Trojaner-Board


Saibotto 23.04.2012 18:29

TR/Sirefef BV 2 infection on .dll files in the system

Hello,

Yesterday I caught the Trojan Sirefef BV 2. While surfing the web, a prompt for a Java update popped up, just like the ones I am familiar with, which is why I clicked Continue. Shortly afterwards AntiVir reported that 2 viruses had been detected. I could not remove them with AntiVir. I also heard voices whenever I was in Firefox.

After searching the internet I found the program "ZeroAccessRemovalTool Sirefef" from malwarecity. It ran a scan, found two viruses and also removed them; since then I have noticed nothing more of the infection. However, I read here in the forum that after a Trojan you should always format the PC. I have already read through a guide on that in the forum too.

For backing up my data I bought an external USB drive today. My question now: can I put UNetbootin on the external drive, boot my infected computer from it and pull my files onto the same drive to rescue them? What if that does not work right away and the computer boots normally into Vista? Would the Trojan then immediately settle onto the USB drive as well?

Kind regards,
Tobi

DDS.txt:
Code:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_26
Run by Tobi at 16:20:36 on 2012-04-23
Microsoft® Windows Vista™ Home Premium  6.0.6002.2.1252.49.1031.18.3197.2203 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\PACKARD BELL\Packard Bell PowerSave Solution\ePowerSvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NewTech Infosystems\Packard Bell MyBackup\IScheduleSvc.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\PACKARD BELL\Packard Bell PowerSave Solution\ePowerTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PACKARD BELL\SetupMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\PACKARD BELL\Packard Bell PowerSave Solution\ePowerEvent.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Tobi\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&s=2&o=vp32&d=0709&m=easynote_lj61
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0407&s=2&o=vp32&d=0709&m=easynote_lj61
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SmpcSys] c:\program files\packard bell\setupmypc\SmpSys.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Acer ePower Management] c:\program files\packard bell\packard bell powersave solution\ePowerTrayLauncher.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [VideoWebCamera] "c:\program files\videowebcamera\VideoWebCamera.exe" -a
mRun: [PLFSetI] c:\program files\PLFSetI.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\tobi\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\tobi\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: Interfaces\{B9185514-078F-45F7-8300-AB33287111E2} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tobi\appdata\roaming\mozilla\firefox\profiles\gv446x4c.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\gamespy\comrade\npcomrade.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\tobi\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\avira\antivir desktop\sched.exe [2010-5-21 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-21 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-21 66616]
R2 ePowerSvc;Acer ePower Service;c:\program files\packard bell\packard bell powersave solution\ePowerSvc.exe [2009-3-20 703008]
R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\newtech infosystems\packard bell mybackup\IScheduleSvc.exe [2009-3-10 44800]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-3-20 223232]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-3-20 23096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2008-1-21 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;"c:\program files\google\google desktop search\googledesktop.exe" --> c:\program files\google\google desktop search\GoogleDesktop.exe [?]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-22 22:34:52        92672        ----a-w-        c:\programdata\kL0eM4PP.exe
2012-04-22 21:46:55        335504        ----a-w-        c:\windows\system32\drivers\TrufosAlt.sys
2012-04-22 21:15:17        0        --sha-w-        c:\windows\system32\dds_trash_log.cmd
2012-04-22 18:32:35        6734704        ----a-w-        c:\programdata\microsoft\windows defender\definition updates\{a362aad0-237b-4378-85a8-353fada55330}\mpengine.dll
2012-04-12 01:11:39        5120        ----a-w-        c:\windows\system32\wmi.dll
2012-04-12 01:11:39        172032        ----a-w-        c:\windows\system32\wintrust.dll
2012-04-12 01:11:39        157696        ----a-w-        c:\windows\system32\imagehlp.dll
2012-04-12 01:11:39        12800        ----a-w-        c:\windows\system32\drivers\fs_rec.sys
2012-04-12 01:10:10        3550080        ----a-w-        c:\windows\system32\ntoskrnl.exe
2012-04-12 01:10:09        3602816        ----a-w-        c:\windows\system32\ntkrnlpa.exe
2012-04-11 15:35:05        2409784        ----a-w-        c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M  ====================
.
2012-02-28 01:18:55        1799168        ----a-w-        c:\windows\system32\jscript9.dll
2012-02-28 01:11:21        1427456        ----a-w-        c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07        1127424        ----a-w-        c:\windows\system32\wininet.dll
2012-02-28 01:03:16        2382848        ----a-w-        c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36        237072        ------w-        c:\windows\system32\MpSigStub.exe
2012-02-14 15:45:30        219648        ----a-w-        c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30        160768        ----a-w-        c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08        1172480        ----a-w-        c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57        683008        ----a-w-        c:\windows\system32\d2d1.dll
2012-02-13 13:44:40        1068544        ----a-w-        c:\windows\system32\DWrite.dll
2012-02-07 09:02:40        1070352        ----a-w-        c:\windows\system32\MSCOMCTL.OCX
2012-02-02 15:16:25        2044416        ----a-w-        c:\windows\system32\win32k.sys
.
============= FINISH: 16:21:16,52 ===============

--- --- ---


attach.txt:
Code:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 30.07.2009 15:55:25
System Uptime: 23.04.2012 16:14:52 (0 hours ago)
.
Motherboard: Packard Bell    |  | SJV70-PU   
Processor: AMD Athlon(tm) X2 Dual-Core QL-64 | Socket S1G2 | 2100/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 285 GiB total, 35,032 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft-6zu4-Adapter
Device ID: ROOT\*6TO4MP\0008
Manufacturer: Microsoft
Name: Microsoft-6zu4-Adapter #9
PNP Device ID: ROOT\*6TO4MP\0008
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft-6zu4-Adapter
Device ID: ROOT\*6TO4MP\0010
Manufacturer: Microsoft
Name: Microsoft-6zu4-Adapter #11
PNP Device ID: ROOT\*6TO4MP\0010
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft-ISATAP-Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft-ISATAP-Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9 - Deutsch
Adobe Shockwave Player 11.5
All Aspect Warfare Demo
AMD USB Audio Driver Filter
AMX Mod X Installer 1.8.1
Anno 1404 (Demo)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATI Catalyst Install Manager
ATV Mudracer 1.1
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Backup Manager Basic
Battlefield 2
Battlefield 2(TM)
BF2SP64
Bonjour
bwin Casino
Call of Duty Modern Warfare 2
Call of Juarez: Bound in Blood Demo
Canon iP2600 series
Canon iP2600 series Benutzerregistrierung
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Cisco Systems VPN Client 5.0.07.0290
CodeBlocks
Compatibility Pack für 2007 Office System
Counter-Strike
Counter-Strike 1.6
CyberLink PowerDVD 8
DHTML Editing Component
Europe MapleStory
Facebook Video Calling 1.2.0.159
Free Audio CD Burner version 1.4
Free PDF to Word Doc Converter v1.1
Free YouTube Download version 3.0.13.815
FreeStar Free WAV MP3 Converter 1.0.4
GameSpy Comrade
Google Desktop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Identity Card
InfoCentre
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Junk Mail filter update
Launch Manager
LogMeIn Hamachi
Medal of Honor Beta
MetaBoli
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile DEU Language Pack
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (German) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint Viewer 2007 (German)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (German) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MicroStation V8i (SELECTseries 1) 08.11.07.171
Mozilla Firefox 11.0 (x86 de)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8 Essentials
neroxml
Norton Internet Security
Norton Security Scan
Packard Bell Customer Registration
Packard Bell MyBackup
Packard Bell PowerSave Solution
Packard Bell Recovery Management
PackardBell ScreenSaver
PokerStars
Poladroid
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Reason 4.0
ReBirth RB-338 2.0
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile DEU Language Pack (KB2518870)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
SetupMyPC
Skype™ 4.1
SpeedFan (remove only)
Steam
Stronghold 2
Synaptics Pointing Device Driver
System Requirements Lab CYRI
TrackMania Nations ESWC 0.1.7.5
UF-MIDI.1.05 Vista Unofficial
Uninstall 1.0.0.1
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Outlook 2007 Help (KB963677)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2598306) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Updator
Vegas Pro 9.0
Video Web Camera
Visual Basic for Applications (R) Core
Visual Basic for Applications (R) Core - German
VLC media player 1.0.1
Windows Live-Uploadtool
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Writer
WinRAR
.
==== End Of File ===========================

gmer.txt:
Code:

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-23 17:36:45
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000083 Hitachi_ rev.PB3O
Running: bgiu7bjg.exe; Driver: C:\Users\Tobi\AppData\Local\Temp\uwldipod.sys


---- System - GMER 1.0.15 ----

SSDT            8D1BA84E                                                                                                            ZwCreateSection
SSDT            8D1BA853                                                                                                            ZwSetContextThread
SSDT            8D1BA7EF                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!KeSetEvent + 215                                                                                        826F6998 4 Bytes  [4E, A8, 1B, 8D]
.text          ntkrnlpa.exe!KeSetEvent + 56D                                                                                        826F6CF0 4 Bytes  [53, A8, 1B, 8D]
.text          ntkrnlpa.exe!KeSetEvent + 621                                                                                        826F6DA4 4 Bytes  [EF, A7, 1B, 8D]
.text          C:\Windows\system32\DRIVERS\atikmdag.sys                                                                            section is writeable [0x8F210000, 0x231284, 0xE8000020]
.text          cdrom.sys                                                                                                            8F142000 121 Bytes  [64, 3A, 5C, 6C, 6F, 6E, 67, ...]
.text          cdrom.sys                                                                                                            8F14207A 1 Byte  [44]
.text          cdrom.sys                                                                                                            8F14207A 7 Bytes  [44, 00, 6F, 00, 73, 00, 44] {INC ESP; ADD [EDI+0x0], CH; JAE 0x6; INC ESP}
.text          cdrom.sys                                                                                                            8F142082 1 Byte  [65]
.text          cdrom.sys                                                                                                            8F142082 47 Bytes  [65, 00, 76, 00, 69, 00, 63, ...]
.text          ...                                                                                                                 
?              C:\Windows\system32\DRIVERS\cdrom.sys                                                                                suspicious PE modification
.text          C:\Windows\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0x9F871300, 0x3B6D8, 0xE8000020]
.text          C:\Windows\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0x9F8B4300, 0x1BEE, 0xE8000020]
?              C:\Users\Tobi\AppData\Local\Temp\mbr.sys                                                                            Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

?              C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\smss.exe                                                  image checksum mismatch; time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                                                              Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                   
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                  C:\Program Files\Daemon\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                              0x55 0xCE 0xC7 0xDB ...
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                           
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0xA1 0x67 0x03 0xD3 ...
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                     
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x80 0xF5 0xC0 0xBC ...
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)               
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                      C:\Program Files\Daemon\DAEMON Tools Lite\
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                  0x55 0xCE 0xC7 0xDB ...
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)       
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0xA1 0x67 0x03 0xD3 ...
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x80 0xF5 0xC0 0xBC ...

---- EOF - GMER 1.0.15 ----

--- --- ---


Small update:
The virus has just shown up again. So the program was useless.
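As an added example (not part of the thread, and not code from Trojaner-Board or the DDS tool): a small Python triage helper over the "Created Last 30" section of a DDS log like the one above. It parses the entries and scores each file on the heuristics a log helper applies by eye: executable type, user-writable location, random-looking name, hidden attribute, and creation within 24 hours of the reported infection. The reference time 2012-04-22 is an assumption taken from "yesterday" in the post; the sample lines are copied from the DDS log above.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log (added example)."""
import re
from datetime import datetime, timedelta

# Sample entries, constructed from the DDS log quoted in the post above.
SAMPLE_DDS = r"""
2012-04-22 22:34:52        92672        ----a-w-        c:\programdata\kL0eM4PP.exe
2012-04-22 21:46:55        335504        ----a-w-        c:\windows\system32\drivers\TrufosAlt.sys
2012-04-22 21:15:17        0        --sha-w-        c:\windows\system32\dds_trash_log.cmd
2012-04-12 01:10:10        3550080        ----a-w-        c:\windows\system32\ntoskrnl.exe
2012-04-11 15:35:05        2409784        ----a-w-        c:\program files\windows mail\OESpamFilter.dat
"""

# Assumption: the poster says the infection happened "yesterday" relative to 23 April 2012.
REFERENCE_TIME = datetime(2012, 4, 22)

# DDS line layout: timestamp, size in bytes, 8-char attribute field, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$"
)

# Locations a standard user can write to without elevation (lower-cased for matching).
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".cmd", ".bat", ".scr")


def parse_created(text):
    """Yield (created, size, attrs, path) for every well-formed DDS entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, '.' separators, blank lines
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield created, int(m.group(2)), m.group(3), m.group(4)


def looks_random(path):
    """Mixed-case alphanumeric stem containing digits (e.g. kL0eM4PP): typical of dropped payloads."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (6 <= len(stem) <= 10 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def score_entries(text, ref_time, window=timedelta(hours=24)):
    """Return {path: (score, reasons)}; the score only orders analyst review, it is not a verdict.

    Files created by the analysis tools themselves (DDS's dds_trash_log.cmd, the removal
    tool's driver) also score, so the analyst must still recognise them by name.
    """
    results = {}
    for created, _size, attrs, path in parse_created(text):
        low = path.lower()
        reasons = []
        if low.endswith(EXEC_EXT):
            reasons.append("executable type")
        if any(w in low for w in USER_WRITABLE):
            reasons.append("user-writable location")
        if looks_random(path):
            reasons.append("random-looking name")
        if ref_time <= created < ref_time + window:
            reasons.append("created around the reported infection")
        if "h" in attrs:
            reasons.append("hidden attribute")
        results[path] = (len(reasons), reasons)
    return results


def triage_sample():
    """Score the embedded sample against the assumed infection date."""
    return score_entries(SAMPLE_DDS, REFERENCE_TIME)


if __name__ == "__main__":
    for path, (score, reasons) in sorted(triage_sample().items(),
                                         key=lambda kv: -kv[1][0]):
        print(f"{score}  {path}  ({', '.join(reasons)})")
```

On the sample, c:\programdata\kL0eM4PP.exe scores highest (four reasons) while the Windows Update files from 12 April score only for being executables.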

markusg 23.04.2012 19:05

hi,
can you post the removal tool's report?
for further analysis i need the following.
c:\Users\Tobi\AppData\LocalLow\Sun\Java\Deployment\cache
there, right-click the cache folder, pack it with winrar or another program, and upload it in the upload channel please

Trojaner-Board Upload Channel

Saibotto 23.04.2012 19:50

Hello,
thanks for your reply. The Deployment folder is empty...

markusg 23.04.2012 19:51

right-click it, properties, and check whether it really is empty.

Saibotto 23.04.2012 19:52

Size: 0 bytes
Contents: 0 files and 0 folders

markusg 23.04.2012 19:55

ok.
as for the data backup, we can also do that under windows.
1. Data rescue:
2. Format, reinstall Windows:
3. Secure the PC: http://www.trojaner-board.de/96344-a...-rechners.html
i will also post further points on this.
4. change all passwords!
5. after securing the PC, check the backed-up data and, if clean, restore it.
6. then i will also say something about securing online banking with a chip card reader + Star Money.

Saibotto 23.04.2012 20:01

This is exactly the list I saw in another thread and have been looking into. For the data backup with PartedMagic you need a bootable USB stick. My question is whether that could be the external hard drive that I later also want to use to rescue the files.

markusg 23.04.2012 20:04

hi, yes, that should work.
but i can't tell you with 100% certainty

Saibotto 23.04.2012 20:12

Ok. One more thing. To be able to select drive H:\ in UNetbootin, i.e. my external hard drive, it has to be formatted as FAT32. I have already found programs that do that, but then not much of the 320 GB of space is left, is it? Can such formatting be undone again?

markusg 23.04.2012 20:30

yes, you can just copy your stuff back afterwards.
or put ubuntu on a cd:
Download | Ubuntu
boot your pc from it in try-out mode and then copy your data to the external drive

Saibotto 23.04.2012 20:49

First of all, many thanks for your help! Can I also download Ubuntu on my infected computer and burn it to a DVD-R, or would the Trojan somehow end up on it too? Unfortunately my roommate's computer has no burner, and I don't have a USB stick at hand at the moment either.

markusg 24.04.2012 13:23

another pc would be better. but if there's no other way you can use yours too

Saibotto 24.04.2012 17:42

So I bought a USB stick today after all. I will now put Ubuntu on it to boot my infected computer from the stick. Can I be absolutely sure that the Trojan won't infect the external hard drive if I connect it to the computer while Ubuntu is running?

markusg 24.04.2012 17:52

well, there's no such thing as absolute certainty :d
but so far i don't know of any variant that runs under linux, so you can be 99% sure.

