Trojaner-Board (https://www.trojaner-board.de/)
Thread: https://www.trojaner-board.de/70329-tr-dropper-gen-systemwiederherstellung.html

mylargo 23.02.2009 14:52

TR/Dropper.Gen in System Restore
 
Facts:
Hi virus fighters!

TR/Dropper.gen in:
1. C:\System Volume Information \restore {55940C15-EDF0-4323-BF63-E5991C3E6FA6}\RP101\A0019632.exe
2. C:\System Volume Information \restore {55940C15-EDF0-4323-BF63-E5991C3E6FA6}\RP101\A0019682.exe

Both were in quarantine and have now been restored to the desktop in the folder "Verdächtig".

HiJack

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:40, on 23.02.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MAUS_H~1\S1_2k.exe
C:\Programme\NetMeter\NetMeter.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [La_View Mouse] C:\PROGRA~1\MAUS_H~1\S1_2k.exe
O4 - HKCU\..\Run: [C:\Programme\NetMeter\NetMeter.exe] C:\Programme\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39BA2FAA-C3AD-41B5-96D9-664C0D8926E2}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{39BA2FAA-C3AD-41B5-96D9-664C0D8926E2}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{39BA2FAA-C3AD-41B5-96D9-664C0D8926E2}: NameServer = 192.168.2.1
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3577 bytes


Scan with VirusTotal:

1. A0019632.exe
Code:

Antivirus          Version          letzte aktualisierung          Ergebnis
a-squared        4.0.0.93        2009.02.23        -
AhnLab-V3        2009.2.23.2        2009.02.23        -
AntiVir        7.9.0.87        2009.02.23        TR/Dropper.Gen
Authentium        5.1.0.4        2009.02.23        -
Avast        4.8.1335.0        2009.02.23        -
AVG        8.0.0.237        2009.02.23        -
BitDefender        7.2        2009.02.23        -
CAT-QuickHeal        10.00        2009.02.22        -
ClamAV        0.94.1        2009.02.23        -
Comodo        986        2009.02.20        -
DrWeb        4.44.0.09170        2009.02.23        -
eSafe        7.0.17.0        2009.02.19        -
eTrust-Vet        31.6.6369        2009.02.23        -
F-Prot        4.4.4.56        2009.02.23        -
F-Secure        8.0.14470.0        2009.02.23        -
Fortinet        3.117.0.0        2009.02.23        -
GData        19        2009.02.23        -
Ikarus        T3.1.1.45.0        2009.02.23        -
K7AntiVirus        7.10.639        2009.02.21        -
Kaspersky        7.0.0.125        2009.02.23        -
McAfee        5533        2009.02.22        -
McAfee+Artemis        5533        2009.02.22        -
Microsoft        1.4306        2009.02.23        Trojan:Win32/Skintrim.gen!D
NOD32        3881        2009.02.23        a variant of Win32/Injector.IQ
Norman        6.00.06        2009.02.20        -
nProtect        2009.1.8.0        2009.02.23        -
Panda        10.0.0.10        2009.02.22        -
PCTools        4.4.2.0        2009.02.23        -
Prevx1        V2        2009.02.23        -
Rising        21.18.02.00        2009.02.23        -
SecureWeb-Gateway        6.7.6        2009.02.23        Trojan.Dropper.Gen
Sophos        4.39.0        2009.02.23        -
Sunbelt        3.2.1855.2        2009.02.17        -
Symantec        10        2009.02.23        -
TheHacker        6.3.2.5.263        2009.02.23        -
TrendMicro        8.700.0.1004        2009.02.23        -
VBA32        3.12.10.0        2009.02.22        -
ViRobot        2009.2.23.1618        2009.02.23        -
VirusBuster        4.5.11.0        2009.02.22        -
weitere Informationen
File size: 626213 bytes
MD5...: fa823c133a8b54abc8bc21dc26e5f259
SHA1..: 8c2509579cd9588fe93fdcc261848e44de64bce5
SHA256: a8b4f14f433d2d187e628985fe6126dcf4fc87de463c841eda38dbf2f199ad9e
SHA512: 638aa69231dac85490fa60c27fef733a454d02e226f17bbc4f049bd0fe937d85
38c107099cc3c9c571a81b9176a9eda49d5e288df7867e7f5fdcc0364f5c1907
ssdeep: 12288:UtDDbplUVrZmkdf0tlYBvsmwu0WRLJ3smW9rqzykd0P6tyntM7y5qeS:uy
xB2+sr8LJ3dW9rqz6P4yM7gqeS
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4036f0
timedatestamp.....: 0x47b6d8d0 (Sat Feb 16 12:36:32 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x38d46 0x2a00 6.04 7ab63541e52e0d1b36cfc7e102844691
.rdata 0x3a000 0xa18 0xc00 4.86 811ec3e3172248d429530667acf699ad
.data 0x3b000 0x48e15 0x49000 7.43 b5c0eb5f7f170c6ee0888e708b2098dd
.rsrc 0x84000 0x4260 0x4400 5.81 8a2d44c48b8c6dfcd769045826d020dc

( 9 imports )
> GDI32.dll: RectVisible, StrokePath, StretchDIBits, CreateDCW, SetTextCharacterExtra, GetCharacterPlacementA, GetMapMode, GetTextCharacterExtra, SetEnhMetaFileBits, CopyEnhMetaFileA
> SHELL32.dll: SHChangeNotify, FindExecutableA, SHLoadInProc, SHGetSpecialFolderPathW
> USER32.dll: SetTimer, SetWindowPos, CopyIcon, TileWindows, RegisterClipboardFormatW, GetMenuItemInfoW, CharLowerW, GetWindowDC, SetDlgItemInt, CheckMenuItem, ShowCaret, ChangeClipboardChain, CheckRadioButton, GetDCEx, SetWindowPlacement, InsertMenuA, GetDC, IsClipboardFormatAvailable, LoadMenuA
> ole32.dll: CreateStreamOnHGlobal, OleConvertIStorageToOLESTREAM
> KERNEL32.dll: VirtualProtect, ReadConsoleInputW, ReleaseSemaphore, SetEvent, EnumDateFormatsW, GetPrivateProfileStringW, _hread, GetFileAttributesExA, GetEnvironmentStringsW, ExitProcess, ClearCommBreak, GetBinaryTypeA, SetHandleCount, EndUpdateResourceA, SetEnvironmentVariableW, GlobalReAlloc, GetCPInfo, GetCommModemStatus, GetCommState, IsProcessorFeaturePresent, GetBinaryTypeW, SetProcessAffinityMask
> VERSION.dll: VerQueryValueA
> ADVAPI32.dll: MakeAbsoluteSD, RegOpenKeyExW, OpenThreadToken, QueryServiceConfigW, RegSaveKeyW, BuildSecurityDescriptorW, RevertToSelf, RegDeleteKeyA, SetFileSecurityW, RegEnumValueW, ChangeServiceConfigW, CryptSignHashW, RegRestoreKeyA, RegConnectRegistryA, RegSetValueExA, CreateServiceA, InitializeAcl
> WS2_32.dll: -, WSAResetEvent, WSALookupServiceBeginA, -
> MSVCRT.dll: longjmp, _strtime, ferror, _getcwd, ctime, _mbsnbcmp, fputws

( 0 exports )

2. A0019682.exe
Code:

Antivirus          Version          letzte aktualisierung          Ergebnis
a-squared        4.0.0.93        2009.02.23        -
AhnLab-V3        2009.2.23.2        2009.02.23        -
AntiVir        7.9.0.87        2009.02.23        TR/Dropper.Gen
Authentium        5.1.0.4        2009.02.23        -
Avast        4.8.1335.0        2009.02.23        -
AVG        8.0.0.237        2009.02.23        -
BitDefender        7.2        2009.02.23        -
CAT-QuickHeal        10.00        2009.02.22        -
ClamAV        0.94.1        2009.02.23        -
Comodo        983        2009.02.20        -
DrWeb        4.44.0.09170        2009.02.23        -
eSafe        7.0.17.0        2009.02.19        -
eTrust-Vet        31.6.6369        2009.02.23        -
F-Prot        4.4.4.56        2009.02.23        -
F-Secure        8.0.14470.0        2009.02.23        -
Fortinet        3.117.0.0        2009.02.23        -
GData        19        2009.02.23        -
Ikarus        T3.1.1.45.0        2009.02.23        -
K7AntiVirus        7.10.639        2009.02.21        -
Kaspersky        7.0.0.125        2009.02.23        -
McAfee        5533        2009.02.22        -
McAfee+Artemis        5533        2009.02.22        -
Microsoft        1.4306        2009.02.23        Trojan:Win32/Skintrim.gen!D
NOD32        3881        2009.02.23        a variant of Win32/Injector.IQ
Norman        6.00.06        2009.02.20        -
nProtect        2009.1.8.0        2009.02.23        -
Panda        10.0.0.10        2009.02.22        -
PCTools        4.4.2.0        2009.02.23        -
Prevx1        V2        2009.02.23        -
Rising        21.18.02.00        2009.02.23        -
SecureWeb-Gateway        6.7.6        2009.02.23        Trojan.Dropper.Gen
Sophos        4.39.0        2009.02.23        -
Sunbelt        3.2.1855.2        2009.02.17        -
Symantec        10        2009.02.23        -
TheHacker        6.3.2.5.263        2009.02.23        -
TrendMicro        8.700.0.1004        2009.02.23        -
VBA32        3.12.10.0        2009.02.22        -
ViRobot        2009.2.23.1618        2009.02.23        -
VirusBuster        4.5.11.0        2009.02.22        -
weitere Informationen
File size: 626374 bytes
MD5...: 7172679ed2dcb0ed6ad96ea39c312bc8
SHA1..: cef31fc5bc85b90c60e503d2710d16366cee47e1
SHA256: 73b86aa4080bf93bbda2722756c9e3d62c3492b812774f2aeb78b0d4b2a07d30
SHA512: 636e8b32a313b007eea0f0478fdc8efd4a9326baadbc57603adf5f59c3c6cfb7
2129280c9ff462dbb4626ad4e1831108b82fd5c8a70c75a8cd66631a6df19860
ssdeep: 12288:UtDDbplUVrZmkdf0tlYBvsmwufWRLJ3smW9rqzykd0P6tyntM7y5qeS:uy
xB2+srNLJ3dW9rqz6P4yM7gqeS
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4036f0
timedatestamp.....: 0x47b6d8d0 (Sat Feb 16 12:36:32 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x38d46 0x2a00 6.04 7ab63541e52e0d1b36cfc7e102844691
.rdata 0x3a000 0xa18 0xc00 4.86 811ec3e3172248d429530667acf699ad
.data 0x3b000 0x48e15 0x49000 7.43 b5c0eb5f7f170c6ee0888e708b2098dd
.rsrc 0x84000 0x4260 0x4400 5.81 8a2d44c48b8c6dfcd769045826d020dc

( 9 imports )
> GDI32.dll: RectVisible, StrokePath, StretchDIBits, CreateDCW, SetTextCharacterExtra, GetCharacterPlacementA, GetMapMode, GetTextCharacterExtra, SetEnhMetaFileBits, CopyEnhMetaFileA
> SHELL32.dll: SHChangeNotify, FindExecutableA, SHLoadInProc, SHGetSpecialFolderPathW
> USER32.dll: SetTimer, SetWindowPos, CopyIcon, TileWindows, RegisterClipboardFormatW, GetMenuItemInfoW, CharLowerW, GetWindowDC, SetDlgItemInt, CheckMenuItem, ShowCaret, ChangeClipboardChain, CheckRadioButton, GetDCEx, SetWindowPlacement, InsertMenuA, GetDC, IsClipboardFormatAvailable, LoadMenuA
> ole32.dll: CreateStreamOnHGlobal, OleConvertIStorageToOLESTREAM
> KERNEL32.dll: VirtualProtect, ReadConsoleInputW, ReleaseSemaphore, SetEvent, EnumDateFormatsW, GetPrivateProfileStringW, _hread, GetFileAttributesExA, GetEnvironmentStringsW, ExitProcess, ClearCommBreak, GetBinaryTypeA, SetHandleCount, EndUpdateResourceA, SetEnvironmentVariableW, GlobalReAlloc, GetCPInfo, GetCommModemStatus, GetCommState, IsProcessorFeaturePresent, GetBinaryTypeW, SetProcessAffinityMask
> VERSION.dll: VerQueryValueA
> ADVAPI32.dll: MakeAbsoluteSD, RegOpenKeyExW, OpenThreadToken, QueryServiceConfigW, RegSaveKeyW, BuildSecurityDescriptorW, RevertToSelf, RegDeleteKeyA, SetFileSecurityW, RegEnumValueW, ChangeServiceConfigW, CryptSignHashW, RegRestoreKeyA, RegConnectRegistryA, RegSetValueExA, CreateServiceA, InitializeAcl
> WS2_32.dll: -, WSAResetEvent, WSALookupServiceBeginA, -
> MSVCRT.dll: longjmp, _strtime, ferror, _getcwd, ctime, _mbsnbcmp, fputws

( 0 exports )

AVZguard
See attachment

The thing with the mouse is probably a false alarm (csv file, since it is a driver from the manufacturer's homepage).

So no findings here, hmm :/

Delete both files?
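The two VirusTotal reports above share every per-section MD5, entry point and timestamp, yet differ in file size (626213 vs. 626374 bytes) and file hashes. The following Python is an added example, not code from the thread: it parses excerpts of both reports (copied from the posts, with the engine table shortened to the four hits plus one clean engine) and reports that relationship, which is what tells an analyst these are one code image rather than two different samples.

```python
import re

# Added example (not from the thread): compare the two VirusTotal text reports
# posted above. Excerpts as posted; the engine table is cut to the four hits
# plus one clean engine, the PE section table is complete.
REPORT_A0019632 = """\
AntiVir        7.9.0.87        2009.02.23        TR/Dropper.Gen
Kaspersky        7.0.0.125        2009.02.23        -
Microsoft        1.4306        2009.02.23        Trojan:Win32/Skintrim.gen!D
NOD32        3881        2009.02.23        a variant of Win32/Injector.IQ
SecureWeb-Gateway        6.7.6        2009.02.23        Trojan.Dropper.Gen
File size: 626213 bytes
MD5...: fa823c133a8b54abc8bc21dc26e5f259
.text 0x1000 0x38d46 0x2a00 6.04 7ab63541e52e0d1b36cfc7e102844691
.rdata 0x3a000 0xa18 0xc00 4.86 811ec3e3172248d429530667acf699ad
.data 0x3b000 0x48e15 0x49000 7.43 b5c0eb5f7f170c6ee0888e708b2098dd
.rsrc 0x84000 0x4260 0x4400 5.81 8a2d44c48b8c6dfcd769045826d020dc
"""
# The second report differs only in file size and hashes (detections and
# section MD5s are identical on the page), so it is derived by substitution.
REPORT_A0019682 = REPORT_A0019632.replace("626213", "626374").replace(
    "fa823c133a8b54abc8bc21dc26e5f259", "7172679ed2dcb0ed6ad96ea39c312bc8")

ENGINE = re.compile(r"^(\S+)\s+\S+\s+\d{4}\.\d{2}\.\d{2}\s+(.+?)\s*$")
SECTION = re.compile(r"^(\.\w+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+[\d.]+\s+([0-9a-f]{32})$")

def parse_report(text):
    """Extract detections, file size, file MD5 and per-section MD5s."""
    info = {"detections": {}, "sections": {}, "size": None, "md5": None}
    for line in text.splitlines():
        if m := SECTION.match(line):
            info["sections"][m.group(1)] = m.group(2)
        elif m := re.match(r"^File size: (\d+) bytes$", line):
            info["size"] = int(m.group(1))
        elif m := re.match(r"^MD5\.+: ([0-9a-f]{32})$", line):
            info["md5"] = m.group(1)
        elif (m := ENGINE.match(line)) and m.group(2) != "-":  # "-" = clean
            info["detections"][m.group(1)] = m.group(2)
    return info

def compare(a, b):
    """Identical section hashes with a different file hash and size means the
    differing bytes lie outside the PE sections (headers or appended overlay)."""
    return {
        "same_sections": bool(a["sections"]) and a["sections"] == b["sections"],
        "same_md5": a["md5"] == b["md5"],
        "size_delta": b["size"] - a["size"],
        "engines_agreeing": sorted(set(a["detections"]) & set(b["detections"])),
    }
```

Running `compare(parse_report(REPORT_A0019632), parse_report(REPORT_A0019682))` yields identical sections, differing MD5 and a 161-byte size difference, with the same four engines flagging both files.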

mylargo 23.02.2009 16:12

Malwarebytes Anti-Malware result:

Code:

Malwarebytes' Anti-Malware 1.34
Datenbank Version: 1795
Windows 5.1.2600 Service Pack 3

23.02.2009 16:08:51
mbam-log-2009-02-23 (16-08-51).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 111513
Laufzeit: 24 minute(s), 41 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Probably also uninteresting, since it comes from HiJack...

mylargo 24.02.2009 21:07

OK, I'll call it closed... I deleted it and several scanners no longer show anything. Unfortunately no reply came, but there was quite a bit to be found via the search function anyway... hfgl


Copyright ©2000-2025, Trojaner-Board
