| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Vundo/Virtumonde (vermutlich)Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
06.01.2009, 18:48
| #1 |
 |  Vundo/Virtumonde (vermutlich) Hallo, neuer member und dann gleich so ein Thema  Sorry. Auch wenn das Thema bereits so oft existiert, wage ich mal meinen Fall zu schildern - in der Hoffnung auf Hilfe. Zum System: Windows XP mit SP2 ... auf nem etwas älteren Computer. Firefox (aber Internet-Explorer ist installiert, sonst spinnt mein MSN  )Neu aufsetzen mit format c etc. möchte ich unbedingt vermeiden. Problem: Extrem langsamer Start. Wenn es nicht "einfriert". Fehlermeldungen der Explorer.exe, die aber ignoriert werden können (kommen als 16 bit-System Meldung). Allgemeine Langsamkeit. Im Netz kommen "lustige" pop-ups, Google/Yahoo links werden umgeleitet etc, auf Seiten von Anti-Virus-Software kann ich nicht zugreifen...updates für Windows oder Kaspersky (hab 2009 erst nach der Infektion bekommen) runterladen funktioniert auch nicht  . Das "übliche" Vundo-Verhalten (von dem was ich gelesen habe).In Ad-Aware (welches im Weiteren nutzlos war und de-installiert wurde) war auch mal Vundo/Virtumonde als Meldung aufgetaucht. Andere Programme (Spybot, Malwarebites) werden gar nicht erst gestartet. Hijackthis meint: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:48:39, on 06.01.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\Explorer.EXE C:\Programme\Java\jre6\bin\jqs.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\Dit.exe C:\WINDOWS\CNYHKey.exe C:\WINDOWS\system32\Prismsta.exe C:\Programme\HP\hpcoretech\hpcmpmgr.exe C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe C:\Programme\Logitech\QuickCam\Quickcam.exe C:\Programme\Java\jre6\bin\jusched.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe C:\WINDOWS\System32\svchost.exe c:\programme\logitech\quickcam\lu\lulnchr.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\system32\wscntfy.exe c:\programme\logitech\quickcam\lu\LogitechUpdate.exe C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE C:\Programme\Windows Live\Messenger\msnmsgr.exe C:\Programme\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\system32\rundll32.exe c:\lotus\wordpro\wordpro.exe C:\Programme\Internet Explorer\iexplore.exe C:\DOKUME~1\***\LOKALE~1\Temp\csrssc.exe C:\WINDOWS\system32\taskmgr.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hp://w.accoona.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hp://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hp://w.accoona.com/search?q=%s R3 - URLSearchHook: (no name) - {2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9} - FLKPT.dll (file missing) F2 - REG:system.ini: UserInit=userinit.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" O4 - HKLM\..\Run: [2496af42] rundll32.exe "C:\WINDOWS\system32\arqcykfe.dll",b O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\eraser.exe -hide O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [gadcom] "C:\Dokumente und Einstellungen\***\Anwendungsdaten\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139 O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\csrssc.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: Logitech . Produktregistrierung.lnk = C:\Programme\Logitech\QuickCam\eReg.exe O4 - Global Startup: Kodak EasyShare Software.lnk = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: MedionShop - {07E3F115-C445-480D-94CB-ECA914A353CE} - hp://w.medionshop.de/ (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hp://software-dl.real.com/04a30f04300bfbf27206/netzip/RdxIE601_de.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{AE60CE46-C8A7-4F46-9B82-19496EE1E875}: NameServer = 217.237.149.205 217.237.151.51 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: axlrsp.dll wtdhhh.dll qergrj.dll itbhyl.dll glezxi.dll qcrpie.dll ugtpei.dll gromqd.dll vpswlf.dll lceaff.dll dcfkxh.dll wzdgxc.dll slpilz.dll awengh.dll bldqdp.dll oyqtrx.dll pnugaj.dll tmeubo.dll nrohqz.dll xkcgcq.dll syswwb.dll quykcz.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll ejmdtq.dll O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\***\LOKALE~1\Temp\hpdj.exe (file missing) O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe |
|
06.01.2009, 19:18
| #2 |
  | Vundo/Virtumonde (vermutlich) Hallo und
__________________ Arbeite diese Liste ab: 1.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen: Code:
ATTFilter C:\WINDOWS\system32\arqcykfe.dll
C:\Dokumente und Einstellungen\SEBAST~1\Anwendungsdaten\gadcom\gadcom.exe
C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\csrssc.exe
C:\WINDOWS\system32\rsekd83jde.dll
Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so: HTML-Code: [code] Hier das Logfile rein! [/code] 3.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten (Wächter Deines Virenscanner vor dem Scannen deaktivieren!) 4.) Superantispyware runterladen und laufenlassen, so wie hier beschrieben: http://www.trojaner-board.de/51871-a...tispyware.html 5.) ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten. 6.) Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe Editiere die Links und privaten Infos!! ciao, andreas |
|
06.01.2009, 19:53
| #3 |
| | Vundo/Virtumonde (vermutlich) Thanks.
__________________Und sorry, wegen den logfile-Format. Das Problem bei den ersten Schritten (mit Ausnahme von combofix, wovon ich bisher die Finger gelassen habe) ist folgendes: Ich bekomme keine server-Verbindung zu den Seiten. Alles, was mit Anti-Virus zu tun hat wird geblockt. Virustotal (gerade mehrfach probiert) und die direkten downloads für Malwarebytes etc. auch (wie schon oben beschrieben). Ich habe mir Malwarebytes und SUPERAntiSpyware als downloadvon einem anderen rechner ziehen können (Uni-Rechner, da komm ich vor morgen auch nicht dran). Beide Programme werden nicht gestartet. malwarebytes ohne jede Meldung. Superantispyware gibt eine (Windows)Fehlermeldung ohne weitere Begründung.  |
|
06.01.2009, 20:00
| #4 |
| | Vundo/Virtumonde (vermutlich) Start => Ausführen => devmgmt.msc eingeben und [Enter] drücken Menüzeile: Ansicht => Ausgeblendete Geräte anzeigen => Nicht-PNP-Treiber Dort alle Treiber, die mit ADS oder TDS beginnen (vermutlich ist es TDSSserv.sys) deaktivieren => Rechner neustarten, nochmal probieren. ciao, andreas p.s.: Teste auch das Umbenennen der Programme in z.B. asdf.com Geändert von john.doe (06.01.2009 um 20:11 Uhr) |
|
06.01.2009, 20:35
| #5 |
| | Vundo/Virtumonde (vermutlich) Danke. Es war die TDSSserv  Ich geh dann mal die Liste durch. arqcykfe.dll Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.06 -
AhnLab-V3 2009.1.6.3 2009.01.06 -
AntiVir 7.9.0.45 2009.01.06 HEUR/Crypted
Authentium 5.1.0.4 2009.01.06 -
Avast 4.8.1281.0 2009.01.06 -
AVG 8.0.0.199 2009.01.06 -
BitDefender 7.2 2009.01.06 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.06 -
Comodo 884 2009.01.06 -
DrWeb 4.44.0.09170 2009.01.06 -
eTrust-Vet 31.6.6294 2009.01.06 Win32/VundoCryptorAA!generic
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.06 -
Fortinet 3.117.0.0 2009.01.06 -
GData 19 2009.01.06 -
Ikarus T3.1.1.45.0 2009.01.06 -
K7AntiVirus 7.10.578 2009.01.06 -
Kaspersky 7.0.0.125 2009.01.06 -
McAfee 5486 2009.01.05 -
McAfee+Artemis 5487 2009.01.06 Generic!Artemis
Microsoft 1.4205 2009.01.06 Trojan:Win32/Vundo.gen!Y
NOD32 3743 2009.01.06 -
Norman 5.80.02 2009.01.06 -
Panda 9.0.0.4 2009.01.06 -
PCTools 4.4.2.0 2009.01.06 -
Rising 21.11.12.00 2009.01.06 AdWare.Win32.Agent.cqn
SecureWeb-Gateway 6.7.6 2009.01.06 Heuristic.Crypted
Sophos 4.37.0 2009.01.06 Troj/Virtum-Gen
Sunbelt 3.2.1809.2 2008.12.22 VIPRE.Suspicious
Symantec 10 2009.01.06 -
TheHacker 6.3.1.4.205 2009.01.05 -
TrendMicro 8.700.0.1004 2009.01.06 -
VBA32 3.12.8.10 2009.01.06 -
ViRobot 2009.1.6.1546 2009.01.06 -
VirusBuster 4.5.11.0 2009.01.06 -
weitere Informationen
File size: 72704 bytes
MD5...: 442fdfb53d15cdc5f80b0d7793da9369
SHA1..: 70625dce17f0e2c6124c6907d41674f2f32e9965
SHA256: 83e5b83d449322c796e79e623722dfb3fb886b25ac768d501c71a73dc42f7b22
SHA512: 888ee982f2db2f9f7418ef98e5713f13bb0b2fe4bbb771062081bc8f6b6eb102
5ccaa179b15b3b43450c3c8bcd9e297fa024634553f70455793de6b6e2eb2775
ssdeep: 1536:HciZq0r59K8nEMSjkfpY0EjPUGIrp1tokg/04R8G7q0Um+K:HHqS9K8E/jk
6GokY04Zo
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10021526
timedatestamp.....: 0x4823ae2e (Fri May 09 01:51:42 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1000 0x200 7.61 55f1aae89dd4396a0d3bea7efae8c254
text 0x2000 0x1000 0x200 7.61 b945b20c17d84cebd228f92bd47849af
text 0x3000 0x1d000 0xe800 8.00 b70deb00125a5b1b1ac33cc2391c46b6
.reloc 0x20000 0x1000 0x400 2.24 f855c79b5614ab83c10f2d4df14a06c5
.pdata 0x21000 0x3000 0x2800 3.85 383fc4d5935895699d3e53f297381495
( 4 imports )
> USER32.dll: SystemParametersInfoA, GetSystemMetrics
> KERNEL32.dll: ExitProcess, GetSystemInfo, CreateFileA
> GDI32.dll: CreateHalftonePalette
> comdlg32.dll: PrintDlgExW
( 0 exports )
|
|
06.01.2009, 20:45
| #6 |
| | Vundo/Virtumonde (vermutlich) csrssc.exe Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.06 -
AhnLab-V3 2009.1.6.3 2009.01.06 -
AntiVir 7.9.0.45 2009.01.06 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2009.01.06 -
Avast 4.8.1281.0 2009.01.06 Win32:Trojan-gen {Other}
AVG 8.0.0.199 2009.01.06 Crypt
BitDefender 7.2 2009.01.06 -
CAT-QuickHeal 10.00 2009.01.06 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.01.06 -
Comodo 884 2009.01.06 -
DrWeb 4.44.0.09170 2009.01.06 -
eTrust-Vet 31.6.6294 2009.01.06 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.06 -
F-Secure 8.0.14470.0 2009.01.06 -
Fortinet 3.117.0.0 2009.01.06 -
GData 19 2009.01.06 Win32:Trojan-gen {Other}
Ikarus T3.1.1.45.0 2009.01.06 -
K7AntiVirus 7.10.578 2009.01.06 -
Kaspersky 7.0.0.125 2009.01.06 Trojan-Downloader.Win32.Suurch.hs
McAfee 5486 2009.01.05 Generic Dropper.bu
McAfee+Artemis 5487 2009.01.06 Generic Dropper.bu
Microsoft 1.4205 2009.01.06 PWS:Win32/Ldpinch.BO
NOD32 3743 2009.01.06 -
Norman 5.80.02 2009.01.06 W32/Antivirus2008.BJE
Panda 9.0.0.4 2009.01.06 Adware/ProAntispyware2009
PCTools 4.4.2.0 2009.01.06 -
Prevx1 V2 2009.01.06 Cloaked Malware
Rising 21.11.12.00 2009.01.06 -
SecureWeb-Gateway 6.7.6 2009.01.06 Trojan.Crypt.XPACK.Gen
Sophos 4.37.0 2009.01.06 Mal/Generic-A
Sunbelt 3.2.1809.2 2008.12.22 VIPRE.Suspicious
Symantec 10 2009.01.06 Trojan.Fakeavalert
TheHacker 6.3.1.4.205 2009.01.05 -
TrendMicro 8.700.0.1004 2009.01.06 -
VBA32 3.12.8.10 2009.01.06 -
ViRobot 2009.1.6.1546 2009.01.06 Trojan.Win32.Amvo.Gen
VirusBuster 4.5.11.0 2009.01.06 -
weitere Informationen
File size: 22017 bytes
MD5...: 050c0347af9d75c24a85ab5201b5e067
SHA1..: ec243508b0136f80cce8d846384639189cea9cff
SHA256: 22cd55f6ca4db7c5394abf2e2825308d650c1838b8679a6b8cf4ad42479c681d
SHA512: a12c915dfb4cfebabe5be3078c6942e33e9dedb589b6d533f387fb6bf9e29042
64c1ee74fad438a9a4a9299885279b7b09b4e848bf7454c5b20f72e7de1fc67c
ssdeep: 384:PTv9/7wy+G6HAVOENzkmt42gCjV1hXK8FT4nhJRvTrJ3eWH5sEzAjoSYgiA0
9eRV:7vJaG6H9AAM4RSXXGRvTrJ37Hhz0G9en
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401008
timedatestamp.....: 0x4947f405 (Tue Dec 16 18:31:33 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x1000 0x400 3.55 e11bce845f5e330eb35c826931262272
0x2000 0x5000 0x4600 7.93 ccb81d4f4f5e83906aa411754dd0fc37
0x7000 0x21000 0x800 4.19 3993efd9a118cf0ff060759f8b45e973
( 3 imports )
> KERNEL32.DLL: ExitProcess, GetProcAddress, lstrcpyn, WaitCommEvent, _lcreat, CreateIoCompletionPort, FindFirstFileExW, SetCommState, BuildCommDCBAndTimeoutsW, GetTimeZoneInformation, SetFileAttributesA, ReadFile, GetVolumeInformationA, GetConsoleCursorInfo, SetMessageWaitingIndicator, TlsFree, GetOEMCP, PulseEvent, GetSystemTimeAdjustment, SetConsoleCtrlHandler, WaitForSingleObject, InterlockedExchangeAdd, DefineDosDeviceA, TlsAlloc, Sleep
> USER32.DLL: GetWindowTextLengthA, InternalGetWindowText, PeekMessageW, OpenIcon, LoadImageW, LoadCursorA, GetMessagePos, DrawMenuBarTemp, EnumChildWindows, IsWindowEnabled, AppendMenuA, GetKeyboardState, SetCursorPos, wvsprintfW, GetClipboardFormatNameA, InsertMenuW, CallMsgFilter, GetKeyState, RegisterClassExA, BringWindowToTop, GetAncestor, GetDlgItemInt, DefMDIChildProcW, DeleteMenu, DialogBoxParamA, EnumDesktopsA, EnumDisplayDevicesA
> GDI32.DLL: CreateCompatibleDC, EnumICMProfilesW, ExcludeClipRect, DPtoLP, EnumICMProfilesA, SwapBuffers, CopyMetaFileA, DeleteMetaFile, CreateDIBitmap, CreateRoundRectRgn, EnumObjects, GetDeviceGammaRamp, CreateEllipticRgnIndirect, ScaleViewportExtEx, GetLayout, CreateScalableFontResourceA, GetTextExtentExPointA, ResetDCW, GetPixelFormat, FlattenPath, RectVisible
( 0 exports )
Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.06 Trojan-Clicker.Win32.Klik!IK
AhnLab-V3 2009.1.6.3 2009.01.06 Win-Trojan/Downloader.15000.AB
AntiVir 7.9.0.45 2009.01.06 TR/Dldr.Small.ahhm
Authentium 5.1.0.4 2009.01.06 W32/Trojan3.RF
Avast 4.8.1281.0 2009.01.06 Win32:Zbot-AWR
AVG 8.0.0.199 2009.01.06 Crypt.Y
BitDefender 7.2 2009.01.06 Packer.Malware.Lighty.F
CAT-QuickHeal 10.00 2009.01.06 TrojanDownloader.Small.ahhm
ClamAV 0.94.1 2009.01.06 -
Comodo 884 2009.01.06 TrojWare.Win32.TrojanDownloader.Small.~NQ
DrWeb 4.44.0.09170 2009.01.06 Trojan.DownLoad.4660
eTrust-Vet 31.6.6294 2009.01.06 Win32/FakeAlert.UA
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.06 W32/Trojan3.RF
F-Secure 8.0.14470.0 2009.01.06 Trojan-Downloader.Win32.Small.ahhm
Fortinet 3.117.0.0 2009.01.06 W32/Small.AHHM!tr.dldr
GData 19 2009.01.06 Packer.Malware.Lighty.F
Ikarus T3.1.1.45.0 2009.01.06 Trojan-Clicker.Win32.Klik
K7AntiVirus 7.10.578 2009.01.06 Trojan-Downloader.Win32.Small.ahhm
Kaspersky 7.0.0.125 2009.01.06 Trojan-Downloader.Win32.Small.ahhm
McAfee 5486 2009.01.05 Generic.dx
McAfee+Artemis 5487 2009.01.06 Generic.dx
Microsoft 1.4205 2009.01.06 PWS:Win32/Ldpinch.BO
NOD32 3743 2009.01.06 Win32/TrojanDownloader.Small.NTQ
Norman 5.80.02 2009.01.06 W32/Zbot.BVQ
Panda 9.0.0.4 2009.01.06 Adware/ProAntispyware2009
PCTools 4.4.2.0 2009.01.06 -
Prevx1 V2 2009.01.06 Malicious Software
Rising 21.11.12.00 2009.01.06 Trojan.Win32.Undef.van
SecureWeb-Gateway 6.7.6 2009.01.06 Trojan.Dldr.Small.ahhm
Sophos 4.37.0 2009.01.06 Mal/EncPk-EQ
Sunbelt 3.2.1809.2 2008.12.22 Trojan.FakeAlert
TheHacker 6.3.1.4.205 2009.01.05 Trojan/Downloader.Small.ahhm
TrendMicro 8.700.0.1004 2009.01.06 TROJ_FAKEAV.LIL
VBA32 3.12.8.10 2009.01.06 Trojan-Downloader.Win32.Agent.auij
ViRobot 2009.1.6.1546 2009.01.06 Trojan.Win32.FakeAV.15000
VirusBuster 4.5.11.0 2009.01.06 Trojan.Klik.A
weitere Informationen
File size: 15000 bytes
MD5...: 708d325c4ae65816a9c6054f669a5f56
SHA1..: 7b4008bfbed5571fe181fa66ee87454a09b6f90a
SHA256: 8bb155620f995e250e3d3e09387ba58ba3d2b66c51d5a3bdf2022266c9178d45
SHA512: 622c2d5e33a07570e83c97344af7c19355b643656b1ab4f5e5a546250782a635
2bf023a6082b4eabf6d880ea2b1cfac6f4c068bdd011c073afd86e1c852dc350
ssdeep: 192:c9K93Uh1O7UqUBaziELVcl4TsG1OSo5R2OGXkB4utk6ZZh+A:c9K9H7UjMma
1g5R6l
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001008
timedatestamp.....: 0x49440237 (Sat Dec 13 18:43:03 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.code 0x1000 0x1000 0x400 3.47 c76420ac393e361622667080ca491e0c
.idata 0x2000 0x2000 0x1600 7.79 611eb23166eeb0db5f00112248c7e54b
.data 0x4000 0x1000 0x800 4.79 cce38e99840c175acea0e1a6a96c5b10
.reloc 0x5000 0x2000 0x200 0.15 b9a28a389cd5a88277ec15d90cd77044
( 3 imports )
> KERNEL32.DLL: Sleep, GetProcAddress, ExitProcess, GetConsoleCursorInfo, Heap32ListFirst, GetStringTypeExW, PrepareTape, GetPrivateProfileStructW, CreateIoCompletionPort, GetAtomNameA, IsDBCSLeadByte, GlobalGetAtomNameA, IsBadHugeReadPtr, GetCurrencyFormatA, FindFirstChangeNotificationA, SetCommMask, GetTapeStatus, GetDefaultCommConfigW, PeekNamedPipe, Thread32First, EnumSystemCodePagesA, EnumCalendarInfoExA, EndUpdateResourceA
> USER32.DLL: SendMessageCallbackW, ArrangeIconicWindows, BroadcastSystemMessageW, UnregisterClassW, DlgDirListComboBoxA, LoadCursorW, CopyRect, GetClassInfoW, InvalidateRgn, UnregisterHotKey, GetWindowTextW, GetFocus, GetKBCodePage, SendInput, OpenWindowStationA, DdeConnect, GetWindowDC, GetMenuItemCount, DialogBoxIndirectParamW, RealChildWindowFromPoint, ChangeDisplaySettingsW, GetSysColor, UnregisterClassA, SetWinEventHook, CreateDesktopA, ToAscii, SetSysColorsTemp, WinHelpA, PackDDElParam
> GDI32.DLL: SetTextJustification, GetICMProfileA, GetObjectW, GetTextFaceW, CreateICA, EnumICMProfilesA, CreatePatternBrush, StartPage, AnimatePalette, GetWindowExtEx, GetMetaFileW, GetCharacterPlacementW, GetStockObject, BeginPath, GetMetaFileA, GetBitmapDimensionEx, SetBkMode, SetViewportOrgEx, PolyDraw, GetBkMode, CreateDIBPatternBrushPt, GetColorAdjustment, GetEnhMetaFileHeader, CreatePenIndirect, GetBkColor, GetBoundsRect, DeleteColorSpace, CancelDC, DeleteMetaFile
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
Geändert von bakeneko (06.01.2009 um 20:51 Uhr) |
|
07.01.2009, 11:34
| #7 |
| | Vundo/Virtumonde (vermutlich) Die gadcom war "verschwunden", bei Malwarebytes aber wieder da...hmmm. Code:
ATTFilter Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1625
Windows 5.1.2600 Service Pack 2
07.01.2009 10:22:41
mbam-log-2009-01-07 (10-22-41).txt
Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)
Durchsuchte Objekte: 131606
Laufzeit: 1 hour(s), 52 minute(s), 39 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 24
Infizierte Registrierungsschlüssel: 46
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 1
Infizierte Dateien: 100
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
C:\WINDOWS\system32\arqcykfe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cbXqNeCV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccccaAq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\axlrsp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wtdhhh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qergrj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\itbhyl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\glezxi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qcrpie.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ugtpei.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gromqd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vpswlf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lceaff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dcfkxh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wzdgxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\slpilz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awengh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bldqdp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tmeubo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkcgcq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\syswwb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\quykcz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ejmdtq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.BHO) -> Delete on reboot.
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccccaaq (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b4428ae-08d2-4526-9ba1-82c10c2dfb48} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b4428ae-08d2-4526-9ba1-82c10c2dfb48} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8265984b-f5af-4bcd-b76d-ed8751cf6316} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2df60b2-cd83-4536-8f86-3388ce8d611f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22d2dbb0-9e59-48e4-9877-f40ea3000887} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{284b08e1-4c87-4e9f-888a-e5d253816c13} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c8753b1-4982-4424-b491-b6d96b9eeb68} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{24bfb204-db08-40de-931f-146ec2d76dc1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1dc53d1b-abc3-4d1b-9eaa-0775ca396f5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a7e9372-e1a3-4097-b698-b18dbd4864bb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3674d453-26e8-453e-83be-f63d51ac6fd0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{438180cf-7066-42ae-bd38-e35a13df9878} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f8598c3-cffa-4a68-9f38-ac379f083028} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{417fa668-b115-4f9c-85d8-dbdf6e7c301f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{768f19e8-64c5-46a8-9b38-22390f35a520} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c1626168-8745-4738-9918-58389052b3cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c1626168-8745-4738-9918-58389052b3cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{44ee0707-d9a4-4569-afb3-a547b6926d2f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{215def8e-02a6-452d-a92d-810447bd569b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d202a703-c1d6-48f0-8b49-0f4e304eda3c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6ccb48c5-569e-4931-b865-8f60f2038828} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6cf9f31f-17c1-4fb8-8515-5c0bcbe2ca17} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2496af42 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxqnecv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqnecv -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\***\Anwendungsdaten\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Infizierte Dateien:
C:\WINDOWS\system32\cbXqNeCV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VCeNqXbc.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VCeNqXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccccaAq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ahqftnjt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tjntfqha.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arqcykfe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efkycqra.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iibmrwtg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gtwrmbii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdiixahs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shaxiidj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrcqcslr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlscqcrj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjopnwpm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mpwnpojk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mbhdqwce.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ecwqdhbm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ngqsleor.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roelsqgn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paqcplmc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmlpcqap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfeyggtf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftggyefp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbvjdwdp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdwdjvbq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yijhmhxn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nxhmhjiy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ylujqqpp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppqqjuly.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ypngsfhq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhfsgnpy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytgpbhed.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dehbpgty.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\axlrsp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wtdhhh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qergrj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\itbhyl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\glezxi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qcrpie.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ugtpei.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gromqd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vpswlf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lceaff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dcfkxh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wzdgxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\slpilz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awengh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bldqdp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tmeubo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkcgcq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\syswwb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\quykcz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ejmdtq.dll (Trojan.Vundo) -> Delete on reboot.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\2257539428.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\TDSS60a5.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0PYBW1MN\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BYJTTXNF\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FESFVHK5\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\SFTB6MN1\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP657\A1330617.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iljjrlfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aiyqoqel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awytlnst.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dapjurjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gsgebhix.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lnnonsll.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavhkuca.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnpur.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoitu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSyoqm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uwahhiit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGvtQk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmkigH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnMefc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twqiibst.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\renrjbnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsdpmubv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXRJBUM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arortafu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iuysduut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mykiuxyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhxbkase.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vygppz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnlcbjqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xwthsmao.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjduwht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ywvtdbsa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ioxbsosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abitgvlf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enxaiqnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmxwe.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\TDSS60d4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkao.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Code:
ATTFilter
01/07/09 10:38:43 [Info]: BlackLight Engine 2.2.1092 initialized
01/07/09 10:38:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/07/09 10:38:43 [Note]: 7019 4
01/07/09 10:38:43 [Note]: 7005 0
01/07/09 10:38:47 [Note]: 7006 0
01/07/09 10:38:47 [Note]: 7011 1684
01/07/09 10:38:47 [Note]: 7035 0
01/07/09 10:38:48 [Note]: 7026 0
01/07/09 10:38:48 [Note]: 7026 0
01/07/09 10:38:53 [Note]: FSRAW library version 1.7.1024
01/07/09 11:20:50 [Note]: 7007 0
Geändert von bakeneko (07.01.2009 um 12:28 Uhr) |
|
07.01.2009, 16:22
| #8 | |
| | Vundo/Virtumonde (vermutlich)Zitat:
Seit wann hast du denn schon Probleme? ciao, andreas |
|
07.01.2009, 17:03
| #9 | |
| | Vundo/Virtumonde (vermutlich)Zitat:
Party!  Der machte schon immer wieder mal n paar kleiner Probleme... aber direkt mit dem was ich im Eingangspost beschrieben habe seit ca. 5 Tagen. Ja, ich bin langsam  Ich hab, wie der log zeigt mal den Kram mit Malwarebytes gelöscht und auch neu gebootet und geh grad noch mal damit drüber, um zu sehen was da nun angezeigt wird. |
|
07.01.2009, 17:28
| #10 |
| | Vundo/Virtumonde (vermutlich) So, das ist auch durch. Komischerweise hat er noch mal 2 Einträge gefunden, aber zumindest nicht mehr 100. Code:
ATTFilter Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1627
Windows 5.1.2600 Service Pack 2
07.01.2009 16:19:58
mbam-log-2009-01-07 (16-19-58).txt
Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 128811
Laufzeit: 1 hour(s), 18 minute(s), 41 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
|
|
07.01.2009, 18:23
| #11 |
| | Vundo/Virtumonde (vermutlich) Superantispyware war dafür fündig. Code:
ATTFilter SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/07/2009 at 05:12 PM
Application Version : 4.21.1004
Core Rules Database Version : 3698
Trace Rules Database Version: 1674
Scan type : Complete Scan
Total Scan Time : 00:43:35
Memory items scanned : 551
Memory threats detected : 3
Registry items scanned : 6010
Registry threats detected : 60
File items scanned : 26549
File threats detected : 14
Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\OYQTRX.DLL
C:\WINDOWS\SYSTEM32\OYQTRX.DLL
C:\WINDOWS\SYSTEM32\PNUGAJ.DLL
C:\WINDOWS\SYSTEM32\PNUGAJ.DLL
C:\WINDOWS\SYSTEM32\NROHQZ.DLL
C:\WINDOWS\SYSTEM32\NROHQZ.DLL
Parasite.WareOut
HKLM\Software\Classes\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}
HKCR\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}
HKCR\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}\InprocServer32
FLKPT.DLL
HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\Internet Explorer\URLSearchHooks#{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}
Adware.Tracking Cookie
**********************************
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
Rogue.Component/Trace
HKLM\Software\Microsoft\2496BDCC
HKLM\Software\Microsoft\2496BDCC#2496bdcc
HKLM\Software\Microsoft\2496BDCC#Version
HKLM\Software\Microsoft\2496BDCC#2496104c
HKLM\Software\Microsoft\2496BDCC#249679a9
HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\CS41275
HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\FIAS4018
Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP657\A1335709.DLL
Trojan.Dropper/Gen
C:\T_ONLINE\DRELREST.EXE
Adware.Vundo/Variant-Trace
C:\WINDOWS\SYSTEM32\SVCMLXYB.INI
Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSMTPE.DAT
|
|
07.01.2009, 18:26
| #12 |
| | Vundo/Virtumonde (vermutlich) ComboFix wird noch mehr finden. ciao, andreas |
|
07.01.2009, 18:43
| #13 |
| | Vundo/Virtumonde (vermutlich) Das sind ja gute Aussichten  Superantispyware war schon ziemlich gut. Allerdings konnt ich jetzt bein restart 4 mal nicht normal booten. Nur in den abgesicherten Modus. Dann kam beim 3./4. mal die Meldung das ein paar Dateien nicht geladen werden konnten (aus System32, also vemutlich infizierte oder Vundo). Jetzt funzt es wieder. Normal/Okay oder nicht? |
|
07.01.2009, 18:47
| #14 |
| | Vundo/Virtumonde (vermutlich) Nö, alles andere als normal. Poste ein aktuelles HJT-Log bevor du weitermachst. ComboFix noch nicht starten. War eh etwas verblüfft, das SUPERAntiSpyware die Sachen, die MbAm schon gelöscht hat, noch einmal löschen kann. Kontrolliere die Systemwiederherstellung. Sie muss ausgeschaltet sein. ciao, andreas |
|
07.01.2009, 18:50
| #15 |
| | Vundo/Virtumonde (vermutlich) Okay. Was nun? Noch einmal von vorn? |
|
| Themen zu Vundo/Virtumonde (vermutlich) |
| .dll, ad-aware, adobe, dateien, dll, einstellungen, eraser, explorer.exe, firefox, format, hkus\s-1-5-18, internet explorer, kaspersky, microsoft, monitor, mozilla, msn, pop-ups, programme, rundll, schutz, seiten, skype.exe, system, temp, windows, windows xp |
Linear-Darstellung
