Win32/Olmarik Trojan - undetectable
#0
02.03.2010, 17:25
Member
Thread starter, posts: 43
02.03.2010, 17:35
Member
Posts: 3716
02.03.2010, 18:14
Member
Thread starter, posts: 43
#18
Norman TDSS Cleaner
Version 1.6.2
Copyright © 1990 - 2009, Norman ASA.
Built 2010/02/11 11:44:45
Norman Scanner Engine Version: 6.04.03
Nvcbin.def Version: 6.04.00, Date: 2010/02/11 11:44:45, Variants: 180418

Scan started: 02/03/2010 18:03:53

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: USER\ich

No TDSS rootkit found

Scanning bootsectors...
Number of sectors found: 0
Number of sectors scanned: 0
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 10ms

Scanning running processes and process memory...
Number of processes/threads found: 1863
Number of processes/threads scanned: 1863
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 3s

Scanning file system...
Scanning: prescan
Scanning: C:\WINDOWS\system32\*
Scanning: postscan

Running post-scan cleanup routine:
Number of files found: 4031
Number of archives unpacked: 5
Number of files scanned: 4031
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 2m 47s
02.03.2010, 18:22
Member
Posts: 3716
02.03.2010, 18:26
Member
Thread starter, posts: 43
#20
By the way, Norman had previously reported: found and REMOVED TDSS rootkit ... just mentioning it in passing.

---------------
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:26 on 02/03/2010 by ich (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\system32\drivers\atapi.sys --a--- 95616 bytes [15:58 11/08/2006] [16:59 02/03/2010] C4B52426B79C6F6664B70B8E63B1B837
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a--- 95616 bytes [21:23 26/11/2006] [00:50 09/08/2006] C4B52426B79C6F6664B70B8E63B1B837

-=End Of File=-
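The two atapi.sys copies in the SystemLook output above carry the same MD5. That only says the live driver and the ReinstallBackups copy are byte-identical; it does not say either is clean, and a driver whose backup was taken from the same machine can be infected in both places. The comparison that settles it is against a hash taken from a trusted copy (install media, the service-pack cache, the vendor). The following is an added example, not SystemLook's own code: it parses a filefind block, groups the copies by hash, reports which copies disagree with the driver Windows actually loads, compares all of them against a known-good hash, and recomputes an MD5 locally so the posted log can be checked on the box. The first two result lines are the ones from the post; the third (a dllcache copy with a different hash) is constructed to exercise the mismatch path.

```python
"""Group the copies of a driver that SystemLook's ':filefind' found by hash,
compare them with the copy Windows actually loads, and recompute the hash
locally. Added example for this thread; not SystemLook's own code."""
import hashlib
import re
from collections import defaultdict

# SystemLook filefind layout. The first two result lines are the ones posted
# above; the dllcache line is constructed (deliberately different hash) so
# that the mismatch path is exercised.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:26 on 02/03/2010 by ich (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\system32\drivers\atapi.sys --a--- 95616 bytes [15:58 11/08/2006] [16:59 02/03/2010] C4B52426B79C6F6664B70B8E63B1B837
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys --a--- 95616 bytes [21:23 26/11/2006] [00:50 09/08/2006] C4B52426B79C6F6664B70B8E63B1B837
C:\WINDOWS\system32\dllcache\atapi.sys --a--- 95616 bytes [15:58 11/08/2006] [15:58 11/08/2006] 0123456789ABCDEF0123456789ABCDEF

-=End Of File=-
"""

# <path> <attributes> <size> bytes [timestamp] [timestamp] <MD5>
# (the two bracketed timestamps are kept as text, not interpreted)
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
SEARCH_LINE = re.compile(r'^Searching for "(?P<name>[^"]+)"')


def parse_filefind(text):
    """One dict per result line, tagged with the 'Searching for' name above it."""
    entries, target = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEARCH_LINE.match(line):
            target = m["name"]
        elif (m := FILEFIND_LINE.match(line)) and target:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["search"] = target
            entries.append(e)
    return entries


def group_by_hash(entries):
    """md5 -> list of paths; byte-identical copies land in one bucket."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_copy(entries, live_path):
    """Compare the driver Windows loads (live_path) with every other copy.
    Returns (live_md5, paths with the same hash, paths with a different hash)."""
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        raise ValueError(f"{live_path} not in filefind output")
    same = [e["path"] for e in entries if e is not live and e["md5"] == live["md5"]]
    diff = [e["path"] for e in entries if e["md5"] != live["md5"]]
    return live["md5"], same, diff


def not_known_good(entries, known_good_md5):
    """Paths whose hash differs from a hash taken from a trusted copy
    (install media, service-pack cache, vendor catalogue)."""
    return [e["path"] for e in entries if e["md5"] != known_good_md5.upper()]


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk=1 << 16):
    """Recompute what SystemLook reported so its log can be verified on the box."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()
```

Run `check_live_copy(parse_filefind(log), r"C:\WINDOWS\system32\drivers\atapi.sys")` on a real log; an empty "same" list with every backup in "diff" is the pattern to worry about, and an all-identical set still needs `not_known_good` with a hash you did not take from the suspect machine.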
02.03.2010, 18:29
Member
Posts: 3716
#21
Did you run Norman twice? Please have a look, there are two nfix.txt files; I need the first one, please. Plus a new ComboFix log file.
02.03.2010, 18:32
Member
Thread starter, posts: 43
#22
Yes, I think even three times - it crashed once.
Here are the first two - ComboFix comes afterwards.

1. Norman TDSS Cleaner
Version 1.6.2
Copyright © 1990 - 2009, Norman ASA.
Built 2010/02/11 11:44:45
Norman Scanner Engine Version: 6.04.03
Nvcbin.def Version: 6.04.00, Date: 2010/02/11 11:44:45, Variants: 180418

Scan started: 02/03/2010 17:43:44

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: USER\ich

Found and removed TDSS rootkit component (reboot and rescan required)
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Changed service configuration for "lanmanworkstation" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Started service "lanmanworkstation"
Changed service configuration for "Browser" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Failed to start service "Browser" (0x0000042C)

Running post-scan cleanup routine:
Number of files found: 0
Number of archives unpacked: 0
Number of files scanned: 0
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 4h 15m 57s

2. Norman TDSS Cleaner
Version 1.6.2
Copyright © 1990 - 2009, Norman ASA.
Built 2010/02/11 11:44:45
Norman Scanner Engine Version: 6.04.03
Nvcbin.def Version: 6.04.00, Date: 2010/02/11 11:44:45, Variants: 180418

Scan started: 02/03/2010 17:56:51

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: USER\ich

Found and removed TDSS rootkit component (reboot and rescan required)

Running post-scan cleanup routine:
Number of files found: 0
Number of archives unpacked: 0
Number of files scanned: 0
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 3m 39s
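The first Norman run above did more than delete a file: it emptied AppInit_DLLs (a DLL-injection point loaded into every process that uses user32.dll), removed the DisableRegistryTools and NoDrives policy values, switched lanmanworkstation and Browser from start type 4 (SERVICE_DISABLED) to 2 (SERVICE_AUTO_START), and asked for a reboot; the second run reports the component again. A cleaner's log is therefore also a list of things to re-check after the reboot, because a driver that is still active can put every one of them back. The following is an added example, not Norman's code: it parses those remediation lines into a checklist and diffs it against the state read back from the machine afterwards. The log lines are copied from the first run in the post; the post-reboot state is constructed, with a placeholder DLL name, to show what a recurrence looks like. The second number in the service line and the meaning of "= ->" with an empty old value are left as Norman prints them, not decoded.

```python
"""Turn the remediation lines of a Norman TDSS Cleaner log into a post-reboot
checklist and diff it against the state read back after the reboot. Added
example for this thread; not Norman's code. The log lines are copied from the
first run in the post; the post-reboot state is constructed."""
import re

SAMPLE_LOG = r"""Found and removed TDSS rootkit component (reboot and rescan required)
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Changed service configuration for "lanmanworkstation" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Started service "lanmanworkstation"
Changed service configuration for "Browser" from 0x00000004 and 0x00000001 to 0x00000002 and 0xFFFFFFFF
Failed to start service "Browser" (0x0000042C)
"""

# The first number Norman prints is the SCM start type (2 = SERVICE_AUTO_START,
# 4 = SERVICE_DISABLED); the second one is not decoded here.
WIN32_ERRORS = {0x42C: "ERROR_SERVICE_DEPENDENCY_FAIL (a dependency service or group failed to start)"}

SET_RE = re.compile(r'^Set registry value: (?P<key>.+)\\(?P<name>[^\\]+) = (?P<old>.*?)\s*-> "(?P<new>.*)"$')
REMOVED_RE = re.compile(r'^Removed registry value: (?P<key>.+) -> (?P<name>\S+) = (?P<data>\S+)$')
SVC_RE = re.compile(r'^Changed service configuration for "(?P<svc>[^"]+)" '
                    r'from (?P<old>0x[0-9A-Fa-f]+) and \S+ to (?P<new>0x[0-9A-Fa-f]+) and \S+$')
FAIL_RE = re.compile(r'^Failed to start service "(?P<svc>[^"]+)" \((?P<code>0x[0-9A-Fa-f]+)\)$')


def parse_actions(text):
    """One record per change the cleaner made (or failed to make). Lines that
    need no follow-up, such as 'Started service', are skipped."""
    actions = []
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            actions.append({"type": "reg_set", "key": m["key"], "name": m["name"], "expect": m["new"]})
        elif m := REMOVED_RE.match(line):
            actions.append({"type": "reg_removed", "key": m["key"], "name": m["name"], "was": m["data"]})
        elif m := SVC_RE.match(line):
            actions.append({"type": "svc_start", "service": m["svc"],
                            "from": int(m["old"], 16), "expect": int(m["new"], 16)})
        elif m := FAIL_RE.match(line):
            actions.append({"type": "svc_failed", "service": m["svc"], "code": int(m["code"], 16)})
    return actions


def checklist(actions):
    """What must still hold after the reboot the cleaner asked for.
    ("reg", key, name, data) with data None meaning 'must be absent';
    ("svc", service, "Start", start type)."""
    checks = []
    for a in actions:
        if a["type"] == "reg_set":
            checks.append(("reg", a["key"], a["name"], a["expect"]))
        elif a["type"] == "reg_removed":
            checks.append(("reg", a["key"], a["name"], None))
        elif a["type"] == "svc_start":
            checks.append(("svc", a["service"], "Start", a["expect"]))
    return checks


def verify(checks, observed):
    """observed: {(key, name): data or None} plus {service: start type}, as
    read back from the machine. Returns the checks that no longer hold, i.e.
    settings that something has put back since the cleaner ran."""
    failures = []
    for kind, obj, name, expect in checks:
        actual = observed.get((obj, name)) if kind == "reg" else observed.get(obj)
        if actual != expect:
            failures.append({"kind": kind, "object": obj, "name": name,
                             "expected": expect, "actual": actual})
    return failures


def describe_failure(action):
    """Human-readable form of a 'Failed to start service' record."""
    code = action["code"]
    return f'{action["service"]}: 0x{code:08X} {WIN32_ERRORS.get(code, "(unknown error)")}'


# Constructed post-reboot state: AppInit_DLLS is populated again (placeholder
# DLL name, not a real sample) and Browser is back to DISABLED; the policy
# values stayed gone and lanmanworkstation is still AUTO.
OBSERVED_AFTER_REBOOT = {
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLS"): r"C:\WINDOWS\system32\example.dll",
    "lanmanworkstation": 2,
    "Browser": 4,
}
```

On a real machine the `observed` dict is filled from `reg query` and `sc qc` (or the registry API) after the reboot; an empty result from `verify` is what "clean so far" looks like, and any failure on the AppInit_DLLs line means the injection point is live again regardless of what the cleaner reported.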
02.03.2010, 18:36
Member
Thread starter, posts: 43
#23
Although ComboFix is such an insanely long story again - can't we get on without it?
Or do I have to do it again now?
02.03.2010, 18:37
Member
Posts: 3716
#24
You could also run GMER, I wanted to see that anyway.
How is the PC running at the moment?
02.03.2010, 18:41
Member
Thread starter, posts: 43
#25
The PC is running well, i.e. completely normally, without problems.
I was already wondering, because normally it would be reeeally slow by now. But it isn't. Should I do both now? GMER and Combo?
02.03.2010, 18:53
Member
Posts: 3716
#26
No, GMER is enough :-) But that already sounds promising.
02.03.2010, 19:16
Member
Thread starter, posts: 43
#27
OK.
Should only C: be ticked in GMER? I've now ticked D: as well and it just won't finish.
02.03.2010, 19:19
Member
Posts: 3716
#28
C: is actually enough. Are the elapsed time and the item being checked still advancing? GMER can easily take 1 - 2 hours. You shouldn't be working on the PC, and shut down all running programs if possible; please do that.
02.03.2010, 19:23
Member
Thread starter, posts: 43
#29
Now it has stopped - is that OK?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-02 19:22:59
Windows 5.1.2600 Service Pack 2
Running: 5wl9vts1.exe; Driver: d:\DOKUME~1\ich\LOKALE~1\Temp\pxtdapob.sys

---- System - GMER 1.0.15 ----

SSDT 83348A70 ZwAssignProcessToJobObject
SSDT 833495F0 ZwDebugActiveProcess
SSDT 83349020 ZwDuplicateObject
SSDT 833481B0 ZwOpenProcess
SSDT 833484B0 ZwOpenThread
SSDT 83348EB0 ZwProtectVirtualMemory
SSDT 83348D50 ZwSetContextThread
SSDT 83348BD0 ZwSetInformationThread
SSDT 83345A90 ZwSetSecurityObject
SSDT 83348910 ZwSuspendProcess
SSDT 833487B0 ZwSuspendThread
SSDT 83348340 ZwTerminateProcess
SSDT 83348640 ZwTerminateThread
SSDT 83349440 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 130 804E278C 1 Byte [F0]
.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 7 Bytes [83, 34, 83, 40, 86, 34, 83] {XOR DWORD [EBX+EAX*4], 0x40; XCHG [EBX+EAX*4], DH}

---- User code sections - GMER 1.0.15 ----

.text D:\Programme\Winamp Remote\bin\OrbTray.exe[768] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 5 Bytes JMP 00413A70 D:\Programme\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text D:\Programme\Windows Live\Messenger\msnmsgr.exe[1592] USER32.dll!CreateWindowExW 77D1FF30 5 Bytes JMP 28003CA0 D:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text D:\Programme\Windows Live\Messenger\msnmsgr.exe[1592] ole32.dll!CoInitializeEx 774CEF7B 5 Bytes JMP 28002100 D:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text d:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe[1708] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION 79191D0D0F81437A38FD741CACAF5445F0DEB6A1CE6FED8DF7498DA25F964AECA650E4EFAF57654F23AC87CF8A831C863F2D4A6B59AE6720DC77D31B4E0E21986C19E173B2B3DE50F7E4AC2F2F9BCE5FB8A754E1B37AB72EC8A65F7AE7EF7CE1586EC69B2EF8309979769ABCB8BBBEFAFA922B2127FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407A6171C11EC38DE3DA2D97226D213B555DFFA236C7CA606406DEAD7CC3BD0CC385E5AE4376A0B988E4355EA6C6A51882891844DB3919ADEDF70D03CB995856A27501994FC511C563DCDFA8941CF1C376975A621A1325B72D6C04806A7DA3170EFF47B1B74F47826D249D5707D3C9CE3D763F8F6D6A5387B1E19BA198CC842B6310FDC8A8EA6D09AB91C537CA9B5627C450818989246C0E4100D15CB83ACEA446EB49AE45E49187A3D01E07F72D4C226E4E1A4C1BC014ACF69FECAE8C9E920D78FCF97A21D56843E0E0773BE294755B852C54327DEDA70914EA8D0AFC4791E62DF1EBA31A559901740100272424D753D095B9E6E25E70DB1439620547A64E08A8EB16FEEF6727DE54C538949D63EC3F5EB9CDFAFE3D2C26C35AA37FB164C2CA8AE6FA23037D6CD418F5C0962A381A45540DCB9FA8F5AF634719717C365E205CB389048BC2D4E4874480983D
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- EOF - GMER 1.0.15 ----
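The GMER log above lists 14 SSDT entries redirected to bare addresses with no module name, two byte changes inside ntoskrnl.exe, three user-mode hooks owned by named DLLs (OrbTray.exe, MsgPlusLive.dll) and one inline patch in ekrn.exe whose bytes C2 04 00 encode `ret 4`. The hooked API set (open/terminate/suspend process and thread, write virtual memory, set thread context, debug) is the self-protection pattern of a security product, and ESET is on this machine, but a bare address is exactly what GMER prints when it cannot map a hook to a loaded driver, so those entries are what a triage has to confirm by hand. The following is an added example, not GMER's code: it parses the four sections, separates hooks GMER attributed to a module from those it could not, and tests whether a reported ntoskrnl "patch" is just the hooked service table's own pointer bytes. That last check is my inference from the bytes in the log: the 7 bytes at +451 are the little-endian tail of 83348340 followed by 83348640, the same addresses listed for ZwTerminateProcess and ZwTerminateThread, so that line shows the hooked table, not a second code modification. The sample lines are copied from the post; the 4-byte minimum for that heuristic is my assumption.

```python
"""Triage a GMER rootkit-scan log: which hooks GMER attributed to a module,
which it could not, and whether a reported 'kernel code' change is just the
hooked service table's own pointer bytes. Added example for this thread, not
GMER's code; the sample lines are copied from the GMER output in the post."""
import re
import struct
from collections import defaultdict

SAMPLE = r"""---- System - GMER 1.0.15 ----
SSDT 83348A70 ZwAssignProcessToJobObject
SSDT 833495F0 ZwDebugActiveProcess
SSDT 83349020 ZwDuplicateObject
SSDT 833481B0 ZwOpenProcess
SSDT 833484B0 ZwOpenThread
SSDT 83348EB0 ZwProtectVirtualMemory
SSDT 83348D50 ZwSetContextThread
SSDT 83348BD0 ZwSetInformationThread
SSDT 83345A90 ZwSetSecurityObject
SSDT 83348910 ZwSuspendProcess
SSDT 833487B0 ZwSuspendThread
SSDT 83348340 ZwTerminateProcess
SSDT 83348640 ZwTerminateThread
SSDT 83349440 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 130 804E278C 1 Byte [F0]
.text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 7 Bytes [83, 34, 83, 40, 86, 34, 83] {XOR DWORD [EBX+EAX*4], 0x40; XCHG [EBX+EAX*4], DH}
---- User code sections - GMER 1.0.15 ----
.text D:\Programme\Winamp Remote\bin\OrbTray.exe[768] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 5 Bytes JMP 00413A70 D:\Programme\Winamp Remote\bin\OrbTray.exe (Orb/Orb Networks)
.text D:\Programme\Windows Live\Messenger\msnmsgr.exe[1592] USER32.dll!CreateWindowExW 77D1FF30 5 Bytes JMP 28003CA0 D:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text D:\Programme\Windows Live\Messenger\msnmsgr.exe[1592] ole32.dll!CoInitializeEx 774CEF7B 5 Bytes JMP 28002100 D:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text d:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe[1708] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 00]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows (R) 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<where>.+?)\s+(?P<func>(?:Zw|Nt)\w+)(?:\s+\[.*\])?\s*$")
UHOOK_RE = re.compile(r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+!\S+) "
                      r"(?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes? (?P<rest>.+)$")
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]+) (?P<owner>.+?) \((?P<desc>.+)\)$")
KPATCH_RE = re.compile(r"^\.text (?P<sym>\S+ \+ [0-9A-Fa-f]+) (?P<addr>[0-9A-Fa-f]{8}) "
                       r"(?P<n>\d+) Bytes? \[(?P<bytes>[^\]]+)\]")
DEV_RE = re.compile(r"^AttachedDevice (?P<stack>\S+) (?P<device>\S+) (?P<driver>\S+) \((?P<desc>.+)\)$")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")


def triage(text):
    """Parse the System, Kernel code, User code and Devices sections."""
    ssdt, kpatches, uhooks, attached = [], [], [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            where = m["where"]
            # GMER names the owning driver when it can map the hook address to
            # a loaded module; a bare address means it could not.
            ssdt.append({"func": m["func"], "where": where,
                         "attributed": "\\" in where or where.lower().endswith(".sys")})
        elif m := UHOOK_RE.match(line):
            j = JMP_RE.match(m["rest"])  # JMP <target> <owner module> (<vendor>)
            uhooks.append({"process": m["proc"], "pid": int(m["pid"]), "api": m["api"],
                           "owner": j["owner"] if j else None,
                           "patch": None if j else m["rest"]})
        elif m := KPATCH_RE.match(line):
            kpatches.append({"symbol": m["sym"], "addr": int(m["addr"], 16),
                             "bytes": bytes(int(b, 16) for b in m["bytes"].split(","))})
        elif m := DEV_RE.match(line):
            attached[m["device"]].append(m["driver"])
    return {"ssdt": ssdt, "kernel_patches": kpatches,
            "user_hooks": uhooks, "attached": dict(attached)}


def is_table_pointer_bytes(patch, ssdt):
    """Heuristic (an assumption of this example, not a GMER rule): hooked
    handler addresses sit as little-endian dwords in the service table inside
    the ntoskrnl image, so a 'changed' byte run that equals consecutive hooked
    addresses is the table itself. Four bytes minimum to avoid chance matches."""
    if len(patch) < 4:
        return False
    table = b"".join(struct.pack("<I", int(e["where"], 16))
                     for e in ssdt if HEX8.fullmatch(e["where"]))
    return patch in table


def review_items(summary):
    """Everything a human still has to attribute by hand."""
    items = [f"SSDT {e['func']} -> {e['where']} (no module attributed)"
             for e in summary["ssdt"] if not e["attributed"]]
    items += [f"kernel change at {p['symbol']} bytes {p['bytes'].hex()}"
              for p in summary["kernel_patches"]
              if not is_table_pointer_bytes(p["bytes"], summary["ssdt"])]
    # An inline patch with no owning module, e.g. ekrn.exe's C2 04 00 (ret 4),
    # is listed too: the product running in that process must explain it.
    items += [f"{h['process']}[{h['pid']}] {h['api']} patched {h['patch']}"
              for h in summary["user_hooks"] if h["owner"] is None]
    return items
```

On this log `review_items` leaves 16 entries: the 14 unattributed SSDT hooks, the single-byte change at +130 (too short for the table heuristic) and the ekrn.exe patch; the 7-byte change at +451 drops out because it is the hooked table. Attributing the 14 hooks means finding which loaded driver owns the 0x8334xxxx region (a driver listing or a kernel debugger, not GMER's output alone).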
02.03.2010, 19:30
Member
Posts: 3716
#30
OK, now I'd like you to visit the Microsoft Update site and install Service Pack 3 plus all important updates, then post a fresh HijackThis log.
Result:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:24 on 02/03/2010 by ich (Administrator - Elevation successful)
No Context: atapi.sys
-=End Of File=-