Backdoor / rootkit doersam daily

Rokop Security

Mitglieder Moderatoren

Regeln

Hilfe

Suche

Mitglieder

Kalender

Willkommen, Gast ( Anmelden | Registrierung )

Rokop Security > Security > HijackThis-Logs

Backdoor / rootkit doersam daily

Einstellungen

r00t Profil ansehen	06.01.2010, 05:39 Beitrag #1
Kennt sich hier aus Gruppe: Mitglieder Beiträge: 161 Mitglied seit: 09.08.2004 Mitglieds-Nr.: 1.319	Hallo (mal wieder) Hab mich lange nicht mehr sehen lassen, an dieser Stelle sorry dafür. Aber nundenn ... ich hab ein Problem ... es handet sich hierbei um ein Trojaner und / oder Virus der mir gefaikte Windows Sicherheitscenter Meldungen schickt und mir mein Anti viren Programm killt genauso wie den Malwarebytes' Anti-Malwareund sowas... Hier mal meine Loggfile (die BOLD Punkte sind denke ich verdächtiug) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 04:32:15, on 06.01.2010 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16386) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Toolbar\wltuser.exe C:\Windows\system32\wuauclt.exe C:\Windows\system32\DllHost.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\RunDLL32.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Google Update Service (gupdate1ca30ead1ed1c8b) (gupdate1ca30ead1ed1c8b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- End of file - 6345 bytes //edit ... ähm wäre nett wenn ich mein system wieder clean bekommen würde ohne die schnell formatier lösung ;/ mfg Der Beitrag wurde von r00t bearbeitet: 06.01.2010, 05:40 --------------------

Antworten

r00t Profil ansehen	08.01.2010, 05:50 Beitrag #2
Kennt sich hier aus Gruppe: Mitglieder Beiträge: 161 Mitglied seit: 09.08.2004 Mitglieds-Nr.: 1.319	Moin Moin ... So sorry hat etwas gedauert nettes rootkit was ich da wohl habe -.- AVZ hat nach 10 stunden scann bei 99% aufgegeben und ich hatte einen Bluescreen ... naja denn habe ich gegoogelt und bin auf Dr Web gestosen und hab den ma scannen lassen da ja meine anderen Viren Scanner gekilled werden ... Dr Web sagt mir backdoor.tdss.565 hat sich bei mir breit gemacht. Ich habe nun nach diesem Dingerich gesucht im internet und bin im Trojaner Board fündig geworden ... ZITAT bis auf wenige Scanner findet keiner den TDSS (ist ein sehr intelligentes und gut programmiertes Rootkit, fast nicht zu finden&zu beseitigen... zur Zeit tobt der Kampf darum...)... Naja Ich habe nun mit RSIT einen Scann gemacht den ich hier gleich posten werde und danach nochmal mit Gmer geschaut ... folgendes ist dabei rausgekommen : RSIT LOG ! Logfile of random's system information tool 1.06 (written by random/random) Run by n3tgh0st at 2010-01-08 05:13:26 Microsoft® Windows Vista™ Business System drive C: has 30 GB (38%) free of 79 GB Total RAM: 3326 MB (68% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 05:13:27, on 08.01.2010 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16386) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Windows Live\Toolbar\wltuser.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Java\jre6\bin\jucheck.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Users\n3tgh0st\Desktop\RSIT.exe C:\Program Files\Trend Micro\HijackThis\n3tgh0st.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Google Update Service (gupdate1ca30ead1ed1c8b) (gupdate1ca30ead1ed1c8b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- End of file - 6304 bytes ======Scheduled tasks folder====== C:\Windows\tasks\GoogleUpdateTaskMachineCore.job C:\Windows\tasks\GoogleUpdateTaskMachineUA.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-09-16 320920] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] Windows Live Anmelde-Hilfsprogramm - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-09-16 41368] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}] Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}] FlashFXP Helper for Internet Explorer - C:\PROGRA~1\FlashFXP\IEFlash.dll [2007-05-16 191096] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2009-06-01 962808] {21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "VolPanel"=C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [2007-04-17 184320] "SPIRunE"=Rundll32 SPIRunE.dll,RunDLLEntry [] "CmPCIaudio"=RunDll32 cmicnfg3.cpl,CMICtrlWnd [] "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-09-16 148888] "NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-02-26 153136] "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696] "Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288] "avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883840] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient] C:\Program Files\Curse\CurseClient.exe [2009-06-08 1934336] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883840] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-06-18 271360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] C:\Program Files\Skype\Phone\Skype.exe [2009-07-16 25604904] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe [2007-03-03 341488] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorAdmin"=0 "ConsentPromptBehaviorUser"=0 "EnableLUA"=0 "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe::Enabled:FlashFXP v3" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe::Enabled:FlashFXP v3" ======List of files/folders created in the last 1 months====== 2010-01-08 05:13:26 ----D---- C:\rsit 2010-01-07 01:00:03 ----D---- C:\Program Files\AVZ 2010-01-06 04:25:31 ----A---- C:\Windows\ntbtlog.txt 2010-01-06 04:14:31 ----D---- C:\ProgramData\Malwarebytes 2010-01-06 04:14:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware 2010-01-06 04:11:13 ----D---- C:\Program Files\CCleaner 2010-01-06 03:38:07 ----D---- C:\Program Files\Trend Micro 2010-01-06 03:14:00 ----D---- C:\ProgramData\Avira 2010-01-06 03:14:00 ----D---- C:\Program Files\Avira 2010-01-05 20:27:14 ----A---- C:\Windows\system32\krl32mainweq.dll 2010-01-05 20:25:37 ----A---- C:\ProgramData\sysReserve.ini 2010-01-04 04:15:02 ----A---- C:\lol.vbs 2010-01-01 15:42:06 ----D---- C:\Users\n3tgh0st\AppData\Roaming\UDC Profiles 2010-01-01 15:41:49 ----A---- C:\Windows\system32\udcpm.dll 2010-01-01 15:41:43 ----D---- C:\Program Files\Universal Document Converter 2010-01-01 15:35:48 ----D---- C:\ProgramData\Adobe 2010-01-01 15:35:38 ----D---- C:\Program Files\Common Files\Adobe 2010-01-01 15:35:38 ----D---- C:\Program Files\Adobe 2009-12-31 13:15:24 ----D---- C:\Program Files\Nero 2009-12-31 13:15:24 ----D---- C:\Program Files\Common Files\Ahead 2009-12-31 12:54:49 ----D---- C:\Users\n3tgh0st\AppData\Roaming\Nero 2009-12-31 12:41:15 ----D---- C:\ProgramData\Nero 2009-12-31 12:41:14 ----D---- C:\Program Files\Common Files\Nero 2009-12-13 13:56:04 ----D---- C:\Users\n3tgh0st\AppData\Roaming\Acreon ======List of files/folders modified in the last 1 months====== 2010-01-08 05:13:27 ----D---- C:\Windows\Prefetch 2010-01-08 05:07:52 ----D---- C:\Program Files\Mozilla Firefox 2010-01-08 05:06:08 ----D---- C:\Windows\Temp 2010-01-08 05:06:08 ----D---- C:\Windows\System32 2010-01-08 05:05:31 ----D---- C:\ProgramData\NVIDIA 2010-01-08 05:05:07 ----D---- C:\Windows\Minidump 2010-01-08 05:05:02 ----D---- C:\Windows 2010-01-07 23:24:33 ----D---- C:\Users\n3tgh0st\AppData\Roaming\Mumble 2010-01-07 09:09:16 ----A---- C:\Windows\NeroDigital.ini 2010-01-07 01:01:41 ----D---- C:\Windows\system32\drivers 2010-01-07 01:00:15 ----RD---- C:\Program Files 2010-01-07 00:50:52 ----D---- C:\Program Files\Curse 2010-01-06 13:17:26 ----SHD---- C:\System Volume Information 2010-01-06 04:14:31 ----HD---- C:\ProgramData 2010-01-06 04:13:51 ----D---- C:\Windows\Debug 2010-01-06 03:28:38 ----D---- C:\Windows\system32\catroot2 2010-01-06 03:11:30 ----SHD---- C:\Windows\Installer 2010-01-06 03:11:29 ----D---- C:\Windows\winsxs 2010-01-05 21:29:09 ----D---- C:\Users\n3tgh0st\AppData\Roaming\ICQ 2010-01-01 23:25:42 ----D---- C:\Windows\inf 2010-01-01 23:25:42 ----A---- C:\Windows\system32\PerfStringBackup.INI 2010-01-01 15:37:18 ----D---- C:\Users\n3tgh0st\AppData\Roaming\Adobe 2010-01-01 15:35:38 ----D---- C:\Program Files\Common Files 2009-12-31 12:40:32 ----D---- C:\Windows\system32\Tasks 2009-12-31 12:40:05 ----D---- C:\Program Files\Common Files\microsoft shared 2009-12-30 11:43:44 ----D---- C:\Program Files\ICQ6.5 2009-12-28 01:31:51 ----D---- C:\Users\n3tgh0st\AppData\Roaming\mIRC 2009-12-27 10:59:24 ----D---- C:\Program Files\mIRC 2009-12-23 19:19:25 ----D---- C:\Users\n3tgh0st\AppData\Roaming\teamspeak2 ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608] R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104] R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2006-11-02 319488] R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520] R3 cmuda3;TerraTec Aureon 5.1 Audio Interface; C:\Windows\system32\drivers\cmudax3.sys [2007-04-12 1399680] R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2006-10-18 7680] R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-05-03 1065384] R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-07-14 9557216] S2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-11-25 56816] S3 c65013264;C-Media CM6501 Like Sound UDAX Interface; C:\Windows\system32\drivers\c6501.sys [] S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632] S3 fssfltr;FssFltr; C:\Windows\system32\DRIVERS\fssfltr.sys [2009-08-05 54632] S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520] S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520] S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192] S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888] S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504] S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016] S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\nmwcd.sys [2007-02-22 137216] S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\nmwcdc.sys [2007-02-22 8320] S3 nmwcdcj;Nokia USB Port; C:\Windows\system32\drivers\nmwcdcj.sys [2007-02-22 12288] S3 nmwcdcm;Nokia USB Modem; C:\Windows\system32\drivers\nmwcdcm.sys [2007-02-22 12288] S3 t3;Sound Blaster X-Fi Xtreme Audio; C:\Windows\system32\drivers\t3.sys [2009-06-04 413208] S3 usbaudio;USB-Audiotreiber (WDM); C:\Windows\system32\drivers\usbaudio.sys [2006-11-02 71552] S3 utczmjuz;AVZ Kernel Driver; \??\C:\Windows\system32\Drivers\utczmjuz.sys [2010-01-07 7168] S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936] S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560] S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Capture Device Service;Capture Device Service; C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe [2007-03-06 198168] R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2006-11-02 22016] R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-07-14 215584] R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648] S2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289] S2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089] S2 gupdate1ca30ead1ed1c8b;Google Update Service (gupdate1ca30ead1ed1c8b); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-09-09 133104] S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2006-11-02 22016] S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-08-13 79360] S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2006-11-02 521216] S3 fsssvc;Windows Live Family Safety-Dienst; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864] S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-02-26 267824] S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-06-15 300544] S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2006-11-02 22016] S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2006-11-02 562176] -----------------EOF----------------- --------------------

Beiträge in diesem Thema

r00t Backdoor / rootkit doersam daily 06.01.2010, 05:39

Habakuck Poste mal bitte zwei AVZ logs wie hier beschrieben... 06.01.2010, 07:28

r00t Moin Moin ... So sorry hat etwas gedauert nettes ... 08.01.2010, 05:50

r00t Sorry für Doppelpost RSIT INFO info.txt logfile ... 08.01.2010, 05:53

raman Wir versuchen mal was . Lade dir Mbam herunter un... 08.01.2010, 05:57

r00t So.. wie gut das ich nicht schlafen konnte ... F... 08.01.2010, 07:16

raman Du solltest Mbam aktualisieren, deines ist relativ... 08.01.2010, 08:30

r00t Moin also diese datein habe ich beide nicht ...... 08.01.2010, 09:13

aido Neuaufsetzen ist das beste was du machen kannst. E... 08.01.2010, 09:37

r00t ZITAT(aido @ 08.01.2010, 09:36) Es ist vö... 08.01.2010, 09:51

raman Frage ist, ob wir alles erwischt haben. Wenn du mu... 08.01.2010, 10:10

aido @r00t Du bist Lustig Auch wenn du die Kennwörter ... 08.01.2010, 15:55

r00t In der sysreserve.ini steht nur "285 new... 08.01.2010, 16:24

aido Ok, denk bitte nicht ich wollte dir an den Karren ... 08.01.2010, 16:50

r00t Combofix.log ComboFix 10-01-04.01 - n3tgh0st 08.0... 08.01.2010, 16:50

raman Das ist ein DNSchanger, der leitet anfragen an www... 08.01.2010, 17:05

r00t ZITAT(raman @ 08.01.2010, 17:04) Das ist ... 08.01.2010, 17:14

raman Was man aus den Reporten so sehen kann, ist alles ... 08.01.2010, 17:19

citro Für was steht der "Find3M Bericht" von C... 08.01.2010, 19:08

raman Finde alles der letzten 3 Monate, aber das stimmt ... 08.01.2010, 19:22

citro ZITAT(raman @ 08.01.2010, 19:21) Finde al... 08.01.2010, 19:33

raman Ist schwer zu sagen, da steckt eine Art "inte... 08.01.2010, 19:44

« Vorhergehendes Thema · HijackThis-Logs · Folgendes Thema »

1 Besucher lesen dieses Thema (Gäste: 1 | Anonyme Besucher: 0)

0 Mitglieder:

Anzeige Modus: Wechsle zu: Standard · Wechsle zu: Thema+ · Überblick

Thema abonnieren · Dieses Thema versenden · Dieses Thema ausdrucken · Forum abonnieren

Vereinfachte Darstellung

Aktuelles Datum: 25.06.2024, 04:41

Licensed to: Rokop Security

Impressum

Original Style by Bo Derek, further improvements and board management by Style Biz | Webdevelopment