TR/Monder.140288 won't leave me alone

04.07.2008, 10:57
Honorary member
Sabina

Posts: 29434
#16 Mr. Blume

Avenger
http://virus-protect.org/artikel/tools/avenger.html
tick the box "Automatically disable any rootkits found"
The box "Scan for Rootkits" should also be ticked.
copy this into the white field:

Quote

Registry keys to delete:
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\00000000a8d8a5c4
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\00000000a8d8a5c4
HKLM\SYSTEM\ControlSet002\Services\00000000a8d8a5c4
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\00000000a8d8a5c4
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\00000000a8d8a5c4
HKLM\SYSTEM\CurrentControlSet\Services\00000000a8d8a5c4
HKLM\SYSTEM\ControlSet004\Control\SafeBoot\Minimal\00000000a8d8a5c4
HKLM\SYSTEM\ControlSet004\Control\SafeBoot\Network\00000000a8d8a5c4
HKLM\SYSTEM\ControlSet004\Services\00000000a8d8a5c4
Files to delete:
C:\WINDOWS\Temp\tmp7D.tmp.00000000a8d8a5c4.tmp
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\Temp\scs9.tmp
C:\WINDOWS\Temp\3A5.tmp
C:\WINDOWS\Temp\5BC.tmp
C:\WINDOWS\Temp\scs9.tmp
C:\WINDOWS\Temp\tmp1.tmp
C:\WINDOWS\Temp\tmp11.tmp
C:\WINDOWS\Temp\tmp12.tmp
C:\WINDOWS\Temp\tmp13.tmp
C:\WINDOWS\Temp\tmp14.tmp
C:\WINDOWS\Temp\tmp2.tmp
C:\WINDOWS\Temp\tmp3.tmp
C:\WINDOWS\Temp\tmp4.tmp
C:\WINDOWS\Temp\tmp5.tmp
C:\WINDOWS\Temp\tmp5BD.tmp
C:\WINDOWS\Temp\tmp5BE.tmp
C:\WINDOWS\Temp\tmp6.tmp
C:\WINDOWS\Temp\tmp653.tmp
C:\WINDOWS\Temp\tmp654.tmp
C:\WINDOWS\Temp\tmp655.tmp
C:\WINDOWS\Temp\tmp656.tmp
C:\WINDOWS\Temp\tmp657.tmp
C:\WINDOWS\Temp\tmp658.tmp
C:\WINDOWS\Temp\tmp659.tmp
C:\WINDOWS\Temp\tmp65A.tmp
C:\WINDOWS\Temp\tmp65B.tmp
C:\WINDOWS\Temp\tmp65C.tmp
C:\WINDOWS\Temp\tmp65D.tmp
C:\WINDOWS\Temp\tmp65E.tmp
C:\WINDOWS\Temp\tmp6C3.tmp
C:\WINDOWS\Temp\tmp6C4.tmp
C:\WINDOWS\Temp\tmp6C7.tmp
C:\WINDOWS\Temp\tmp6C8.tmp
C:\WINDOWS\Temp\tmp7.tmp
C:\WINDOWS\Temp\tmp70C.tmp
C:\WINDOWS\Temp\tmp70D.tmp
C:\WINDOWS\Temp\tmp77.tmp
C:\WINDOWS\Temp\tmp78.tmp
C:\WINDOWS\Temp\tmp795.tmp
C:\WINDOWS\Temp\tmp796.tmp
C:\WINDOWS\Temp\tmp7A.tmp
C:\WINDOWS\Temp\tmp7B.tmp
C:\WINDOWS\Temp\tmp7D.tmp
C:\WINDOWS\Temp\tmp820.tmp
C:\WINDOWS\Temp\tmp821.tmp
C:\WINDOWS\Temp\tmp824.tmp
C:\WINDOWS\Temp\tmp825.tmp
C:\WINDOWS\Temp\tmp858.tmp
C:\WINDOWS\Temp\tmp859.tmp
C:\WINDOWS\Temp\tmp882.tmp
C:\WINDOWS\Temp\tmp883.tmp
C:\WINDOWS\Temp\tmp884.tmp
C:\WINDOWS\Temp\tmp885.tmp
C:\WINDOWS\Temp\tmp886.tmp
Folders to delete:
C:\WINDOWS\system32\.00000000a8d8a5c4
C:\WINDOWS\SYSTEM32\wsnpoem

close all open programs (because after running the Avenger the computer will restart)

Click: Execute

confirm that the computer will be restarted - click "yes"

after the restart a log from the Avenger appears automatically - (C:\avenger.txt), copy it - with a right mouse click - copy - paste

run gmer once more + post the report here

__________
Regards, Sabina

all about PC security
04.07.2008, 12:44
Member

Thread starter

Posts: 13
#17 Hello Sabina,

here is the Avenger log:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "00000000a8d8a5c4" found!
DisplayName: Microsoft DDE+ server
ImagePath: C:\WINDOWS\system32\.00000000a8d8a5c4\00000000a8d8a5c4.exe
Driver disabled successfully.

Rootkit scan completed.

Registry key "HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Network\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet002\Services\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Services\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Control\SafeBoot\Minimal\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Control\SafeBoot\Network\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Services\00000000a8d8a5c4" deleted successfully.
File "C:\WINDOWS\Temp\tmp7D.tmp.00000000a8d8a5c4.tmp" deleted successfully.
File "C:\WINDOWS\Temp\tmp7.tmp" deleted successfully.


*******************

Finished! Terminate.

and the gmer report:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-04 12:39:56
Windows 5.1.2600 Service Pack 2


---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [01A07376] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Programme\Mozilla Firefox\firefox.exe[1820] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [01A073CC] C:\Programme\Mozilla Firefox\extensions\talkback@mozilla.org\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- EOF - GMER 1.0.14 ----

Regards
Mr. Blume
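As an added example (not from this thread and not part of the Avenger tool): a small Python script that cross-checks the Avenger script from post #16 against the log from post #17 and lists every requested item for which the log contains no "deleted successfully" line, so a helper can see what still needs a manual check. The "Folder ... deleted successfully." line format is an assumption, since the posted log only shows registry-key and file confirmations; the embedded script and log are shortened excerpts of the ones in the thread.

```python
import re

# Excerpts of the Avenger script from post #16 and the log from post #17
# (the full file list is shortened here to keep the example readable).
AVENGER_SCRIPT = """\
Registry keys to delete:
HKLM\\SYSTEM\\CurrentControlSet\\Services\\00000000a8d8a5c4
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\00000000a8d8a5c4
Files to delete:
C:\\WINDOWS\\Temp\\tmp7D.tmp.00000000a8d8a5c4.tmp
C:\\WINDOWS\\system32\\ntos.exe
C:\\WINDOWS\\Temp\\tmp7.tmp
Folders to delete:
C:\\WINDOWS\\system32\\.00000000a8d8a5c4
C:\\WINDOWS\\SYSTEM32\\wsnpoem
"""
AVENGER_LOG = """\
Registry key "HKLM\\SYSTEM\\CurrentControlSet\\Services\\00000000a8d8a5c4" deleted successfully.
Registry key "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\00000000a8d8a5c4" deleted successfully.
File "C:\\WINDOWS\\Temp\\tmp7D.tmp.00000000a8d8a5c4.tmp" deleted successfully.
File "C:\\WINDOWS\\Temp\\tmp7.tmp" deleted successfully.
"""
# Script section headers mapped to the noun Avenger uses in its log lines;
# "Folder" is an assumption, the posted log only shows registry-key and file lines.
SECTION_KIND = {"Registry keys to delete:": "Registry key",
                "Files to delete:": "File",
                "Folders to delete:": "Folder"}
CONFIRMED_RE = re.compile(r'^(Registry key|File|Folder) "(.+)" deleted successfully\.$')

def parse_script(text):
    """Return {(kind, path)} for every item the script asks Avenger to delete."""
    items, kind = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTION_KIND:
            kind = SECTION_KIND[line]
        elif line and kind:
            # registry and NTFS paths are case-insensitive, so compare lower-cased
            items.add((kind, line.lower()))
    return items

def parse_log(text):
    """Return {(kind, path)} for every deletion the log explicitly confirms."""
    confirmed = set()
    for line in text.splitlines():
        m = CONFIRMED_RE.match(line.strip())
        if m:
            confirmed.add((m.group(1), m.group(2).lower()))
    return confirmed

def unconfirmed(script_text, log_text):
    """Requested items with no confirmation line: absent at run time, or still present."""
    return sorted(parse_script(script_text) - parse_log(log_text))

if __name__ == "__main__":
    for kind, path in unconfirmed(AVENGER_SCRIPT, AVENGER_LOG):
        print(f"no confirmation in log: {kind} {path}")
```

Run against the full script and log from the thread, the output is the list of paths to look for by hand (or to expect in the follow-up Antivir and AVZ scans).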
04.07.2008, 18:10
Honorary member
Sabina

Posts: 29434
#18 0.
remove Avenger together with its backup and empty the recycle bin

1.
boot into safe mode, scan with Antivir
set detection level "high" - (tick expert mode)
then post the scan report here

2.
download avz, scan + post the report
http://virus-protect.org/artikel/tools/avz.html
__________
Regards, Sabina

all about PC security
05.07.2008, 13:12
Member

Thread starter

Posts: 13
#19 Hello, and sorry that it took a bit longer

Here are 2 Antivir reports. I had aborted the first one by accident, but since Antivir found the trojan TR/Monder.140288 in that one and it was not detected in the 2nd scan, I thought both scans might be of importance.

1. Antivir report (aborted):

Avira AntiVir Personal
Erstellungsdatum der Reportdatei: Freitag, 4. Juli 2008 23:36

Der Suchlauf über die Masterbootsektoren wird begonnen:
Masterbootsektor HD0
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf über die Bootsektoren wird begonnen:
Bootsektor 'C:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'F:\'
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf auf Verweise zu ausführbaren Dateien (Registry) wird begonnen.
Die Registry wurde durchsucht ( '39' Dateien ).


Der Suchlauf über die ausgewählten Dateien wird begonnen:

Beginne mit der Suche in 'C:\' <Windows>
C:\pagefile.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
C:\avenger\.00000000a8d8a5c4\00000000a8d8a5c4.core.dll
[FUND] Ist das Trojanische Pferd TR/Monder.140288
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '489e9827.qua' verschoben!


Here is the 2nd scan:


Avira AntiVir Personal
Erstellungsdatum der Reportdatei: Freitag, 4. Juli 2008 23:45


Der Suchlauf über die ausgewählten Dateien wird begonnen:

Beginne mit der Suche in 'C:\' <Windows>
C:\pagefile.sys
[WARNUNG] Die Datei konnte nicht geöffnet werden!
Beginne mit der Suche in 'F:\' <Download>
F:\alt\Dokumente und Einstellungen\Toni\Eigene Dateien\Eigene Dateien\eminem.exe
[WARNUNG] Aus diesem Archiv können keine weiteren Dateien ausgepackt werden. Das Archiv wird geschlossen.


Ende des Suchlaufs: Samstag, 5. Juli 2008 02:50
Benötigte Zeit: 3:05:10 min


and the avz log as well:


Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 05.07.2008 12:37:23
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
System booted in Safe Mode
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
Driver communication failure [00000002] - [1]
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
Driver communication failure [00000002] - [1]
2. Scanning memory
Number of processes found: 12
Number of modules loaded: 150
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 63576, extracted from archives: 47182, malicious software found 0, suspicions - 0
Scanning finished at 05.07.2008 12:51:20
Time of scanning: 00:13:58
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference


Kind regards
Mr. Blume
05.07.2008, 13:47
Honorary member
Sabina

Posts: 29434
#20 didn't I write that you should remove Avenger + backup from the system before the scan with Avira ??
remove C:\avenger (if still present) + empty the recycle bin

remove all tmp files under
C:\WINDOWS\Temp\
if any are still present.

then everything should be OK again ;)
__________
Regards, Sabina

all about PC security