Harald858 | 23.11.2013 02:48 | I simply deleted the entire folder. That was not entirely easy, because the DLL
BingDesktopOverlays.dll had injected itself into explorer.exe and was also constantly connecting to the Internet. Naturally I blocked all of that. In Safe Mode with Command Prompt I was finally able to delete the DLL.
In the meantime I ran RogueKiller to clean up the registry. After ComboFix I now have access to Windows Firewall and Windows Defender again.
Still, quite a few things are apparently not right yet. A lot is being hooked in the kernel, especially in the IDT. I have also already run Malwarebytes, with the result that it found something and removed the infections.
I have now run ComboFix once more, and the log now looks completely different. Note the drivers...
ComboFix logfile:
[CODE]
ComboFix 13-11-22.01 - str8 23.11.2013 2:27.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.49.1031.18.2046.1085 [GMT 1:00]
ausgeführt von:: c:\users\str8\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\PFRO.log
c:\windows\system32\FlashPlayerApp.exe
.
.
((((((((((((((((((((((( Dateien erstellt von 2013-10-23 bis 2013-11-23 ))))))))))))))))))))))))))))))
.
.
2013-11-23 01:37 . 2013-11-23 01:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-23 01:23 . 2013-11-23 01:23 204896 ----a-w- c:\windows\system32\drivers\89812972.sys
2013-11-23 01:23 . 2013-11-23 01:23 -------- d-----w- C:\TDSSKiller_Quarantine
2013-11-23 01:22 . 2013-11-23 01:22 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC5EC030-4F0D-4A34-8FF4-E3C70592D7C9}\offreg.dll
2013-11-23 00:43 . 2013-11-23 00:45 -------- d-----w- c:\programdata\Comodo
2013-11-23 00:43 . 2013-11-23 00:43 -------- d-----w- c:\program files\COMODO
2013-11-23 00:05 . 2013-11-23 00:05 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-22 21:22 . 2013-11-22 21:22 -------- d-----w- c:\users\str8\AppData\Roaming\Malwarebytes
2013-11-22 21:22 . 2013-11-22 21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-22 21:22 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-22 21:22 . 2013-11-22 21:22 -------- d-----w- c:\users\str8\AppData\Local\Programs
2013-11-22 21:14 . 2013-11-23 01:21 -------- d-----w- c:\users\str8\AppData\Local\CrashDumps
2013-11-22 17:25 . 2013-11-22 17:25 -------- d-----w- C:\FRST
2013-11-22 16:58 . 2013-11-22 16:58 -------- d-----w- c:\programdata\Malwarebytes
2013-11-22 16:57 . 2013-11-23 00:04 75992 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-22 16:50 . 2013-11-23 00:18 -------- d-----w- C:\AdwCleaner
2013-11-22 13:07 . 2013-11-22 13:07 -------- d-----w- c:\users\str8\AppData\Roaming\AVAST Software
2013-11-22 13:07 . 2013-11-22 13:07 403440 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-11-22 13:07 . 2013-11-22 13:07 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-22 13:07 . 2013-11-22 13:07 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-22 13:07 . 2013-11-22 13:07 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-22 13:07 . 2013-11-22 13:07 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-22 13:07 . 2013-11-22 13:07 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-22 13:07 . 2013-11-22 13:07 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-22 13:07 . 2013-11-22 13:07 43152 ----a-w- c:\windows\avastSS.scr
2013-11-22 13:06 . 2013-11-22 13:06 -------- d-----w- c:\program files\AVAST Software
2013-11-22 13:05 . 2013-11-22 13:05 -------- d-----w- c:\programdata\AVAST Software
2013-11-22 10:49 . 2013-11-22 10:49 -------- d-----w- c:\program files\Google
2013-11-22 10:35 . 2013-11-08 01:15 7772552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC5EC030-4F0D-4A34-8FF4-E3C70592D7C9}\mpengine.dll
2013-11-14 13:10 . 2013-11-14 13:10 -------- d-----w- c:\programdata\Canneverbe Limited
2013-11-14 13:10 . 2013-11-14 13:10 -------- d-----w- c:\users\str8\AppData\Roaming\Canneverbe Limited
2013-11-14 13:10 . 2013-11-14 13:10 -------- d-----w- c:\program files\CDBurnerXP
2013-11-13 02:02 . 2013-11-13 02:02 999936 ----a-w- c:\program files\Internet Explorer\networkinspection.dll
2013-11-12 13:02 . 2013-11-12 13:02 -------- d-----w- c:\users\str8\AppData\Local\e-academy Inc
2013-11-09 17:17 . 2013-11-09 17:23 -------- d-----w- c:\users\str8\AppData\Roaming\TeamViewer
2013-11-09 15:15 . 2013-11-09 15:15 -------- d-----w- c:\users\str8\.m2
2013-11-07 19:34 . 2013-11-07 19:54 1491328 ----a-w- c:\programdata\Microsoft\VisualStudio\12.0\1031\ResourceCache.dll
2013-11-07 19:31 . 2013-11-12 14:06 -------- d-----w- c:\program files\Microsoft Silverlight
2013-11-07 19:29 . 2013-11-07 19:29 -------- d-----w- c:\program files\Application Verifier
2013-11-07 19:29 . 2013-11-07 19:29 -------- d-----w- c:\programdata\Windows App Certification Kit
2013-11-07 19:28 . 2013-11-07 19:28 -------- d-----w- c:\program files\Common Files\Microsoft
2013-11-07 19:27 . 2013-11-07 19:27 -------- d-----w- c:\programdata\PreEmptive Solutions
2013-11-07 19:26 . 2013-11-07 19:26 -------- d-----w- c:\programdata\NuGet
2013-11-07 19:26 . 2013-11-07 19:26 -------- d-----w- c:\program files\NuGet
2013-11-07 19:26 . 2013-11-07 19:26 -------- d-----w- c:\program files\Microsoft WCF Data Services
2013-11-07 19:23 . 2013-11-07 19:23 -------- d-----w- c:\program files\HTML Help Workshop
2013-11-07 19:18 . 2013-11-07 19:28 -------- d-----w- c:\program files\Common Files\Merge Modules
2013-11-07 19:17 . 2013-11-07 19:32 -------- d-----w- c:\program files\Microsoft Visual Studio 12.0
2013-11-07 19:11 . 2013-11-07 19:11 -------- d-----w- c:\windows\Migration
2013-11-07 19:05 . 2013-11-07 19:05 -------- d-----w- c:\programdata\regid.1991-06.com.microsoft
2013-11-07 17:12 . 2013-11-07 17:12 -------- d-----w- c:\users\str8\AppData\Roaming\e-academy Inc
2013-11-02 16:15 . 2013-11-12 14:09 -------- d-----w- c:\users\str8\AppData\Roaming\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-11 04:50 . 2012-10-16 19:52 230048 ------w- c:\windows\system32\MpSigStub.exe
2013-10-18 13:56 . 2013-10-18 13:56 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-10 21:48 . 2013-10-10 21:48 11152 ----a-w- c:\windows\system32\vpncategories.dll
2013-10-10 21:48 . 2013-10-10 21:48 34192 ----a-w- c:\windows\system32\vpnevents.dll
2013-10-10 21:31 . 2013-10-10 21:31 43376 ----a-w- c:\windows\system32\drivers\vpnva-6.sys
2013-10-10 21:29 . 2013-03-26 15:18 92528 ----a-r- c:\windows\system32\drivers\acsock.sys
2013-10-05 01:38 . 2013-10-05 01:38 97440 ----a-w- c:\windows\system32\mfcm120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 970912 ----a-w- c:\windows\system32\msvcr120.dll
2013-10-05 01:38 . 2013-10-05 01:38 96936 ----a-w- c:\windows\system32\mfcm120ud.dll
2013-10-05 01:38 . 2013-10-05 01:38 912552 ----a-w- c:\windows\system32\vcamp120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 83104 ----a-w- c:\windows\system32\mfcm120u.dll
2013-10-05 01:38 . 2013-10-05 01:38 83104 ----a-w- c:\windows\system32\mfcm120.dll
2013-10-05 01:38 . 2013-10-05 01:38 8282784 ----a-w- c:\windows\system32\mfc120ud.dll
2013-10-05 01:38 . 2013-10-05 01:38 8212640 ----a-w- c:\windows\system32\mfc120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 815272 ----a-w- c:\windows\system32\msvcp120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 772784 ----a-w- c:\windows\system32\vccorlib120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 74920 ----a-w- c:\windows\system32\mfc120fra.dll
2013-10-05 01:38 . 2013-10-05 01:38 74920 ----a-w- c:\windows\system32\mfc120deu.dll
2013-10-05 01:38 . 2013-10-05 01:38 73896 ----a-w- c:\windows\system32\mfc120esn.dll
2013-10-05 01:38 . 2013-10-05 01:38 72872 ----a-w- c:\windows\system32\mfc120ita.dll
2013-10-05 01:38 . 2013-10-05 01:38 70824 ----a-w- c:\windows\system32\mfc120rus.dll
2013-10-05 01:38 . 2013-10-05 01:38 697016 ----a-w- c:\windows\system32\PUGAExperiment.dll
2013-10-05 01:38 . 2013-10-05 01:38 65192 ----a-w- c:\windows\system32\mfc120enu.dll
2013-10-05 01:38 . 2013-10-05 01:38 53928 ----a-w- c:\windows\system32\mfc120jpn.dll
2013-10-05 01:38 . 2013-10-05 01:38 53416 ----a-w- c:\windows\system32\mfc120kor.dll
2013-10-05 01:38 . 2013-10-05 01:38 46248 ----a-w- c:\windows\system32\mfc120cht.dll
2013-10-05 01:38 . 2013-10-05 01:38 46248 ----a-w- c:\windows\system32\mfc120chs.dll
2013-10-05 01:38 . 2013-10-05 01:38 455328 ----a-w- c:\windows\system32\msvcp120.dll
2013-10-05 01:38 . 2013-10-05 01:38 4449952 ----a-w- c:\windows\system32\mfc120u.dll
2013-10-05 01:38 . 2013-10-05 01:38 4424344 ----a-w- c:\windows\system32\mfc120.dll
2013-10-05 01:38 . 2013-10-05 01:38 339616 ----a-w- c:\windows\system32\vcamp120.dll
2013-10-05 01:38 . 2013-10-05 01:38 306360 ----a-w- c:\windows\system32\vsjitdebugger.exe
2013-10-05 01:38 . 2013-10-05 01:38 247984 ----a-w- c:\windows\system32\vccorlib120.dll
2013-10-05 01:38 . 2013-10-05 01:38 218792 ----a-w- c:\windows\system32\VSPerf120.dll
2013-10-05 01:38 . 2013-10-05 01:38 1824424 ----a-w- c:\windows\system32\msvcr120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 1768640 ----a-w- c:\windows\system32\VsGraphicsHelper.dll
2013-10-05 01:38 . 2013-10-05 01:38 176296 ----a-w- c:\windows\system32\VSCover120.dll
2013-10-05 01:38 . 2013-10-05 01:38 149672 ----a-w- c:\windows\system32\vcomp120d.dll
2013-10-05 01:38 . 2013-10-05 01:38 119456 ----a-w- c:\windows\system32\vcomp120.dll
2013-09-14 00:48 . 2013-10-09 10:50 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-09-11 20:21 . 2013-09-11 20:21 863344 ----a-w- c:\windows\system32\msvcr110_clr0400.dll
2013-09-11 20:21 . 2013-09-11 20:21 501872 ----a-w- c:\windows\system32\msvcp110_clr0400.dll
2013-09-11 20:21 . 2013-09-11 20:21 28776 ----a-w- c:\windows\system32\aspnet_counters.dll
2013-09-11 20:21 . 2013-09-11 20:21 18000 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2013-09-08 02:07 . 2013-10-09 10:50 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-09 10:50 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-09-04 01:15 . 2013-10-09 10:50 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-09-04 01:14 . 2013-10-09 10:50 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-09-04 01:14 . 2013-10-09 10:50 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-09-04 01:14 . 2013-10-09 10:50 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-09-04 01:14 . 2013-10-09 10:50 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-09-04 01:14 . 2013-10-09 10:50 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-09-04 01:14 . 2013-10-09 10:50 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-29 14:00 . 2013-08-29 14:00 522344 ----a-w- c:\windows\system32\SqlServerSpatial110.dll
2013-08-29 01:51 . 2013-10-09 10:50 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-09 10:50 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-09 10:50 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-09 10:50 619520 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-09 10:50 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-09 10:50 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-09 10:50 434688 ----a-w- c:\windows\system32\scavengeui.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-22 13:07 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-05-18 10979984]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]
"TBTray"="acoustic.exe" [2002-04-26 28672]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2013-10-10 707984]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-22 3568312]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"{9FE57FAD-CA91-46EC-8994-1DF134BC02AC}"="start" [X]
.
c:\users\str8\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Server4PC.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Server4PC.lnk
backup=c:\windows\pss\Server4PC.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus SX400 Series]
2007-12-17 05:00 188928 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIEGE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-10-16 20:27 116648 ----atw- c:\users\str8\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerDVD12Agent]
2012-09-18 03:46 374560 ----a-w- c:\program files\CyberLink\PowerDVD12\PowerDVD12Agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerDVD12DMREngine]
2012-09-18 03:46 505872 ----a-w- c:\program files\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-10-09 02:19 1813928 ----a-w- c:\program files\Steam\Steam.exe
.
R2 {73526619-C24F-470B-9BED-53D455FBB5C6};Power Control [2012/10/17 12:35];c:\program files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-09-05 171680]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [2013-10-10 92528]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2013-11-13 108032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\BDC3.tmp [x]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\DRIVERS\SkyNET.SYS [2012-10-17 627288]
R3 SkyNetBDA;TechniSat DVB-PC TV Star PCI (BDA);c:\windows\system32\DRIVERS\SkyNetBDA.sys [2010-05-10 622040]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [2013-02-12 37064]
R3 tbHD;Philips PSC705 WDM Driver;c:\windows\system32\drivers\TBirdHD.sys [2002-06-03 336066]
R3 TBhdgame;Philips PSC705 GamePort;c:\windows\system32\DRIVERS\TBhdgame.sys [2002-04-26 11491]
R3 Te.Service;Te.Service;c:\program files\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [2013-08-21 91136]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 VsEtwService120;Visual Studio ETW Event Collection Service;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [2013-10-05 71344]
R3 XDva405;XDva405;c:\windows\system32\XDva405.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-11-22 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-11-22 403440]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-11-07 494416]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-11-07 36072]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-02-24 242240]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 217088]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-11-22 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-11-22 70384]
S2 CLHNServiceForPowerDVD12;CLHNServiceForPowerDVD12;c:\program files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [2012-09-18 90640]
S2 CyberLink PowerDVD 12 Media Server Monitor Service;CyberLink PowerDVD 12 Media Server Monitor Service;c:\program files\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [2012-09-18 78352]
S2 CyberLink PowerDVD 12 Media Server Service;CyberLink PowerDVD 12 Media Server Service;c:\program files\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [2012-09-18 295440]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-03-01 36600]
S2 ntk_PowerDVD12;ntk_PowerDVD12;c:\program files\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12.sys [2012-06-20 121208]
S2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2013-10-01 5087584]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-09-29 490088]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - 63667015
*Deregistered* - 63667015
*Deregistered* - TrueSight
.
Inhalt des "geplante Tasks" Ordners
.
2013-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1583257125-4176554371-4191051257-1001Core.job
- c:\users\str8\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-16 20:27]
.
2013-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1583257125-4176554371-4191051257-1001UA.job
- c:\users\str8\AppData\Local\Google\Update\GoogleUpdate.exe [2012-10-16 20:27]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://de.yahoo.com?fr=fp-comodo
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{7EFBA01A-E6F5-445B-A9C4-530C591943E8}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\str8\AppData\Roaming\Mozilla\Firefox\Profiles\jpjdujy6.default\
FF - prefs.js: browser.search.selectedEngine - LEO Eng-Deu
FF - ExtSQL: 2013-09-29 14:20; tsvnmenu@pumacode.org; c:\users\str8\AppData\Roaming\Mozilla\Firefox\Profiles\jpjdujy6.default\extensions\tsvnmenu@pumacode.org.xpi
FF - ExtSQL: 2013-10-20 11:12; fiddlerhook@fiddler2.com; c:\program files\Fiddler2\FiddlerHook
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
ShellIconOverlayIdentifiers-{B82655E9-B81D-4A97-8154-0D84A4C048E4} - c:\programdata\Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll
SafeBoot-84132669.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\BDC3.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{73526619-C24F-470B-9BED-53D455FBB5C6}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\guard32.dll
.
Zeit der Fertigstellung: 2013-11-23 02:39:24
ComboFix-quarantined-files.txt 2013-11-23 01:39
ComboFix2.txt 2013-11-22 21:04
.
Vor Suchlauf: 16 Verzeichnis(se), 42.704.236.544 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 42.640.687.104 Bytes frei
.
- - End Of File - - B781490CC6F392DA7A6E0C386580020A --- --- ---
A36C5E4F47E84449FF07ED3517B43A31
[/CODE]
The system still starts slowly. Especially when you want to log in, it takes forever.
A nice log file could still be generated with OTL, since FRST crashes for me. Strangely, it is always on the same file with the extension TMP. Maybe I should also post a gmer log for the kernel?
EDIT: The rootkit does not seem to be gone yet. The following keys have now reappeared in the registry (screenshot from RogueKiller): http://s14.directupload.net/images/131123/l4zj9gjg.png http://s7.directupload.net/images/131123/v46b9k89.png