Pests of all kinds and how to fight them: Bundestrojaner / GVU 2013 caught and partially removed. Windows 7
If you are not sure whether you have caught malware or a trojan, start a topic here. An expert will reply with further instructions and help you remove the malware or uninstall/delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
05.06.2013, 12:12 | #16
/// TB-Ausbilder | Bundestrojaner / GVU 2013 caught and partially removed.
Ok.
__________________
cheers, Leo
06.06.2013, 09:43 | #17
| Bundestrojaner / GVU 2013 caught and partially removed.
I did another run. ComboFix cannot be run on a server operating system, since it was not built for that.
__________________
Malwarebytes Code:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1003
(c) Malwarebytes Corporation 2011-2012

OS version: 5.2.3790 Windows Server 2003 Service Pack 2 x86

Account is Administrative

Internet Explorer version: 6.0.3790.3959

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 3.200000 GHz
Memory total: 3488538624, free: 3105247232

Downloaded database version: v2013.06.05.10
Downloaded database version: v2013.05.22.01
Initializing...
------------ Kernel report ------------
     06/06/2013 00:29:44
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
volsnap.sys
PartMgr.sys
atapi.sys
symmpi.sys
\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
Dfs.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
crcdisk.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\b57xp32.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\ati2mpad.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\watchdog.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_symmpi.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2drad.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\TDTCP.SYS
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\RDPDD.dll
\??\C:\DOKUME~1\Mafis\LOKALE~1\Temp\1\aswMBR.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ab9fab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Scsi\symmpi1Port2Path0Target0Lun0\
Lower Device Object: 0xffffffff8ab98030
Lower Device Driver Name: \Driver\symmpi\
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ab9fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8aba1a70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ab9fab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ab98030, DeviceName: \Device\Scsi\symmpi1Port2Path0Target0Lun0\, DriverName: \Driver\symmpi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 95729572

Partition information:

    Partition 0 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 16065  Numsec = 71039430

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 71055495  Numsec = 46138680
    Partition file system is NTFS
    Partition is not bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 117194175  Numsec = 24932880

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 72771174400 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-16064-142111200-142131200)...
Done!
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\@ --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d\@ --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\L\00000004.@ --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\L\201d3dde --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\L\76603ac3 --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\U\00000001.@ --> [Trojan.0Access]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\U\00000008.@ --> [Trojan.0Access]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d\U\00000001.@ --> [Trojan.0Access]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\U --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d\U --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\L --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d\L --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d --> [Trojan.Siredef.C]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...

FSS Code:
Farbar Service Scanner Version: 31-05-2013 01
Ran by Mafis (administrator) on 06-06-2013 at 10:35:49
Running from "C:\Dokumente und Einstellungen\Mafis\Desktop"
Microsoft Windows Server 2003 Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.

tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt: "C:\DOKUME~1\ALLUSE~1\ANWEND~1\doni6zq.dat".

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\afd.sys
[2005-03-25 14:00] - [2011-12-27 16:13] - 0150528 ____A (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B

ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\Drivers\tcpip.sys
[2005-03-25 14:00] - [2009-08-15 11:57] - 0393216 ____A (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3

C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 20:33] - [2009-04-20 20:33] - 0045568 ____A (Microsoft Corporation) F156DC9FCCCE08471CE84B66CA1794F2

ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.
ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\vssvc.exe
[2005-03-25 14:00] - [2007-02-17 06:46] - 0841216 ____A (Microsoft Corporation) 14EF277CAFF085DED9D01399AC01A6C7

ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-05-03 16:33] - [2007-02-17 06:48] - 0143872 ____A (Microsoft Corporation) 6F31AC308299CF5F4D0DF1E1C57FCDAB

C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2013-05-03 15:05] - [2007-02-17 06:49] - 0380928 ____A (Microsoft Corporation) 5487028837DF4ADDB6B88B0CCEF048CE

C:\WINDOWS\system32\es.dll
[2008-04-29 23:34] - [2008-04-29 23:34] - 0247296 ____A (Microsoft Corporation) DF2F8ECC34E8206ADA1D251E83322C42

C:\WINDOWS\system32\cryptsvc.dll
[2013-05-03 16:33] - [2007-02-17 06:53] - 0056832 ____A (Microsoft Corporation) DEE70ABF784C0CE67D7277156C809621

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\ipnathlp.dll
[2005-03-25 14:00] - [2007-02-17 06:51] - 0345600 ____A (Microsoft Corporation) 836CBAD45E4A035814300084EAF00CE3

ATTENTION!=====> C:\WINDOWS\system32\iphlpsvc.dll FILE IS MISSING.
C:\WINDOWS\system32\svchost.exe
[2013-05-03 16:32] - [2007-02-17 06:40] - 0014848 ____A (Microsoft Corporation) B8DAF8F87218757D332EA3EF831015E4

C:\WINDOWS\system32\rpcss.dll
[2013-05-03 16:57] - [2009-02-09 13:04] - 0486912 ____A (Microsoft Corporation) 45D1D6A09217163980F67AB8377D35B9

**** End of log ****
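The two logs in the post above carry three separate indicators that are easy to lose in the noise: MBAR names the hidden store twice (once under S-1-5-18, once under the user's SID) under RECYCLER\<SID>\$<32 hex>, FSS shows the winmgmt ServiceDll repointed from the WMI service DLL to a .dat file under the All Users application data directory, and FSS reports a long list of "service key does not exist" alerts. FSS checks a Vista-era service list, so on Windows Server 2003 several of those alerts (Nsi, nsiproxy, tdx, mpsdrv, MpsSvc, bfe, SDRSVC, wscsvc, WinDefend, iphlpsvc) describe services the OS never had, while wuauserv, BITS and SharedAccess do ship with 2003 and their missing keys are real damage. The following is an added example written for this thread, not FSS or Malwarebytes code: it applies those rules to excerpts copied from the two logs. The set of services treated as "normally absent on 2003" is an assumption drawn from OS version knowledge, not from the logs.

```python
r"""Triage of the two logs posted above: the Farbar Service Scanner (FSS) output
and the 'Infected:' lines of the Malwarebytes Anti-Rootkit (MBAR) output.
Added example for this thread, not FSS's or MBAR's own logic.  The excerpts
below are lines copied from those logs; the set of Vista-and-later service
names is an assumption drawn from OS version knowledge, not from the logs."""
import re
from collections import defaultdict

# Excerpt of the FSS log above (constructed from its lines, not the whole log).
FSS_EXCERPT = r"""
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
wuauserv Service is not running. Checking service configuration:
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt: "%systemroot%\system32\svchost.exe -k netsvcs".
The ServiceDll of winmgmt: "C:\DOKUME~1\ALLUSE~1\ANWEND~1\doni6zq.dat".
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.
C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
"""

# Excerpt of the MBAR log above (three of its fourteen 'Infected:' lines).
MBAR_EXCERPT = r"""
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\@ --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-18\$5556fa7613cb1e7ff54b414d2f31af2d\L\201d3dde --> [Trojan.Siredef.C]
Infected: c:\RECYCLER\S-1-5-21-3633405614-2588406599-3147092733-1009\$5556fa7613cb1e7ff54b414d2f31af2d\U\00000001.@ --> [Trojan.0Access]
"""

# Services introduced with Vista / Server 2008 (assumption): on Windows Server
# 2003 their registry keys never existed, so FSS's "does not exist" is noise
# there, whereas wuauserv, BITS, SharedAccess and winmgmt do ship with 2003.
EXPECTED_ABSENT_ON_2003 = frozenset({
    "Nsi", "nsiproxy", "tdx", "mpsdrv", "MpsSvc", "bfe", "SDRSVC",
    "wscsvc", "WinDefend", "iphlpsvc",
})

MISSING_KEY_RE = re.compile(r"Unable to open (\S+) registry key")
SERVICEDLL_RE = re.compile(r'The ServiceDll of (\S+): "([^"]+)"')
MISSING_FILE_RE = re.compile(r"ATTENTION!=====> (\S.*?) FILE IS MISSING")
INFECTED_RE = re.compile(r"^Infected: (.+?) --> \[(.+?)\]$")
# RECYCLER\<SID>\$<32 hex>: the root of one copy of the hidden store.
STORE_ROOT_RE = re.compile(r"^(.*?\\RECYCLER\\(S-1-5-[\d-]+)\\\$[0-9a-f]{32})", re.I)


def servicedll_is_suspicious(path: str) -> bool:
    r"""A ServiceDll that svchost loads should be a .dll under %SystemRoot%.
    A .dat under All Users\Application Data (as for winmgmt above) means the
    service entry has been repointed at foreign code."""
    p = path.lower().replace("/", "\\")
    in_systemroot = p.startswith("%systemroot%\\") or "\\windows\\" in p
    return not (in_systemroot and p.endswith(".dll"))


def triage_fss(text: str, expected_absent=EXPECTED_ABSENT_ON_2003) -> dict:
    """Split FSS findings into: hijacked ServiceDll values, service keys that
    are genuinely gone, keys whose absence is normal for this OS, missing files."""
    missing_keys, hijacked, missing_files = set(), {}, set()
    for line in text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m and not m.group(1).startswith("LEGACY_"):
            missing_keys.add(m.group(1))
        m = SERVICEDLL_RE.search(line)
        if m and servicedll_is_suspicious(m.group(2)):
            hijacked[m.group(1)] = m.group(2)
        m = MISSING_FILE_RE.search(line)
        if m:
            missing_files.add(m.group(1))
    return {
        "hijacked_servicedll": hijacked,
        "deleted_service_keys": sorted(missing_keys - expected_absent),
        "expected_absent": sorted(missing_keys & expected_absent),
        "missing_files": sorted(missing_files),
    }


def group_mbar_detections(text: str) -> dict:
    """Collapse MBAR's per-file 'Infected:' lines to one record per store root,
    which shows how many copies (one per SID) have to go."""
    roots = defaultdict(lambda: {"sid": None, "files": [], "names": set()})
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        path, name = m.groups()
        r = STORE_ROOT_RE.match(path)
        key = r.group(1) if r else path
        roots[key]["sid"] = r.group(2) if r else None
        roots[key]["files"].append(path)
        roots[key]["names"].add(name)
    return dict(roots)


if __name__ == "__main__":
    for k, v in triage_fss(FSS_EXCERPT).items():
        print(k, v)
    for root, info in group_mbar_detections(MBAR_EXCERPT).items():
        print(info["sid"], len(info["files"]), sorted(info["names"]), root)
```

Run against the full logs, the output separates what actually needs repair (the winmgmt ServiceDll, the wuauserv/BITS/SharedAccess keys) from alerts that are only FSS's Vista-era checklist meeting a 2003 box, which is the distinction that matters before deciding whether the service configuration can be rebuilt by hand or the box has to be reinstalled.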
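The "Scanning MBR on drive 0" section of the MBAR log above is a read of the disk's first sector: the 55AA signature, the disk signature, the four partition slots, and from those the unpartitioned sector ranges that get swept for hidden storage. As an added example (not Malwarebytes code), here is that inspection in Python: it assembles a 512-byte MBR from the values MBAR printed (boot code and CHS fields are zeroed, an assumption, since the log shows only LBA values), parses it back, recomputes the gaps, and applies the sanity checks a rootkit scanner applies before trusting the table.

```python
"""Partition-table inspection as in the 'Scanning MBR on drive 0' section of
the MBAR log above.  Added example, not Malwarebytes code: the 512-byte sector
is assembled from the LBA/size values MBAR printed (boot code and CHS fields
are zeroed, an assumption, since the log shows only LBA values), parsed back,
and checked the way a rootkit scanner checks an MBR before sweeping the
unpartitioned sectors for hidden storage."""
import struct

SECTOR = 512
DISK_SIZE_BYTES = 72771174400          # "Disk Size" from the log
DISK_SIGNATURE = 0x95729572            # "Disk Signature" from the log
TYPE_NAMES = {0x00: "Empty", 0x07: "Primary", 0x0F: "Extended with LBA"}

# (boot flag, type, first LBA, sector count) for the four slots, from the log.
LOGGED_ENTRIES = [
    (0x00, 0x0F, 16065, 71039430),
    (0x80, 0x07, 71055495, 46138680),
    (0x00, 0x07, 117194175, 24932880),
    (0x00, 0x00, 0, 0),
]
ENTRY_FMT = "<B3sB3sII"   # flag, CHS start, type, CHS end, first LBA, count


def build_mbr(entries, disk_sig=DISK_SIGNATURE) -> bytes:
    """440 bytes of boot code (zeroed here), disk signature at 0x1B8, two
    reserved bytes, four 16-byte entries at 0x1BE, 0x55 0xAA at 0x1FE."""
    table = b"".join(struct.pack(ENTRY_FMT, flag, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for flag, ptype, lba, count in entries)
    mbr = bytes(440) + struct.pack("<I", disk_sig) + b"\0\0" + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(sector: bytes) -> dict:
    """Reject anything without the 55AA signature, then decode the four slots."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    disk_sig = struct.unpack_from("<I", sector, 0x1B8)[0]
    parts = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 0x1BE + 16 * i)
        parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "0x%02x" % ptype),
                      "start_lba": lba, "numsec": count})
    return {"disk_signature": disk_sig, "partitions": parts}


def unpartitioned_ranges(parts, total_sectors):
    """Sector ranges no partition covers (sector 0 is the MBR itself).  These
    are where a bootkit keeps its hidden file system, hence MBAR's sweep."""
    used = sorted((p["start_lba"], p["start_lba"] + p["numsec"]) for p in parts if p["numsec"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def sanity_checks(info, total_sectors):
    """Exactly one active slot, no overlap, nothing past the end of the disk."""
    parts = [p for p in info["partitions"] if p["numsec"]]
    issues = []
    if sum(p["active"] for p in parts) != 1:
        issues.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["numsec"] > b["start_lba"]:
            issues.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    for p in parts:
        if p["start_lba"] + p["numsec"] > total_sectors:
            issues.append("partition %d runs past the end of the disk" % p["index"])
    return issues


if __name__ == "__main__":
    info = parse_mbr(build_mbr(LOGGED_ENTRIES))
    total = DISK_SIZE_BYTES // SECTOR
    print("disk signature %08X, %d sectors" % (info["disk_signature"], total))
    for p in info["partitions"]:
        print("  slot %d %-17s %s LBA %d numsec %d" % (
            p["index"], p["type_name"], "ACTIVE" if p["active"] else "inactive",
            p["start_lba"], p["numsec"]))
    print("unpartitioned:", unpartitioned_ranges(info["partitions"], total))
    print("issues:", sanity_checks(info, total) or "none")
```

On the logged values the three partitions are contiguous (each starts where the previous one ends), so the only gaps are the 16064 sectors before the extended partition and the tail after partition 2. MBAR's logged sweep range starts that tail at 142111200 rather than at the end of partition 2 computed here; the example follows the partition values as logged and does not reproduce whatever rule MBAR applies there. A table that fails the signature check, or shows two active slots or an overlap, is the point at which to stop trusting the boot path and image the disk instead of cleaning it live.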
06.06.2013, 11:19 | #18
/// TB-Ausbilder | Bundestrojaner / GVU 2013 caught and partially removed.
Ah yes, this operating system doesn't exactly make things easier...
__________________
You posted the MBAR system log. Could you please also post the one named in the format mbar-log-<year-month-day>.txt? Also, run MBAR again, repeatedly, until no more detections are reported.
07.06.2013, 00:22 | #19
| Bundestrojaner / GVU 2013 caught and partially removed.
Hey Leo, a quick interim update. MBAR scans the server and does find viruses. The detections are always in C:\Recycler\********. When I click Cleanup it hangs every time, but the number of detections still seems to be going down. Unfortunately I can't post the log, because it isn't created due to the crashes.
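The detections the poster keeps seeing under C:\Recycler\ are the hidden store MBAR listed earlier in the thread: RECYCLER\<SID>\$<32 hex>\ holding an "@" file and "L" and "U" subdirectories, present once under S-1-5-18 (LocalSystem) and once under the logged-on user's SID. The following added example (written for this thread, not Malwarebytes code) is a stand-alone check for that layout that distinguishes it from ordinary recycle-bin contents. The poster's disk is not available, so build_sample_tree() constructs a stand-in tree in a temporary directory from the paths in the MBAR log; the benign Dc1.txt entry is invented to show what must not be reported.

```python
r"""Look for the hidden store MBAR reported under C:\RECYCLER earlier in this
thread: RECYCLER\<SID>\$<32 hex>\ containing '@', 'L\' and 'U\', present once
under S-1-5-18 (LocalSystem) and once under the logged-on user's SID.  Added
example for this thread, not Malwarebytes code.  The poster's disk is not
available, so build_sample_tree() constructs a stand-in tree in a temporary
directory from the paths in the MBAR log."""
import os
import re
import tempfile

HASHDIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.I)
SID_RE = re.compile(r"^S-1-5-(18|21(-\d+){4})$")
STORE_HASH = "$5556fa7613cb1e7ff54b414d2f31af2d"      # from the MBAR log


def find_zeroaccess_stores(recycler_root: str) -> list:
    r"""One record per RECYCLER\<SID>\$<hash> directory; ordinary recycle-bin
    content (Dc*.* files, no $<hash> subdirectory) is ignored."""
    found = []
    if not os.path.isdir(recycler_root):
        return found
    for sid in sorted(os.listdir(recycler_root)):
        sid_dir = os.path.join(recycler_root, sid)
        if not (os.path.isdir(sid_dir) and SID_RE.match(sid)):
            continue
        for name in sorted(os.listdir(sid_dir)):
            store = os.path.join(sid_dir, name)
            if not (os.path.isdir(store) and HASHDIR_RE.match(name)):
                continue
            members = set(os.listdir(store))
            found.append({
                "sid": sid,
                "hash": name,
                "path": store,
                "has_at": "@" in members,
                "has_L": os.path.isdir(os.path.join(store, "L")),
                "has_U": os.path.isdir(os.path.join(store, "U")),
                "file_count": sum(len(files) for _, _, files in os.walk(store)),
            })
    return found


def build_sample_tree(base: str) -> str:
    """Constructed sample tree: the two stores from the MBAR log plus a benign
    recycle-bin entry (Dc1.txt, invented) that must not be reported."""
    recycler = os.path.join(base, "RECYCLER")
    user_sid = "S-1-5-21-3633405614-2588406599-3147092733-1009"
    layout = {
        "S-1-5-18": ["@", "L/00000004.@", "L/201d3dde", "L/76603ac3",
                     "U/00000001.@", "U/00000008.@"],
        user_sid: ["@", "L/", "U/00000001.@"],
    }
    for sid, rels in layout.items():
        for rel in rels:
            p = os.path.join(recycler, sid, STORE_HASH, *rel.split("/"))
            if rel.endswith("/"):
                os.makedirs(p, exist_ok=True)       # empty subdirectory
            else:
                os.makedirs(os.path.dirname(p), exist_ok=True)
                open(p, "wb").close()
    open(os.path.join(recycler, user_sid, "Dc1.txt"), "wb").close()  # benign
    return recycler


def scan_sample() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_zeroaccess_stores(build_sample_tree(tmp))


if __name__ == "__main__":
    for rec in scan_sample():
        layout_ok = rec["has_at"] and rec["has_L"] and rec["has_U"]
        print(rec["sid"], rec["hash"], rec["file_count"], "files",
              "complete @/L/U layout" if layout_ok else "partial layout")
```

The check is meant to be pointed at a copy of the volume mounted from clean boot media (pass the mounted RECYCLER directory instead of the sample tree); on the running infected host the store's contents can be withheld from the scanning process, and the cleanup hangs the poster describes are one more reason not to do this work on the live OS.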
08.06.2013, 13:17 | #20
/// TB-Ausbilder | Bundestrojaner / GVU 2013 caught and partially removed.
Hello, that sounds very unpleasant... Our tools aren't that specialised for the server OS, either. Since the data is already backed up, it would definitely be faster (and much safer) to wipe the box now and reinstall.
__________________
cheers, Leo
18.06.2013, 21:24 | #21
/// TB-Ausbilder | Bundestrojaner / GVU 2013 caught and partially removed.
This topic appears to be resolved and will be removed from my subscriptions. I will therefore no longer receive notifications of new replies. Should you need this topic again, please send me a PM and we'll continue here. Everyone else, please read these instructions and create a thread of your own.