Log Analysis and Evaluation: Virtumonde cannot be removed
Windows 7

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system first has to be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been removed completely.
29.08.2008, 12:34 | #1
Virtumonde cannot be removed

Hello everyone,

unfortunately I have somehow caught Virtumonde on my laptop. Spybot cannot help me with it, after every restart the stuff is back again. I have already found this post on the subject: http://www.trojaner-board.de/23940-iwe-kann-man-virtumonde-entfernen.html
However, I believe I understood that there are different versions. If I am right about that, can I still follow the instructions there anyway? Also, the Ewido Security Suite linked there apparently no longer exists. Which product should be used instead?
When scanning, Spybot reports two dlls that apparently belong to Virtumonde. Their names are "pbehdj.dll" and "rqfjjclt.dll".

Here is my HJT log anyway:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:54, on 29.08.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\G DATA AntiVirus\AVKTray\AVKTray.exe
C:\Windows\System32\oodtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {891D1E8A-9B13-4684-AB35-4FACB393FB0B} - (no file)
O2 - BHO: (no name) - {9A0C3176-7B3B-44A3-90E4-572840354A0C} - C:\Windows\system32\urqRIaYq.dll
O2 - BHO: {8be888a6-df7e-bb6b-c574-5e33510f276a} - {a672f015-33e5-475c-b6bb-e7fd6a888eb8} - C:\Windows\system32\rqnqds.dll
O2 - BHO: (no name) - {C37F211E-5840-4E0E-8AF7-2F3592517238} - C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\3077htsbdjyf[1].dll
O2 - BHO: (no name) - {E1C7EDF7-6C3D-424E-B651-A2F57BBA9701} - (no file)
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang DE /H
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirus\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfCssSk.dll,#1
O4 - HKLM\..\Run: [OODefragTray] C:\Windows\system32\oodtray.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA AntiVirus\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - C:\Program Files\G DATA AntiVirus\AVK\AVKWCtl.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)

Many thanks in advance!
Wilson
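A first-pass triage of HijackThis O2/O4/O23 lines like the ones in the log above can be automated. The script below is an added example written for this thread, not code from the original post, from HijackThis or from the forum; the sample log lines are copied from the post above (benign entries included) and the flagging rules (unnamed BHOs that still load a file, BHOs whose display name is itself a GUID, DLLs loaded from the browser cache, rundll32 autoruns that call an export by ordinal such as `,#1`, and services whose binary is missing) are heuristics chosen for the example, not HijackThis's own classification.

```python
"""Added example (not from the thread): first-pass triage of HijackThis
O2/O4/O23 lines, flagging the patterns visible in the log in post #1."""
import re

# Constructed sample: lines copied from the HJT log in post #1, benign ones included.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll",
    r"O2 - BHO: (no name) - {9A0C3176-7B3B-44A3-90E4-572840354A0C} - C:\Windows\system32\urqRIaYq.dll",
    r"O2 - BHO: {8be888a6-df7e-bb6b-c574-5e33510f276a} - {a672f015-33e5-475c-b6bb-e7fd6a888eb8} - C:\Windows\system32\rqnqds.dll",
    r"O2 - BHO: (no name) - {C37F211E-5840-4E0E-8AF7-2F3592517238} - C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\3077htsbdjyf[1].dll",
    r"O2 - BHO: (no name) - {E1C7EDF7-6C3D-424E-B651-A2F57BBA9701} - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfCssSk.dll,#1",
    r"O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Program Files\G DATA AntiVirus\AVK\AVKService.exe",
    r"O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)",
])

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
RE_O2 = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RE_GUID_ONLY = re.compile(rf"^{GUID}$")
# rundll32 <dll>,#<n>: the autorun calls an export by ordinal instead of by name
RE_ORDINAL = re.compile(r'(?i)^"?rundll32(\.exe)?"?\s+\S.*,#\d+\s*$')


def triage(log_text):
    """Return (line_no, category, reason) for every line that trips a heuristic.

    The heuristics are this example's own choices (see the lead-in), not HJT's.
    """
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = RE_O2.match(line)
        if m:
            name, path = m["name"], m["path"]
            if path != "(no file)":  # dead registrations are noise, not a loaded module
                if name == "(no name)":
                    findings.append((lineno, "BHO", f"unnamed BHO loading {path}"))
                elif RE_GUID_ONLY.match(name):
                    findings.append((lineno, "BHO", f"BHO whose display name is a GUID: {path}"))
                if "temporary internet files" in path.lower():
                    findings.append((lineno, "BHO", f"DLL loaded from the browser cache: {path}"))
            continue
        m = RE_O4.match(line)
        if m:
            if RE_ORDINAL.match(m["cmd"]):
                findings.append((lineno, "RUN", f"rundll32 autorun calling an export by ordinal: {m['cmd']}"))
            continue
        m = RE_O23.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings.append((lineno, "SVC", f"service whose binary is missing: {m['name']}"))
    return findings


if __name__ == "__main__":
    for lineno, category, reason in triage(SAMPLE_LOG):
        print(f"line {lineno:>3} [{category}] {reason}")
```

Run against the sample, the script flags the two system32 BHOs, the BHO living in Temporary Internet Files, the `MSServer` rundll32 entry and the missing UltraVNC binary, while the Java helper, the NVIDIA autorun and the G DATA service pass. A real run would feed the whole HJT log through `triage()`; the flagged lines are candidates for the VirusTotal check requested in post #2, not a verdict.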
30.08.2008, 09:56 | #2
/// Winkelfunktion /// (TB-Süch-Tiger™)

Virtumonde cannot be removed

Hello

Quote:
1.) Make sure that all files are displayed to you, then have the following files analysed at Virustotal.com and post all results, in a form that shows the verdicts of the individual virus scanners. Please include file sizes and checksums:

Code:
C:\Windows\system32\urqRIaYq.dll
C:\Windows\system32\rqnqds.dll
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\3077htsbdjyf[1].dll
C:\Windows\system32\khfCssSk.dll
C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL

3.) Run this MBR tool and post the output.

I would like to hold off on Combofix for now.
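The request in this reply is for file sizes and checksums of the suspect files. The script below is an added example written for this thread (not the helper's tool and not part of the original post) that produces exactly that: size, MD5, SHA1, SHA256 and SHA512 per path, in the same layout VirusTotal prints later in the thread. It goes one step beyond the request and also reports the Shannon entropy of each file, because the VirusTotal output further down shows an `ntrpy` column where the Vundo DLLs' `.text` sections sit at 8.00 bits per byte; the threshold of 7.0 used here to mark a file as probably packed or encrypted is an assumption chosen for the example. The demo inputs are constructed in memory, so the script runs without any of the files from the thread.

```python
"""Added example (not from the thread): compute the size, checksums and byte
entropy of suspect files, in the form the helper asked for in post #2."""
import hashlib
import io
import math
import sys
from collections import Counter

CHUNK = 1 << 20  # read binaries in 1 MiB chunks; a DLL need not fit in memory at once
PACKED_THRESHOLD = 7.0  # assumed: bits/byte above this usually means packed/encrypted


def _fingerprint_stream(fh):
    """Hash a binary stream in one pass and count byte frequencies on the way."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
               "sha256": hashlib.sha256(), "sha512": hashlib.sha512()}
    counts = Counter()
    size = 0
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        size += len(chunk)
        counts.update(chunk)  # Counter over the byte values 0..255
        for h in hashers.values():
            h.update(chunk)
    # Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes
    entropy = 0.0
    if size:
        entropy = -sum(c / size * math.log2(c / size) for c in counts.values())
    result = {"size": size, "entropy": round(entropy, 2)}
    result.update((name, h.hexdigest()) for name, h in hashers.items())
    return result


def fingerprint_bytes(data):
    """Fingerprint an in-memory blob (used for the constructed demo input)."""
    return _fingerprint_stream(io.BytesIO(data))


def fingerprint_file(path):
    """Fingerprint a file on disk; None when it does not exist (cf. khfCssSk.dll in post #3)."""
    try:
        with open(path, "rb") as fh:
            return _fingerprint_stream(fh)
    except FileNotFoundError:
        return None


def format_report(path, fp):
    """Render one file's fingerprint in the layout VirusTotal printed in post #3."""
    if fp is None:
        return f"{path}\nNot present!\n"
    note = ""
    if fp["entropy"] >= PACKED_THRESHOLD:
        note = "   (high entropy: likely packed or encrypted)"
    return (f"{path}\n"
            f"File size: {fp['size']} bytes\n"
            f"MD5...: {fp['md5']}\n"
            f"SHA1..: {fp['sha1']}\n"
            f"SHA256: {fp['sha256']}\n"
            f"SHA512: {fp['sha512']}\n"
            f"Entropy: {fp['entropy']:.2f} bits/byte{note}\n")


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(format_report(p, fingerprint_file(p)))
    else:
        # Constructed demo input: a repetitive text blob and a uniform 0..255 byte run
        print(format_report("<constructed: plain text>", fingerprint_bytes(b"hello hello hello")))
        print(format_report("<constructed: uniform bytes>", fingerprint_bytes(bytes(range(256)) * 4)))
```

Usage on the real machine would be `python fingerprint.py C:\Windows\system32\urqRIaYq.dll ...` with the paths from the code box above; a path that does not exist is reported as "Not present!" rather than aborting the run, which matches what the poster later found for khfCssSk.dll. Hashing in one streaming pass keeps the file read-only and leaves the suspect binary untouched.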
31.08.2008, 00:51 | #3
Virtumonde cannot be removed

Virustotal.com log files:

Code:
C:\Windows\system32\urqRIaYq.dll
weitere Informationen
File size: 246784 bytes
MD5...: ed2f672420b7114410901a3387c2ade2
SHA1..: 362422d122c5939f2af681b99aa8905696dbb67f
SHA256: 73e21cf829180bed8f3c3e860f0cab2e9b0e0e0346252c296525c16f3e8bfc9a
SHA512: db118e1fbaa6e37b1c44b3c81be5012883831de682363eb2bb6e225aff93e1d7
5117f353da4022a8968199edb7c68e95ac65196534082109cb570e4fb5bf8029
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1bc66 0x1b800 8.00 b2638f3340efc0e8b8d62021110e559a
.rdata 0x1d000 0xa6e 0x400 4.49 8acef8f2b31455cc11bf9bb1569c8bfc
.data 0x1e000 0x869e3 0x20400 8.00 786bb08e4774a5c98434c0d4bf47186a
( 2 imports )
> user32.dll: CreatePopupMenu, DeleteMenu, EnableScrollBar, EndPaint, EqualRect, FillRect, GetCursor, GetDC, GetDlgItem, CreateIconFromResource, IsCharLowerA, LoadBitmapA, OemToCharBuffA, RegisterClassA, SetCursor, ShowCursor, ShowOwnedPopups, ShowScrollBar, CreateDesktopW, CopyRect, CharUpperA, CharToOemA, CharPrevA, CharNextA, GetFocus, ChangeMenuA
> KERNEL32.dll: lstrcpynA, lstrcmpA, SetEndOfFile, SetCurrentDirectoryA, GetDateFormatA, ExitProcess, lstrlenA
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=785C73170097615BC495035E4FD595000C94F17D

C:\Windows\system32\rqnqds.dll
weitere Informationen
File size: 108544 bytes
MD5...: b04ae339acc8555ca367f95acc9245db
SHA1..: 210f0c5b468b5721f90efc4024100ad8fb2b6ac3
SHA256: 9e9c4f3b31ff1c7422e2cf00e28253ffc3aeae6855db9223be8db9a6e1e3882f
SHA512: 2c0b335a044c1e4ddeee8220a9873aa6b633c7493f3d9ce1b5db6e624e7ea618
1848433a16816e536eb614e1c97c003904f6a345d907fd057f8f50d75ac0ae15
PEiD..: -
TrID..: File type identification
Win32 Dynamic Link Library (generic) (55.5%)
Clipper DOS Executable (14.7%)
Generic Win/DOS Executable (14.6%)
DOS Executable Generic (14.6%)
VXD Driver (0.2%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa4cc 0xaa00 7.98 7a99d21c729a3842c6ab70ae5e0f8b88
.data 0xc000 0x5d3 0x400 3.63 d4a73f79a8ae78f8a0ecde3de0643680
.rdata 0xd000 0x329cc 0xf600 7.96 4c3ea2deee7116cdf505bccf0381053a
( 2 imports )
> user32.dll: OemToCharW, OemToCharBuffA, ToAscii, IsCharUpperA, GetMenu, EndPaint, DrawTextA, DispatchMessageA, DestroyIcon, CreateMenu, CreateIconFromResourceEx, CreateDialogIndirectParamA, SetMenuInfo, CharToOemBuffA
> KERNEL32.dll: WriteFile, TlsAlloc, OpenFileMappingA, GetTimeFormatA, GetSystemTime, GetModuleHandleA, GetLocalTime, GetLastError, EnumResourceLanguagesW, lstrcmpiA
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=DCFFF9CD0033B30BA8420159058CA000A29FBE5D

C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\3077htsbdjyf[1].dll
weitere Informationen
File size: 91648 bytes
MD5...: 0a9ebe91127f0140f747c3f50f61dfa8
SHA1..: 40396ac8c34da0ed68879b438fd1383e9a5785b0
SHA256: 338e8636011bf7fa57e2a403320d4cef82fc47a4eb25e301d0c61398bda2ed6c
SHA512: 4733033a6341b4ae722e417d1aa1f70b803c03ef0309043462e31aa08b2503e8
bef140ff42b5c47c729c77bba4e0f5f057d65e2560655ccd0356a070f7373bb2
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (42.6%)
Win32 EXE Yoda's Crypter (37.0%)
Win32 Executable Generic (11.8%)
Win16/32 Executable Delphi generic (2.8%)
Generic Win/DOS Executable (2.7%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x43d2b0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x27000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x28000 0x16000 0x15600 7.89 8e09cf6afffc6adf639ddf5029f81979
.rsrc 0x3e000 0x1000 0xc00 3.77 e42bf71d141c871c741ec5f1b658c042
( 7 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> advapi32.dll: RegCloseKey
> ole32.dll: IsEqualGUID
> oleaut32.dll: LoadTypeLib
> shell32.dll: SHGetMalloc
> user32.dll: SetTimer
> wininet.dll: InternetCrackUrlA
( 5 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, InitEntry0
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=889C9D0D0076BAC4660F018419B236002DC238EF
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=0a9ebe91127f0140f747c3f50f61dfa8
packers (F-Prot): UPX

C:\Windows\system32\khfCssSk.dll
Not present!

C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
weitere Informationen
File size: 449536 bytes
MD5...: 2063f5de2b28b68ff9a153a8defa1f69
SHA1..: 1fc3975c9acf2b45df792bf5f494189235582996
SHA256: 68112684e252a10d4e2a1b7a7e2601c1bbfa03040184d4ae4c610b81a9ed7b18
SHA512: 6e11191b4bcdaf81186a7ad0c603909ff62a864c782763a2dca241111a4c13e6
637e0c0eccf74ab1d273e9e2772f918a32b3569767e3a2e5c65a6bc35d197852
PEiD..: -
TrID..: File type identification
Windows OCX File (80.8%)
Win32 Executable Delphi generic (9.6%)
Win32 Executable Generic (5.5%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x45e494
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x5d4ac 0x5d600 6.54 8a96e15f8004b9f1d3b2003fd91d33ec
DATA 0x5f000 0x127c 0x1400 4.06 035f615030eab5930390060f0ab9cfbe
BSS 0x61000 0xd9d 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x62000 0x253e 0x2600 4.96 bc529ad16b2bfacba86dadd1c54a1066
.edata 0x65000 0xa8 0x200 2.03 fe201b7e1d8892f46452545cf38816a1
.reloc 0x66000 0x6758 0x6800 6.69 60ac014f763ca1fe937c31f0aa86f7c5
.rsrc 0x6d000 0x5e00 0x5e00 4.17 453f93e76549662df14ae29535572088
( 17 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
> advapi32.dll: RegSetValueExW, RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
> kernel32.dll: lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetShortPathNameA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
> user32.dll: CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> ole32.dll: CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoLockObjectExternal, CoDisconnectObject, CoRevokeClassObject, CoRegisterClassObject, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
> ole32.dll: IsEqualGUID
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
> shell32.dll: ShellExecuteW
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
31.08.2008, 00:53 | #4
Virtumonde cannot be removed

Blacklight log

Code:
08/30/08 19:41:10 [Info]: BlackLight Engine 1.0.70 initialized
08/30/08 19:41:10 [Info]: OS: 6.0 build 6001 (Service Pack 1)
08/30/08 19:41:10 [Note]: 7019 4
08/30/08 19:41:10 [Note]: 7005 0
08/30/08 19:42:16 [Note]: 7006 0
08/30/08 19:42:16 [Note]: 7027 0
08/30/08 19:42:17 [Note]: 7035 0
08/30/08 19:42:17 [Note]: 7026 0
08/30/08 19:42:17 [Note]: 7026 0
08/30/08 19:42:25 [Note]: FSRAW library version 1.7.1024
08/30/08 19:42:29 [Note]: 4015 65887
08/30/08 19:42:29 [Note]: 4027 65887 9240576
08/30/08 19:42:29 [Note]: 4020 65880 720896
08/30/08 19:42:29 [Note]: 4022 65880
08/30/08 19:43:23 [Note]: 4015 188645
08/30/08 19:43:23 [Note]: 4027 188645 131072
08/30/08 19:43:23 [Note]: 4020 186678 1507328
08/30/08 19:43:23 [Note]: 4018 186678 1507328
08/30/08 19:43:26 [Note]: 4015 188720
08/30/08 19:43:26 [Note]: 4027 188720 131072
08/30/08 19:43:26 [Note]: 4020 188645 131072
08/30/08 19:43:26 [Note]: 4018 188645 131072
08/30/08 20:44:07 [Note]: 7007 0

Malwarebytes' log

Code:
Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1098
Windows 6.0.6001 Service Pack 1

01:00:31 31.08.2008
mbam-log-08-31-2008 (01-00-31).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 161602
Laufzeit: 49 minute(s), 40 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 3
Infizierte Registrierungsschlüssel: 15
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 3
Infizierte Verzeichnisse: 0
Infizierte Dateien: 82

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\Windows\System32\urqRIaYq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\xanxksxg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\rqnqds.dll (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a0c3176-7b3b-44a3-90e4-572840354a0c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9a0c3176-7b3b-44a3-90e4-572840354a0c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a672f015-33e5-475c-b6bb-e7fd6a888eb8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a672f015-33e5-475c-b6bb-e7fd6a888eb8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c37f211e-5840-4e0e-8af7-2f3592517238} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c37f211e-5840-4e0e-8af7-2f3592517238} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5cf2893c-db92-4b03-ab30-c32b044b027e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fe3ce0a3-dfa5-4946-a050-c39a04397fc5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqriayq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqriayq -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\System32\urqRIaYq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\qYaIRqru.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\qYaIRqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rqnqds.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\duchfetq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\qtefhcud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\efCRLedB.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\BdeLRCfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\BdeLRCfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\kpyptkde.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\edktpypk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ljJDWOiI.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\IiOWDJjl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\IiOWDJjl.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\mdccwsbu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ubswccdm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pmnkKbyv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\vybKknmp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\vybKknmp.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\vargiowu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\uwoigrav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\3077htsbdjyf[1].dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\Windows\System32\xanxksxg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\QIP\unqip.exe (Adware.Sogou) -> Not selected for removal.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2FRUEONZ\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6RZ5K8RV\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb671231[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb671231[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb767887[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8SOA80VQ\kb767887[5] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb456456[3] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb456456[4] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb671231[1] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb767887[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BUUMJ2Q4\kb767887[4] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FQGEFXM5\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\kb671231[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\kb671231[3] (Trojan.Vundo) -> Delete on reboot.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROQKT2BD\aqua3d[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb456456[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb671231[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb767887[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\kb767887[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\64q33[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Wilson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VL1E2V1Q\8579[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\bqdebiye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\dzrdtz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fwhcjlro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\hcuomwee.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\isfcntpq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\iwvqnmyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ojrlvtuq.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ozcgob.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\pjuftpqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\qelpdits.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\qkepkxsy.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rbjmcvjw.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rdsivoiu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rqtqbiqx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\smtcueac.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\smxbjyqw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\stzklr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\tkrwoglq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\uadfescc.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\uewxnkir.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ylgcgaqu.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Windows\System32\yntssofd.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Windows\System32\znbgug.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Windows\System32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully. MBR-Tool Log: Code:
ATTFilter Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK |
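A removal log like the one above is easier to judge when it is summarised by detection family and by what the tool actually did with each file. The script below is an added example (not a tool from the thread or from Malwarebytes) that parses lines in the `path (Detection) -> action.` layout shown in the post, groups them, and separates the items that still need a reboot or were left in place from those already quarantined. The sample lines are taken from the posted log; the `RANDOM_NAME` heuristic for machine-generated file names under System32 is an assumption of this example, not something the log states.

```python
import re
from collections import Counter

# Constructed sample: five lines copied from the Malwarebytes log posted above.
SAMPLE_LOG = """\
C:\\Windows\\System32\\vargiowu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\\Windows\\System32\\xanxksxg.dll (Trojan.Vundo) -> Delete on reboot.
C:\\Program Files\\QIP\\unqip.exe (Adware.Sogou) -> Not selected for removal.
C:\\Users\\Wilson\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\8SOA80VQ\\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\\Windows\\System32\\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
"""

# One log line: <path> (<detection>) -> <action>.
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>[^.]+)\.?\s*$"
)

SUCCESS = "Quarantined and deleted successfully"
REBOOT = "Delete on reboot"
SKIPPED = "Not selected for removal"

SYSTEM32 = "\\windows\\system32\\"
# Assumed heuristic: 6-8 lowercase letters + .dll/.exe, like the names in the log.
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.(dll|exe)$")


def parse_mbam(text):
    """Return one {path, detection, action} dict per line that matches the layout."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def family(detection):
    """'Trojan.Vundo.H' -> 'Trojan.Vundo'; keeps the first two dotted components."""
    return ".".join(detection.split(".")[:2])


def summarize(items):
    """Group the parsed lines and list what still needs follow-up after the scan."""
    by_family = Counter(family(i["detection"]) for i in items)
    by_action = Counter(i["action"] for i in items)
    needs_reboot = [i["path"] for i in items if i["action"] == REBOOT]
    left_in_place = [i["path"] for i in items if i["action"] == SKIPPED]
    # Files under System32 with a machine-looking name: worth re-checking after reboot.
    generated_names = [
        i["path"] for i in items
        if SYSTEM32 in i["path"].lower()
        and RANDOM_NAME.match(i["path"].rsplit("\\", 1)[-1].lower())
    ]
    return {
        "by_family": by_family,
        "by_action": by_action,
        "needs_reboot": needs_reboot,
        "left_in_place": left_in_place,
        "generated_names": generated_names,
        "clean_now": not needs_reboot and not left_in_place,
    }


if __name__ == "__main__":
    report = summarize(parse_mbam(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

"Delete on reboot" entries are only promises: the file was locked at scan time, so the system must actually be restarted and rescanned before the log counts as a clean result, which is also why the helpers in the thread keep asking for a fresh log after each step.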
31.08.2008, 00:59 | #5 |
/// TB-Ausbilder | Virtumonde cannot be removed Hi, a small tip on the side: please check your post with the VirusTotal results again. root24 wanted to see, besides the file size and checksums, the results of the individual virus scanners as well. After all, we are also interested in which malware the files are infected with. Please also say which files you did not have analysed, and why. Regards, myrtille
__________________ Requests by e-mail, profile or private message are ignored! Help is given ONLY in the forum! If you have not received a further reply from me after 24 hours, please send a PM. Spelling mistakes? Never, but keybaord malfunctions constantly! |
31.08.2008, 13:15 | #6 |
| Virtumonde cannot be removed Hello, so the file that was not analysed at first was not analysed because it simply was no longer there. I don't know why myself, but it just wasn't there any more. And now I wanted to have them all analysed again to add the remaining information, but had to find that, apart from the last file, all the others are no longer there either. And the last one belongs, judging by its name, to a program with which one (or I) can save videos from YouTube or convert them to MP3. So in my opinion not a big threat. And I also believe I remember that nothing was found for this file. Nevertheless, the further data on this file: Code:
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.30 -
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.30 -
BitDefender 7.2 2008.08.31 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.08.31 -
DrWeb 4.44.0.09170 2008.08.31 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.31 -
F-Prot 4.4.4.56 2008.08.30 -
F-Secure 7.60.13501.0 2008.08.31 -
Fortinet 3.14.0.0 2008.08.31 -
GData 19 2008.08.31 -
Ikarus T3.1.1.34.0 2008.08.31 -
K7AntiVirus 7.10.433 2008.08.30 -
Kaspersky 7.0.0.125 2008.08.31 -
McAfee 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.31 -
Rising 20.59.61.00 2008.08.31 -
Sophos 4.33.0 2008.08.31 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.31 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.30 -
Webwasher-Gateway 6.6.2 2008.08.30 - |
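The VirusTotal table above is what the helpers asked for because a single scanner's verdict says little; what matters is how many engines agree and how fresh their signatures were. The script below is an added example (not part of the thread and not VirusTotal's own code) that reads rows in the posted `engine version last-update result` layout, computes the detection ratio, lists the engines that flagged the file, and points out engines whose signature date lags the scan date. The sample rows reuse engine names and dates from the table; the two positive results are constructed for the example and are not from the thread.

```python
import re
from datetime import date

# Constructed sample in the layout of the VirusTotal table above. Engine names
# and dates come from the thread; the two non-"-" results are invented here.
SAMPLE_VT = """\
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.30 -
BitDefender 7.2 2008.08.31 Trojan.Vundo.Gen
Kaspersky 7.0.0.125 2008.08.31 Trojan.Win32.Monder.gen
McAfee 5373 2008.08.29 -
"""

# engine  version  YYYY.MM.DD  result   (header line has no date, so it is skipped)
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)


def parse_vt(text):
    """Return one dict per engine row; '-' means the engine reported nothing."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for r in rows if r["result"] != "-")
    return hits, len(rows)


def flagged(rows):
    """Map engine -> detection name for every engine that flagged the file."""
    return {r["engine"]: r["result"] for r in rows if r["result"] != "-"}


def _to_date(s):
    y, m, d = (int(p) for p in s.split("."))
    return date(y, m, d)


def stale(rows, scan_date, max_days=1):
    """Engines whose signature update is more than max_days behind the scan date."""
    cutoff = _to_date(scan_date)
    return [
        r["engine"] for r in rows
        if (cutoff - _to_date(r["updated"])).days > max_days
    ]


def assess(rows, scan_date):
    """One-line reading of the table for a forum reply."""
    hits, total = detection_ratio(rows)
    if hits == 0:
        return f"0/{total} engines flagged the file; that is not proof it is clean"
    return f"{hits}/{total} engines flagged the file: " + ", ".join(
        f"{e} ({n})" for e, n in sorted(flagged(rows).items())
    )


if __name__ == "__main__":
    rows = parse_vt(SAMPLE_VT)
    print(assess(rows, "2008.08.31"))
    print("engines with signatures older than one day:", stale(rows, "2008.08.31"))
```

Note the parser skips the German header row because it has no date column; the same function therefore works on a table pasted straight from the forum.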
31.08.2008, 19:01 | #7 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Virtumonde cannot be removed Let's try a run with ComboFix: A guide and tutorial on using ComboFix
ComboFix may only be run when a helper has expressly recommended it! Note: ComboFix disables the autostart function of all CD/DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread. Please post the logfiles enclosed in code tags (#-button), i.e. like this: HTML code: [code] Put the logfile here! [/code] Also make a file listing with this script:
Upload this listing.txt, e.g. to File-Upload.net, and link it here, as this logfile is too large for the board.
__________________ Please always post logfiles in CODE tags |
03.09.2008, 17:56 | #8 |
| Virtumonde cannot be removed It took a while, but here are the two things you still wanted. However, the ComboFix log is also too large for the board, so I uploaded it as well. Hope that's OK with you: ComboFix.txt and the link to listing.txt: listing.txt |
04.09.2008, 21:00 | #9 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Virtumonde cannot be removed Hi, at a quick glance nothing nasty caught my eye in the logs. So how are things now with your Vundo?
__________________ Please always post logfiles in CODE tags |
04.09.2008, 22:48 | #10 |
| Virtumonde cannot be removed Evening, so I think I've got rid of Vundo. At least I'm not getting any more pop-ups or anything else. Everything is as it should be! Really many, many thanks to you and to the whole board. Great stuff! I can't say thank you often enough. I was already afraid I'd have to wipe the machine, but fortunately you were able to avert that! THANKS!!! |