Backdoor / rootkit doersam daily
Post #1, 06.01.2010, 05:39
Knows the ropes here | Group: Members | Posts: 161 | Member since: 09.08.2004 | Member no.: 1.319
Hello (once again)

I haven't shown my face here in a long time; sorry for that. But anyway ... I have a problem ... it's a trojan and/or virus that sends me fake Windows Security Center messages and kills my anti-virus program, as well as Malwarebytes' Anti-Malware and the like... Here is my log file (the BOLD items are, I think, suspicious)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:32:15, on 06.01.2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\RunDLL32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Google Update Service (gupdate1ca30ead1ed1c8b) (gupdate1ca30ead1ed1c8b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 6345 bytes

//edit ... um, it would be nice if I could get my system clean again without the quick-format solution ;/
regards

This post was edited by r00t: 06.01.2010, 05:40
Post #2, 08.01.2010, 16:50
Combofix.log
ComboFix 10-01-04.01 - n3tgh0st 08.01.2010 16:30:46.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.49.1031.18.3326.2457 [GMT 1:00]
ausgeführt von:: c:\users\n3tgh0st\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows-Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\program files\ICQ6.5\ICQLRun.exe
c:\users\n3tgh0st\AppData\Roaming\Desktopicon
c:\users\n3tgh0st\AppData\Roaming\Desktopicon\eBayShortcuts.exe
.
((((((((((((((((((((((( Dateien erstellt von 2009-12-08 bis 2010-01-08 ))))))))))))))))))))))))))))))
.
2010-01-08 15:34 . 2010-01-08 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 05:56 . 2010-01-08 05:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Malwarebytes
2010-01-08 04:13 . 2010-01-08 04:13 -------- d-----w- C:\rsit
2010-01-07 00:01 . 2010-01-07 00:01 7168 ----a-w- c:\windows\system32\drivers\utczmjuz.sys
2010-01-07 00:00 . 2010-01-07 00:01 -------- d-----w- c:\program files\AVZ
2010-01-06 06:27 . 2010-01-06 07:19 -------- d-----w- c:\users\n3tgh0st\DoctorWeb
2010-01-06 03:14 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 03:14 . 2010-01-06 03:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 03:14 . 2010-01-06 03:14 -------- d-----w- c:\programdata\Malwarebytes
2010-01-06 03:14 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\CCleaner
2010-01-06 02:38 . 2010-01-06 02:38 -------- d-----w- c:\program files\Trend Micro
2010-01-06 02:14 . 2010-01-08 05:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-06 02:14 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-06 02:14 . 2010-01-06 02:14 -------- d-----w- c:\programdata\Avira
2010-01-06 02:14 . 2010-01-06 02:14 -------- d-----w- c:\program files\Avira
2010-01-04 03:18 . 2010-01-04 03:11 2289 ----a-w- c:\users\n3tgh0st\lol.vbs
2010-01-04 03:15 . 2010-01-04 03:11 2289 ----a-w- C:\lol.vbs
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\UDC Profiles
2010-01-01 14:41 . 2009-09-04 14:09 34680 ----a-w- c:\windows\system32\udcpm.dll
2010-01-01 14:41 . 2010-01-01 14:41 -------- d-----w- c:\program files\Universal Document Converter
2010-01-01 14:37 . 2010-01-01 14:40 -------- d-----w- c:\users\n3tgh0st\AppData\Local\Adobe
2010-01-01 14:35 . 2010-01-01 14:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-31 12:15 . 2009-12-31 12:19 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-31 12:15 . 2009-12-31 12:15 -------- d-----w- c:\program files\Nero
2009-12-31 11:54 . 2009-12-31 11:54 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Nero
2009-12-31 11:41 . 2009-12-31 12:15 -------- d-----w- c:\programdata\Nero
2009-12-31 11:41 . 2009-12-31 12:10 -------- d-----w- c:\program files\Common Files\Nero
2009-12-13 12:56 . 2009-12-13 12:56 272384 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Modules\curl.exe
2009-12-13 12:56 . 2009-12-13 12:56 196608 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Libraries\wmweb.dll
2009-12-13 12:56 . 2009-12-13 12:56 258048 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Libraries\wmzip.dll
2009-12-13 12:56 . 2009-12-13 12:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Acreon
2009-12-13 12:56 . 2009-12-25 07:14 -------- d-----w- c:\users\n3tgh0st\AppData\Local\._Revolution_
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 15:34 . 2009-08-03 14:49 -------- d-----w- c:\program files\ICQ6.5
2010-01-08 14:57 . 2009-08-03 14:15 -------- d-----w- c:\programdata\NVIDIA
2010-01-08 14:57 . 2009-08-03 14:17 33164 ----a-w- c:\programdata\nvModes.dat
2010-01-07 22:24 . 2009-11-22 20:50 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Mumble
2010-01-06 23:50 . 2009-08-05 20:20 -------- d-----w- c:\program files\Curse
2010-01-06 02:18 . 2009-08-03 13:38 1356 ----a-w- c:\users\n3tgh0st\AppData\Local\d3d9caps.dat
2010-01-05 20:29 . 2009-08-03 14:49 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\ICQ
2010-01-01 22:25 . 2006-11-02 15:42 641106 ----a-w- c:\windows\system32\perfh007.dat
2010-01-01 22:25 . 2006-11-02 15:42 116500 ----a-w- c:\windows\system32\perfc007.dat
2009-12-28 00:31 . 2009-08-29 13:13 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\mIRC
2009-12-27 09:59 . 2009-08-29 13:13 -------- d-----w- c:\program files\mIRC
2009-12-23 18:19 . 2009-08-03 16:38 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\teamspeak2
2009-12-07 13:27 . 2009-08-03 16:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-07 04:10 . 2009-12-07 04:10 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\AVS4YOU
2009-12-07 04:10 . 2009-12-07 04:10 -------- d-----w- c:\programdata\AVS4YOU
2009-12-07 04:10 . 2009-08-03 13:38 60360 ----a-w- c:\users\n3tgh0st\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-07 04:10 . 2009-12-07 04:09 -------- d-----w- c:\program files\AVS4YOU
2009-12-07 04:10 . 2009-12-07 04:09 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-07 03:37 . 2009-12-07 03:33 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ulead Systems
2009-12-07 03:33 . 2009-12-07 03:25 -------- d-----w- c:\programdata\Ulead Systems
2009-12-07 03:27 . 2009-12-07 03:27 -------- d-----w- c:\program files\Common Files\InterVideo
2009-12-07 03:27 . 2009-12-07 03:27 -------- d-----w- c:\programdata\InterVideo
2009-12-07 03:27 . 2009-08-03 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-07 03:27 . 2009-08-03 14:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-07 03:26 . 2009-12-07 03:26 -------- d-----w- c:\program files\Windows Media Components
2009-12-07 03:26 . 2009-12-07 03:25 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-12-07 03:25 . 2009-12-07 03:25 -------- d-----w- c:\program files\Ulead Systems
2009-11-28 19:04 . 2009-10-25 22:42 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ventrilo
2009-11-28 09:47 . 2009-08-03 22:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-27 16:10 . 2009-11-27 16:09 -------- d-----w- c:\program files\Ventrilo
2009-11-27 16:09 . 2009-08-03 14:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-27 11:24 . 2009-08-04 17:55 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Skype
2009-11-27 11:24 . 2009-08-04 17:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\skypePM
2009-11-27 08:08 . 2009-08-03 22:19 -------- d-----w- c:\program files\Windows Live
2009-11-23 12:33 . 2009-11-23 12:30 -------- d-----w- c:\program files\Mumble
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-14 07:44 . 2009-11-14 07:41 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ahead
2009-11-14 07:39 . 2009-11-14 07:39 -------- d-----w- c:\programdata\Ahead
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-06-08 14:51 1934336 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 13:10 271360 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 11:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-03-03 13:12 341488 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [06.01.2010 03:14 108289]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [14.07.2009 11:28 239648]
S2 gupdate1ca30ead1ed1c8b;Google Update Service (gupdate1ca30ead1ed1c8b);c:\program files\Google\Update\GoogleUpdate.exe [09.09.2009 02:14 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [13.08.2009 12:45 79360]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [27.11.2009 09:08 54632]
S3 fsssvc;Windows Live Family Safety-Dienst;c:\program files\Windows Live\Family Safety\fsssvc.exe [05.08.2009 22:48 704864]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\System32\drivers\t3.sys [03.08.2009 15:39 413208]
S3 utczmjuz;AVZ Kernel Driver;c:\windows\System32\drivers\utczmjuz.sys [07.01.2010 01:01 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Inhalt des "geplante Tasks" Ordners

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 01:13]

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 01:13]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
FF - ProfilePath - c:\users\n3tgh0st\AppData\Roaming\Mozilla\Firefox\Profiles\umn1bxf2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://de.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - true.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-CmPCIaudio - cmicnfg3.cpl

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 16:34
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRunE = Rundll32 SPIRunE.dll,RunDLLEntry?

Scanne versteckte Dateien...

c:\users\n3tgh0st\AppData\Local\Temp\catchme.dll 53248 bytes executable

Scan erfolgreich abgeschlossen
versteckte Dateien: 1

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-01-08 16:35:34
ComboFix-quarantined-files.txt 2010-01-08 15:35

Vor Suchlauf: 7 Verzeichnis(se), 31.183.790.080 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 31.230.009.344 Bytes frei

- - End Of File - - 08CF3CB1C80E9B605B440CABCF24CCC0

I know I still need to update; I just haven't got round to it yet.

What I find somewhat interesting is

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

What exactly is that? Otherwise I don't see anything suspicious.

@aido ... Well, I don't think you meant anything by it, no problem at all. What you say about the image sounds great too, only unfortunately I don't have an image, so I'd have to reinstall everything plus settings etc., which of course I'd also do if I couldn't get rid of the rootkit, but at the moment I think I'm on a good track, I hope. The only thing I'd still like to know is what exactly this trojan's job was. DNSChanger?! Reconfiguring TCP/IP?
regards

This post was edited by r00t: 08.01.2010, 16:57
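The HijackThis O4 lines in the first post and the SPIRunE entry that catchme flags in the ComboFix output above are the autostart data a helper normally reads by hand. As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage script that parses O4 lines and flags entries that deserve manual verification: rundll32 launches that load a DLL by bare name (as SPIRunE.dll and cmicnfg3.cpl do above), bare executable names resolved through PATH, and executables outside Program Files or Windows. The sample lines are constructed from the posted log; the `updater` entry under AppData is made up to exercise the path rule. A hit means "locate the file and check its publisher", not "malicious": legitimate Windows entries such as the WindowsWelcomeCenter rundll32 line would trip the same rule.

```python
import re
from typing import Dict, List, Optional, Tuple

# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Trailing "(User 'NAME')" that HijackThis appends for HKUS entries
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
EXEC_EXT = (".exe", ".dll", ".cpl", ".scr", ".com", ".bat", ".cmd", ".vbs")
# Locations where a Run-key executable is expected on a Vista-era x86 box
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows", "%programfiles%", "%systemroot%")

# Constructed sample: entries taken from the posted log plus one made-up
# AppData entry ("updater") so the path rule has something to catch.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r',
    r"O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry",
    r"O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')",
    r"O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')",
    r"O4 - HKCU\..\Run: [updater] C:\Users\victim\AppData\Roaming\updater.exe",  # constructed
]


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command into (executable, arguments).

    A quoted path is taken verbatim. An unquoted path containing spaces is
    reassembled up to the first token that ends in an executable extension;
    if no token does, the first token is the executable (e.g. 'Rundll32').
    """
    cmd = USER_SUFFIX_RE.sub("", cmd).strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return tokens[0], " ".join(tokens[1:])


def triage_o4_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (entry name, executable, reasons to verify) or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    exe, args = split_command(m.group("cmd"))
    reasons: List[str] = []
    base = exe.lower().rsplit("\\", 1)[-1]
    if not exe:
        reasons.append("empty autostart entry")
    elif base in ("rundll32", "rundll32.exe"):
        # rundll32 takes "<dll>,<entrypoint>"; a bare DLL name is resolved
        # through the DLL search path, so the actual file must be located.
        dll = args.split(",", 1)[0].strip().strip('"')
        if "\\" not in dll:
            reasons.append(f"rundll32 loads '{dll}' by bare name (resolved through the DLL search path)")
    elif "\\" not in exe:
        reasons.append(f"bare executable name '{exe}' (resolved through PATH)")
    elif not exe.lower().startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside Program Files / Windows: {exe}")
    return name, exe, reasons


def triage_log(lines) -> Dict[str, List[str]]:
    """Map entry name -> reasons for every O4 line that needs a closer look."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        parsed = triage_o4_line(line)
        if parsed and parsed[2]:
            flagged[parsed[0]] = parsed[2]
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_O4_LINES).items():
        print(f"[verify] {entry}: {'; '.join(reasons)}")
```

Run against the full log from the first post, the script reports SPIRunE, CmPCIaudio and WindowsWelcomeCenter; the last is a stock Vista entry, which is why the output is a verification list rather than a verdict. The path-prefix list is deliberately short and is an assumption for an x86 Vista machine like the one in the thread.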