Antivirus, firewall and other protection programs: AVZ - New tool against malware
04.08.2006, 11:44 | #1
AVZ - New tool against malware. Hello everyone, AVZ 4.19 (author Oleg Zaitsev [Олег Зайцев], Russia) was recently released in English (DL link). The program has been known in Russia for a couple of years and helps quite well in some cases. According to the author, the program is a mix of TrojanHunter and AdAware. Users affected by malware could try the tool right away. Questions to the author can be sent in English by e-mail to the address given in the info panel. Anyone who doesn't feel comfortable with English, please send me a PM: I will translate your request and post it in the Russian-language forum or send it directly to the author.
04.08.2006, 17:06 | #2
AVZ - New tool against malware. hmm ?

Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211)
Copyright © Igor Daniloff, 1992-2005
File size: 1638.1K
avz4en.zip - archive ZIP
>avz4en.zip/avz4/avz.cnt - OK
>avz4en.zip/avz4/avz.exe packed by UPX
In file >>avz4en.zip/avz4/avz.exe probably found virus DLOADER.Trojan
>avz4en.zip/avz4/AVZ.HLP - OK
>avz4en.zip/avz4/avz.sys - OK
>avz4en.zip/avz4/avz.url - OK
>avz4en.zip/avz4/avzsg.sys - OK
>avz4en.zip/avz4/Base/extract.avz - OK
>avz4en.zip/avz4/Base/keylogger.avz - OK
>avz4en.zip/avz4/Base/lang_en.avz - OK
>avz4en.zip/avz4/Base/main.avz - OK
>avz4en.zip/avz4/Base/main001.avz - OK
>avz4en.zip/avz4/Base/main002.avz - OK
>avz4en.zip/avz4/Base/main003.avz - OK
>avz4en.zip/avz4/Base/main004.avz - OK
>avz4en.zip/avz4/Base/main005.avz - OK
>avz4en.zip/avz4/Base/neural.avz - OK
>avz4en.zip/avz4/Base/neurald.avz - OK
>avz4en.zip/avz4/Base/neurale.avz - OK
>avz4en.zip/avz4/Base/neuralm.avz - OK
>avz4en.zip/avz4/Base/ports.avz - OK
>avz4en.zip/avz4/Base/repair.avz - OK
>avz4en.zip/avz4/Base/rootkit.avz - OK
>avz4en.zip/avz4/Base/scripts.avz - OK
>avz4en.zip/avz4/Base/signf001.avz - OK
>avz4en.zip/avz4/Base/signf002.avz - OK
>avz4en.zip/avz4/Base/signfusr.avz - OK
>avz4en.zip/avz4/Base/syscheck.avz - OK
>avz4en.zip/avz4/version.txt - OK
04.08.2006, 17:48 | #3
AVZ - New tool against malware. @iso9001
Dr.Web daemon for Linux & "probably" on top of that.
06.08.2006, 14:35 | #6
Guest | AVZ - New tool against malware. Quote:
27.08.2009, 00:00 | #7
AVZ - New tool against malware.

>>>> Danger - the avz.exe file has been modified: its current CRC is not listed in Trusted Objects Database
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 27.08.2009 00:39:34
Database loaded: signatures - 238532, NN profile(s) - 2, malware removal microprograms - 56, signature database released 26.08.2009 00:12
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 137134
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights
System Restore: Disabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateFile (123) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtCreateProcess (134) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtCreateProcessEx (135) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtDeviceIoControlFile (154) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtOpenFile (204) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtQueryInformationProcess (243) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwCreateFile (933) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwCreateProcess (944) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwCreateProcessEx (945) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwDeviceIoControlFile (963) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwOpenFile (1013) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:ZwQueryInformationProcess (1052) intercepted, method - CodeHijack (not defined)
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = F7454A35 -> C:\WINDOWS\System32\drivers\e49dd731.sys
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89B9E1F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 89B9E1F8 -> hook not defined
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F7455887 -> C:\WINDOWS\System32\drivers\e49dd731.sys
Checking - complete
2. Scanning RAM
Number of processes found: 32
Extended process analysis: 1772 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 180 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 500 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 608 C:\WINDOWS\system32\svchost.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 948 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 1056 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 172 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 488 C:\WINDOWS\system32\nvsvc32.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 704 C:\Programme\samsung\Samsung Network Manager\SNMWLANService.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1644 C:\WINDOWS\system32\svchost.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 1876 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 1920 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 436 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 2536 C:\WINDOWS\system32\wbem\wmiapsrv.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 3640 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
>>> The real size is supposed to be = 22380544
Extended process analysis: 3148 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 3256 C:\WINDOWS\System32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Extended process analysis: 13052 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 11244 C:\WINDOWS\system32\taskmgr.exe
[ES]:Program code includes networking-related functionality
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 38980 C:\WINDOWS\system32\wiwow64.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 42452 C:\WINDOWS\system32\svchost.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 39152 C:\WINDOWS\system32\sofatnet.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 302
Scanning RAM - complete
3. Scanning disks
C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\9VWS09C6\bbsuper1[1].htm - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\9VWS09C6\bbsuper1[1].htm)
File quarantined succesfully (C:\WINDOWS\system32\10.tmp)
C:\WINDOWS\system32\10.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\14.tmp)
C:\WINDOWS\system32\14.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\1A.tmp)
C:\WINDOWS\system32\1A.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\1C.tmp)
C:\WINDOWS\system32\1C.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\1E.tmp)
C:\WINDOWS\system32\1E.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\21.tmp)
C:\WINDOWS\system32\21.tmp >>>>> Email-Worm.Win32.Joleee.cws deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\26.tmp)
C:\WINDOWS\system32\26.tmp >>>>> Email-Worm.Win32.Joleee.cwm deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\3C.tmp)
C:\WINDOWS\system32\3C.tmp >>>>> Email-Worm.Win32.Joleee.cwm deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\42.tmp)
C:\WINDOWS\system32\42.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\A.tmp)
C:\WINDOWS\system32\A.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\B.tmp)
C:\WINDOWS\system32\B.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
File quarantined succesfully (C:\WINDOWS\system32\C.tmp)
C:\WINDOWS\system32\C.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
Direct reading: C:\WINDOWS\system32\drivers\sptd.sys
File quarantined succesfully (C:\WINDOWS\system32\E.tmp)
C:\WINDOWS\system32\E.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
Direct reading: D:\331aa155a4e18f478495237f\DeleteTemp.exe
Direct reading: D:\331aa155a4e18f478495237f\dlmgr.dll
Direct reading: D:\331aa155a4e18f478495237f\GenComp.dll
Direct reading: D:\331aa155a4e18f478495237f\HtmlLite.dll
Direct reading: D:\331aa155a4e18f478495237f\Setup.EXE
Direct reading: D:\331aa155a4e18f478495237f\setupres.1025.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1028.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1029.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1030.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1031.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1032.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1035.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1036.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1037.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1038.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1040.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1041.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1042.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1043.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1044.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1045.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1046.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1049.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1053.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.1055.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.2052.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.2070.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.3082.dll
Direct reading: D:\331aa155a4e18f478495237f\setupres.dll
Direct reading: D:\331aa155a4e18f478495237f\SitSetup.DLL
Direct reading: D:\331aa155a4e18f478495237f\VS70UIMgr.dll
Direct reading: D:\331aa155a4e18f478495237f\VSBaseReqs.dll
Direct reading: D:\331aa155a4e18f478495237f\VSScenario.dll
Direct reading: D:\331aa155a4e18f478495237f\VS_Setup.dll
Direct reading: D:\331aa155a4e18f478495237f\vs_setup.msi
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1025.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1028.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1029.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1030.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1031.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1032.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1035.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1036.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1037.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1038.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1040.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1041.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1042.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1043.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1044.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1045.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1046.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1049.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1053.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.1055.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.2052.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.2070.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.3082.dll
Direct reading: D:\331aa155a4e18f478495237f\WapRes.dll
Direct reading: D:\331aa155a4e18f478495237f\WapUI.dll
Direct reading: D:\331aa155a4e18f478495237f\wcu\dotNetFramework\dotNetFX20\Netfx20a_x86.msi
Removing traces of deleted files...
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious software
Checking - disabled by user
7. Heuristic system check
>>> Suspicion for service/driver reg key masking "e49dd731"
>>> Suspicion for service/driver reg key masking "kbiwkmcuunjeta"
>>> Suspicion for service/driver reg key masking "xexkins"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>> Network drives autorun is allowed
>> Removable media autorun is allowed
Checking - complete
Files scanned: 84080, extracted from archives: 63599, malicious software found 13, suspicions - 0
Scanning finished at 27.08.2009 00:50:21
Time of scanning: 00:10:49
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\drivers\e49dd731.sys)
Quarantine file (direct disk reading) "%S" - failed (error)

hi, I followed exactly what it said there and am pasting my scan here. I have caught something that I cannot delete with any tool at all ... can you perhaps recognize something here??? thx in advance

Last edited by alca44 (27.08.2009 at 00:02). Reason: wrong thread
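As an added illustration (not code from the thread or from AVZ), the following script shows how a helper would triage an AVZ log like the one pasted above: it pulls out intercepted API functions, IRP handlers that point at a concrete driver file rather than "hook not defined", deletions/quarantines, hidden service keys, and failed quarantines, then cross-references hooking drivers against hidden keys. The sample log is a constructed excerpt in the shape of the post's log; the function and field names are my own.

```python
import os
import re

# Constructed excerpt in the format of the AVZ 4.32 log quoted in post #7.
SAMPLE_LOG = r"""
1.1 Searching for user-mode API hooks
Function ntdll.dll:NtCreateFile (123) intercepted, method - CodeHijack (not defined)
Function ntdll.dll:NtOpenFile (204) intercepted, method - CodeHijack (not defined)
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = F7454A35 -> C:\WINDOWS\System32\drivers\e49dd731.sys
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89B9E1F8 -> hook not defined
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F7455887 -> C:\WINDOWS\System32\drivers\e49dd731.sys
3. Scanning disks
C:\WINDOWS\system32\10.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully
C:\WINDOWS\system32\21.tmp >>>>> Email-Worm.Win32.Joleee.cws deleted successfully
7. Heuristic system check
>>> Suspicion for service/driver reg key masking "e49dd731"
>>> Suspicion for service/driver reg key masking "xexkins"
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\drivers\e49dd731.sys)
"""

# One regex per AVZ line type we care about (patterns derived from the log above).
HOOK_RE = re.compile(r"^Function (\S+):(\S+) \(\d+\) intercepted, method - (\S+)")
IRP_RE = re.compile(r"^(\\\S+\[IRP_MJ_\w+\]) = [0-9A-F]+ -> (.+)$")
DETECT_RE = re.compile(r"^(.+?) >>>>> (\S+) (deleted successfully|quarantined)")
MASK_RE = re.compile(r'^>>> Suspicion for service/driver reg key masking "([^"]+)"')
QFAIL_RE = re.compile(r"^Quarantine file: failed .*\((.+)\)$")


def triage(log_text):
    """Collect the security-relevant findings from an AVZ log into lists."""
    f = {"api_hooks": [], "irp_hooks": [], "detections": [],
         "masked_keys": [], "quarantine_failed": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            f["api_hooks"].append((m.group(1), m.group(2), m.group(3)))
        elif m := IRP_RE.match(line):
            # Only IRP entries that resolve to a driver file are hooks worth listing.
            if m.group(2) != "hook not defined":
                f["irp_hooks"].append((m.group(1), m.group(2)))
        elif m := DETECT_RE.match(line):
            f["detections"].append((m.group(1), m.group(2)))
        elif m := MASK_RE.match(line):
            f["masked_keys"].append(m.group(1))
        elif m := QFAIL_RE.match(line):
            f["quarantine_failed"].append(m.group(1))
    return f


def hidden_hooking_drivers(findings):
    """Driver names that both hook IRP handlers and hide their service key:
    the combination a responder would escalate first (here: e49dd731)."""
    hooking = {os.path.splitext(os.path.basename(p.replace("\\", "/")))[0].lower()
               for _, p in findings["irp_hooks"]}
    masked = {k.lower() for k in findings["masked_keys"]}
    return sorted(hooking & masked)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['api_hooks'])} API hooks, {len(result['irp_hooks'])} IRP hooks, "
          f"{len(result['detections'])} detections, escalate: {hidden_hooking_drivers(result)}")
```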
27.08.2009, 04:59 | #8
AVZ - New tool against malware. Please read the following http://www.trojaner-board.de/anleitu...uncements.html and create a new thread with the reports from the programs listed under point 2.

Regards, Ralf
06.12.2009, 08:54 | #9
AVZ - New tool against malware.