obtained:

srep:
Quote:

WIN_VISTA X86Service Pack 2

HKLM\..\Winlogon; Shell = explorer.exe
No action taken
HKCU\..\Winlogon; Shell not found
No action taken


HKLM\..\Run [Windows Defender] = %ProgramFiles%\Windows Defender\MSASCui.exe -hide
HKLM\..\Run [WPCUMI] = C:\Windows\system32\WpcUmi.exe
HKLM\..\Run [LG Intelligent Update] = "C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc
HKLM\..\Run [StartCCC] = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
HKLM\..\Run [avgnt] = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
HKLM\..\Run [DivXUpdate] = "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
HKLM\..\Run [Windows Mobile-based device management] = %windir%\WindowsMobile\wmdSync.exe
HKLM\..\Run [SunJavaUpdateSched] = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
HKLM\..\Run [Adobe Reader Speed Launcher] = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
HKLM\..\Run [Adobe ARM] = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM\..\Run [QuickTime Task] = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
HKLM\..\Run [NPSStartup] =

HKCU\..\Run [Sidebar] = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKCU\..\Run [msnmsgr] = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKCU\..\Run [ehTray.exe] = C:\Windows\ehome\ehTray.exe
HKCU\..\Run [PMCRemote] =
HKCU\..\Run [EA Core] = "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
HKCU\..\Run [Steam] = "D:\Spiele\Steam\Steam.exe" -silent
HKCU\..\Run [ICQ] = "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4
HKCU\..\Run [AutoStartNPSAgent] = C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
HKCU\..\Run [WMPNSCFG] = C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKCU\..\Run [avupdate] = C:\Users\Saturn\AppData\Roaming\mahmud.exe

HKU\.DEFAULT\..\Winlogon; Shell =
HKU\S-1-5-19\..\Winlogon; Shell =
HKU\S-1-5-20\..\Winlogon; Shell =
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Winlogon; Shell =
HKU\S-1-5-21-491113855-2426311782-949560941-1000_Classes\..\Winlogon; Shell =
HKU\S-1-5-18\..\Winlogon; Shell =

HKU\S-1-5-19\..\Run [Sidebar] = %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
HKU\S-1-5-19\..\Run [WindowsWelcomeCenter] = rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\..\Run [Sidebar] = %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
HKU\S-1-5-20\..\Run [WindowsWelcomeCenter] = rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [Sidebar] = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [msnmsgr] = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [ehTray.exe] = C:\Windows\ehome\ehTray.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [PMCRemote] =
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [EA Core] = "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [Steam] = "D:\Spiele\Steam\Steam.exe" -silent
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [ICQ] = "C:\Program Files\ICQ7.2\ICQ.exe" silent loginmode=4
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [AutoStartNPSAgent] = C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [WMPNSCFG] = C:\Program Files\Windows Media Player\WMPNSCFG.exe
HKU\S-1-5-21-491113855-2426311782-949560941-1000\..\Run [avupdate] = C:\Users\Saturn\AppData\Roaming\mahmud.exe

==== FINISH 04.10-15.22 ====
OTLPE:
Quote:

OTL logfile created on: 10/5/2011 1:19:32 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 99.99 Gb Total Space | 55.25 Gb Free Space | 55.26% Space Free | Partition Type: NTFS
Drive D: | 196.60 Gb Total Space | 167.00 Gb Free Space | 84.94% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2011/08/08 10:00:05 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/07/27 16:34:42 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/04/21 01:52:51 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/31 03:39:36 | 000,233,472 | ---- | M] (Teruten) [Auto] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/08/29 08:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2008/04/07 03:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/20 22:23:24 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/20 22:23:24 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - [2011/08/08 10:00:11 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/08/08 10:00:11 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/08 11:55:33 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2009/04/11 00:38:59 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usbccid.sys -- (USBCCID)
DRV - [2009/03/31 03:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/03/20 04:01:26 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bmdm.sys -- (ss_bmdm)
DRV - [2009/03/20 04:01:26 | 000,090,112 | ---- | M] (MCCI) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bbus.sys -- (ss_bbus) SAMSUNG USB Mobile Device (WDM)
DRV - [2009/03/20 04:01:26 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ss_bmdfl.sys -- (ss_bmdfl) SAMSUNG USB Mobile Modem (Filter)
DRV - [2009/02/13 06:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/01/19 14:31:56 | 000,277,544 | ---- | M] (Protect Software GmbH) [Kernel | Auto] -- C:\Windows\System32\drivers\acedrv11.sys -- (acedrv11)
DRV - [2008/08/29 08:57:18 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2008/06/25 17:30:50 | 003,662,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/06/10 11:35:54 | 003,839,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/05/02 00:59:40 | 000,122,368 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/03/29 12:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2008/01/20 22:23:02 | 004,422,560 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/09/17 09:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/06/14 08:41:00 | 000,466,048 | ---- | M] (LITEON) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Ltn_stk7070P.sys -- (Ltn_stk7070P)
DRV - [2007/06/13 13:30:20 | 000,013,440 | ---- | M] (LITEON) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Ltn_stkrc.sys -- (Ltn_stkrc)
DRV - [2007/01/18 13:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/14 02:11:58 | 000,007,680 | ---- | M] (ATK0100) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ATKACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.lge.com
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Mcx1_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.lge.com
IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://start.icq.com/
IE - HKU\Saturn_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\Saturn_ON_C\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKU\Saturn_ON_C\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
IE - HKU\Saturn_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\System32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/17 12:48:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/17 12:48:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.12\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/08/22 16:02:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.12\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/02/24 11:02:46 | 000,000,000 | ---D | M]

[2011/06/27 08:49:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/16 08:06:57 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/02/27 12:55:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/02/27 12:55:34 | 000,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2011/02/27 12:55:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/02/27 12:55:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/02/27 12:55:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [LG Intelligent Update] C:\Program Files\lg_swupdate\giljabistart.exe (BIT LEADER)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\Mcx1_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\Saturn_ON_C..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKU\Saturn_ON_C..\Run: [avupdate] C:\Users\Saturn\AppData\Roaming\mahmud.exe ()
O4 - HKU\Saturn_ON_C..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKU\Saturn_ON_C..\Run: [ICQ] File not found
O4 - HKU\Saturn_ON_C..\Run: [PMCRemote] File not found
O4 - HKU\Saturn_ON_C..\Run: [Steam] File not found
O4 - Startup: Error locating startup folders.
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\Mcx1_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\Saturn_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Spiele\Poker\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Spiele\Poker\PartyPoker\RunApp.exe ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/04 09:03:30 | 000,000,000 | ---D | C] -- C:\Users\Saturn\AppData\Roaming\Avira
[2011/10/04 03:26:00 | 000,000,000 | ---D | C] -- C:\Users\Saturn\Desktop\CinemaxX
[2011/09/22 07:51:04 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/21 08:26:03 | 000,000,000 | ---D | C] -- C:\Users\Saturn\AppData\Roaming\Padserv
[2011/09/15 09:59:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Airline Tycoon Evolution
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/05 06:10:14 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/05 06:09:06 | 000,007,512 | ---- | M] () -- C:\Users\Saturn\AppData\Local\d3d9caps.dat
[2011/10/05 06:06:33 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/05 06:06:32 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/04 09:27:37 | 000,638,418 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011/10/04 09:27:37 | 000,604,280 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/04 09:27:37 | 000,131,526 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011/10/04 09:27:37 | 000,107,958 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/04 09:26:43 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2011/10/04 08:47:44 | 000,172,544 | ---- | M] () -- C:\Users\Saturn\AppData\Roaming\mahmud.exe
[2011/09/22 07:51:04 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/15 09:59:19 | 000,000,461 | ---- | M] () -- C:\Users\Public\Desktop\Airline Tycoon Evolution.lnk
[2011/09/15 09:59:19 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Airline Tycoon Evolution
[2011/09/14 16:19:55 | 000,017,209 | ---- | M] () -- C:\Users\Saturn\Documents\Wochenplan für WiSe 11,12.ods
[2011/09/10 15:54:58 | 003,750,912 | ---- | M] () -- C:\Users\Saturn\Desktop\DSC_0257.JPG
[2011/09/10 06:43:34 | 003,661,703 | ---- | M] () -- C:\Users\Saturn\Desktop\DSC_0245.JPG
[5 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/04 08:47:44 | 000,172,544 | ---- | C] () -- C:\Users\Saturn\AppData\Roaming\mahmud.exe
[2011/09/24 05:47:39 | 003,661,703 | ---- | C] () -- C:\Users\Saturn\Desktop\DSC_0245.JPG
[2011/09/24 05:47:10 | 003,750,912 | ---- | C] () -- C:\Users\Saturn\Desktop\DSC_0257.JPG
[2011/09/15 09:59:19 | 000,000,461 | ---- | C] () -- C:\Users\Public\Desktop\Airline Tycoon Evolution.lnk
[2011/08/28 14:57:01 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2011/08/28 14:57:01 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2011/02/24 12:45:57 | 000,000,125 | ---- | C] () -- C:\Windows\QTW.INI
[2010/06/18 06:17:48 | 000,201,488 | ---- | C] () -- C:\Windows\System32\MACD32.DLL
[2010/06/18 06:17:48 | 000,144,144 | ---- | C] () -- C:\Windows\System32\MASE32.DLL
[2010/06/18 06:17:48 | 000,141,584 | ---- | C] () -- C:\Windows\System32\MAMC32.DLL
[2010/06/18 06:17:48 | 000,063,248 | ---- | C] () -- C:\Windows\System32\MASD32.DLL
[2010/06/18 06:17:48 | 000,033,040 | ---- | C] () -- C:\Windows\System32\MA32.DLL
[2010/04/03 12:52:07 | 000,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll
[2010/04/03 12:52:07 | 000,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll
[2009/12/03 16:47:48 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2009/11/21 09:05:37 | 000,000,822 | ---- | C] () -- C:\Windows\eReg.dat
[2009/10/24 12:14:07 | 000,138,056 | ---- | C] () -- C:\Users\Saturn\AppData\Roaming\PnkBstrK.sys
[2009/10/24 12:13:51 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2009/10/09 12:26:12 | 000,554,496 | ---- | C] () -- C:\Windows\System32\dvmsg.dll
[2009/08/08 10:49:03 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/08 10:49:02 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/04 06:36:03 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/08/01 14:47:11 | 000,041,984 | ---- | C] () -- C:\Users\Saturn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/24 11:23:13 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/24 11:18:13 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2009/07/24 11:03:09 | 000,009,665 | ---- | C] () -- C:\Windows\lg_up.ini
[2009/07/24 10:55:51 | 000,000,894 | ---- | C] () -- C:\Windows\lgcenter.ini
[2009/07/24 10:26:05 | 000,007,512 | ---- | C] () -- C:\Users\Saturn\AppData\Local\d3d9caps.dat
[2008/08/29 08:58:26 | 000,197,408 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2008/06/16 23:51:02 | 000,638,418 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008/06/16 23:51:02 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008/06/16 23:51:02 | 000,131,526 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008/06/16 23:51:02 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2008/06/10 09:13:02 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2008/06/10 04:50:18 | 000,174,819 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/03/05 07:38:44 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2007/10/25 11:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/07/22 11:39:26 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2007/06/25 14:34:26 | 000,070,400 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,259,776 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,604,280 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,107,958 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2000/02/09 18:00:00 | 000,047,104 | ---- | C] () -- C:\Windows\System32\wrkgadm.exe
[2000/02/09 18:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/02/08 16:53:51 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\AIMP
[2010/10/18 05:26:33 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Audacity
[2011/07/13 18:00:55 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\DVDVideoSoftIEHelpers
[2009/11/30 19:04:20 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\EPSON
[2010/06/20 06:32:45 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\GoPal Assistant
[2011/09/29 07:43:28 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\ICQ
[2010/04/19 15:53:16 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Leadertech
[2011/05/11 12:01:43 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\LolClient
[2011/08/08 07:33:51 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Mount&Blade
[2009/09/20 06:33:52 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\OpenOffice.org
[2011/09/29 02:26:22 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Padserv
[2011/08/28 15:02:55 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\PC Suite
[2010/05/26 08:17:36 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\ProtectDisc
[2011/08/28 14:56:39 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Samsung
[2009/08/01 15:11:39 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Serif
[2010/08/02 06:54:17 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\temp
[2010/03/30 06:48:00 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Thunderbird
[2010/03/15 17:19:16 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\Tobit
[2011/05/21 13:10:36 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\TS3Client
[2010/07/23 06:07:41 | 000,000,000 | ---D | M] -- C:\Users\Saturn\AppData\Roaming\UseNeXT
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2011/04/28 14:06:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Electronic Arts
[2009/10/13 13:08:54 | 000,000,000 | ---D | M] -- C:\ProgramData\EPSON
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2011/05/18 14:31:28 | 000,000,000 | ---D | M] -- C:\ProgramData\ICQ
[2011/08/28 15:02:56 | 000,000,000 | ---D | M] -- C:\ProgramData\PC Suite
[2010/06/18 06:21:52 | 000,000,000 | ---D | M] -- C:\ProgramData\Pinnacle
[2011/05/31 15:26:34 | 000,000,000 | ---D | M] -- C:\ProgramData\PMB Files
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2009/07/24 10:22:26 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2010/10/03 15:33:34 | 000,000,000 | ---D | M] -- C:\ProgramData\WindowsSearch
[2010/02/21 17:05:13 | 000,000,000 | ---D | M] -- C:\ProgramData\WinZip
[2011/10/04 09:04:33 | 000,032,532 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >
I would be very grateful for further instructions now.

cosinus 05.10.2011 17:04

Why OTLPE? Does Windows still not start normally after the treatment with SREP?

Polla 06.10.2011 08:59

Hello, no, Windows still does not start normally, not even after the scan with SREP.

Just as a quick note: I have Vista Home Premium and a 32-bit operating system.

cosinus 06.10.2011 13:17

Do an OTL fix via OTLPE: start OTL and copy the following text into the "Custom Scan/Fixes" box (at the bottom in OTL): (the ":OTL" must be copied as well!!!)


Code:

:OTL
O4 - HKU\Saturn_ON_C..\Run: [avupdate] C:\Users\Saturn\AppData\Roaming\mahmud.exe ()
:Files
C:\Users\Saturn\AppData\Roaming\mahmud.exe
:Commands
[emptytemp]
[resethosts]

Then click the Fix button at the top left!
The log file should open when you click OK after the fix; please post it. The computer may be restarted.

The entries, files and folders fixed with this script are, for safety, not deleted completely; a backup copy is created on the system partition in the folder "_OTL".

Note: The above script was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, as it can permanently damage the system!

After that Windows should start normally again - please make the OTL quarantine folder available to us. Please proceed as follows:

1.) VERY IMPORTANT!! Disable the virus scanner; it must not interfere with the packing!
2.) Zip the folder movedfiles in C:\_OTL into one file
3.) Upload the created ZIP file here => http://www.trojaner-board.de/54791-a...ner-board.html
4.) Let us know when it was successful
5.) Only then switch the virus scanner back on

Polla 07.10.2011 08:45

Everything done, and Windows started normally; thanks so far.

Logfile after the fix:
Quote:

========== OTL ==========
Registry value HKEY_USERS\Saturn_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\avupdate deleted successfully.
C:\Users\Saturn\AppData\Roaming\mahmud.exe moved successfully.
========== FILES ==========
File\Folder C:\Users\Saturn\AppData\Roaming\mahmud.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users
-> No Temporary Internet Files cache folder defined!

User: Default
-> No Temporary Internet Files cache folder defined!

User: Default User
-> No Temporary Internet Files cache folder defined!

User: Mcx1
-> No Temporary Internet Files cache folder defined!

User: Public
-> No Temporary Internet Files cache folder defined!

User: Saturn
-> No Temporary Internet Files cache folder defined!

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1533389 bytes
%systemroot%\System32 .tmp files removed: 3911680 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 84651918 bytes

Total Files Cleaned = 86.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTLPE by OldTimer - Version 3.1.48.0 log created on 10072011_101920
The file was also uploaded successfully.

Thanks again so far.

cosinus 07.10.2011 15:57

Please now do a routine full scan with Malwarebytes and post the log.
Remember that Malwarebytes must be updated manually before every scan!

If logs from older Malwarebytes scans exist, please post all of those as well!


ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick Yes, I agree to the terms of use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded; the scan starts automatically.
  • At the end of the scan click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the recycle bin => C:\Programme\Eset


Polla 08.10.2011 19:43

So, first the contents of the Malwarebytes log:
Quote:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Datenbank Version: 7895

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

08.10.2011 10:55:44
mbam-log-2011-10-08 (10-55-20).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 322032
Laufzeit: 1 Stunde(n), 8 Minute(n), 43 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 9

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\Saturn\AppData\Local\Temp\jar_cache3300358562354506591.tmp (Trojan.Agent) -> No action taken.
c:\_OTL\movedfiles\10072011_101920\C_Users\Saturn\AppData\Roaming\mahmud.exe (Trojan.Agent) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.41852783337038446.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.2011606953196614.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.6336789330142466.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.6604491711228152.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.6795923255072281.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.9433839559548062.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.603837840019975.exe (Exploit.Drop.2) -> No action taken.
And next, the log from Eset:
Quote:

ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=a8eab6b06a8be641acb775942f64e836
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-10-08 04:23:06
# local_time=2011-10-08 06:23:06 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1797 16775165 100 100 0 92963434 0 0
# compatibility_mode=5892 16776573 100 100 90654 155599598 0 0
# compatibility_mode=8192 67108863 100 0 480 480 0 0
# scanned=154492
# found=23
# cleaned=0
# scan_time=24116
C:\Users\Saturn\AppData\Local\Temp\jar_cache4351483731666074639.tmp a variant of Win32/Kryptik.RYW trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\6973b0cb-7912b48b Java/TrojanDownloader.Agent.NBN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\384d41b-371b6674 Java/Agent.DO trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\7c47d765-435a8614 a variant of Java/Agent.DR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\107aebea-185e957d Java/Agent.DS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-13ab81a6 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-26abb069 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2f394deb a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-3e7677e4 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-500002db a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-56227dfa a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\4e142333-1c4fbfaa a variant of Java/Agent.DH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-1a2a0fb6 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-41451385 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-5dfe1b71 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-6a2812b1 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-7de2f67e a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\43b8adf4-7e722553 a variant of Java/Agent.DT trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\69b417fb-61e77976 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\e8267fc-2e0c1e57 probably a variant of Win32/Agent.LMMBFXF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\78803b7e-1f16d6c3 Java/TrojanDownloader.OpenStream.NBL trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles.rar a variant of Win32/Kryptik.TPJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\10072011_101920\C_Users\Saturn\AppData\Roaming\mahmud.exe a variant of Win32/Kryptik.TPJ trojan (unable to clean) 00000000000000000000000000000000 I

cosinus 10.10.2011 10:26

Quote:

-> No action taken.
The findings must be removed with Malwarebytes! Please do that if not already done!
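
The point cosinus raises is easy to miss when reading a long log: both scanners in this thread only reported, and "No action taken." / "(unable to clean)" mean the files are still on disk. The following script is an added example for this thread, not a tool from Trojaner-Board, Malwarebytes or ESET. It parses the detection lines of a Malwarebytes' Anti-Malware 1.x log and an ESET Online Scanner log, lists every finding that was not actually resolved, and buckets them by location (Java cache, Temp, OTL quarantine). The sample log excerpts are constructed here and modelled on the posted logs; the extra "Quarantined and deleted successfully." line is an assumed contrast case, and the line formats are inferred from the excerpts above, not from a format specification.

```python
"""Flag scanner findings that were only reported, not removed.

Added example for this thread (not Trojaner-Board, Malwarebytes or ESET code).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample log excerpts, constructed for this example and modelled on the logs
# posted in the thread. The "Quarantined and deleted successfully." line is an
# assumed contrast case so that a resolved finding is present as well.
MBAM_SAMPLE = r"""
Infizierte Dateien:
c:\Users\Saturn\AppData\Local\Temp\jar_cache3300358562354506591.tmp (Trojan.Agent) -> No action taken.
c:\_OTL\movedfiles\10072011_101920\C_Users\Saturn\AppData\Roaming\mahmud.exe (Trojan.Agent) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.41852783337038446.exe (Exploit.Drop.2) -> No action taken.
c:\Users\Saturn\AppData\Local\Temp\0.6336789330142466.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
"""

ESET_SAMPLE = r"""
# scanned=154492
# found=23
# cleaned=0
C:\Users\Saturn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\6973b0cb-7912b48b Java/TrojanDownloader.Agent.NBN trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles.rar a variant of Win32/Kryptik.TPJ trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Malwarebytes 1.x line: "<path> (<threat>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET Online Scanner line: "<path> <threat> (<action>) <32 hex chars> I".
# The path is taken up to the first space; paths containing spaces would need
# a smarter split, none occur in this thread's log.
ESET_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) (?P<threat>.+?) \((?P<action>[^()]+)\) [0-9a-f]{32} I$")
ESET_HEADER = re.compile(r"^# (?P<key>\w+)=(?P<value>.+)$")

# Action strings that mean the detected file is still present after the scan.
UNRESOLVED_ACTIONS = {"no action taken", "unable to clean"}


@dataclass(frozen=True)
class Detection:
    scanner: str
    path: str
    threat: str
    action: str

    @property
    def resolved(self) -> bool:
        return self.action.lower() not in UNRESOLVED_ACTIONS

    @property
    def location(self) -> str:
        """Coarse bucket of where the file sits, for deciding the follow-up."""
        p = self.path.lower()
        if r"\sun\java\deployment\cache" in p:
            return "java-cache"
        if r"\appdata\local\temp" in p:
            return "temp"
        if p.startswith(r"c:\_otl"):
            return "otl-quarantine"
        return "other"


def parse_mbam(text: str) -> list[Detection]:
    out = []
    for line in text.splitlines():
        if m := MBAM_LINE.match(line.strip()):
            out.append(Detection("mbam", m["path"], m["threat"], m["action"]))
    return out


def parse_eset(text: str) -> tuple[dict[str, str], list[Detection]]:
    """Return the '# key=value' header fields and the detection lines."""
    header: dict[str, str] = {}
    out = []
    for line in text.splitlines():
        line = line.strip()
        if h := ESET_HEADER.match(line):
            header[h["key"]] = h["value"]
        elif m := ESET_LINE.match(line):
            out.append(Detection("eset", m["path"], m["threat"], m["action"]))
    return header, out


def unresolved(detections: list[Detection]) -> list[Detection]:
    return [d for d in detections if not d.resolved]


def summarize(detections: list[Detection]) -> Counter:
    """Count unresolved findings per (scanner, location) bucket."""
    return Counter((d.scanner, d.location) for d in unresolved(detections))


def report(mbam_text: str, eset_text: str) -> str:
    header, eset = parse_eset(eset_text)
    found = parse_mbam(mbam_text) + eset
    lines = []
    if header.get("cleaned") == "0" and header.get("found", "0") != "0":
        lines.append(f"ESET: found={header['found']} cleaned=0 -> only reported, nothing removed")
    for d in unresolved(found):
        lines.append(f"[{d.scanner}] {d.location:14} {d.threat}: {d.path} ({d.action})")
    for (scanner, loc), n in sorted(summarize(found).items()):
        lines.append(f"{scanner}/{loc}: {n} unresolved")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MBAM_SAMPLE, ESET_SAMPLE))
```

Run it on the real log files by reading them into `report()`; the location buckets mirror what the thread shows: Java deployment cache entries point at a vulnerable Java install as the likely entry vector, while hits under `C:\_OTL` are the quarantine copies OTL already moved and will be deleted with that folder.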


Copyright ©2000-2024, Trojaner-Board