GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich

aharonov · 03.01.2013, 00:20

Hi Pete,
das war jetzt leider nicht übermässig erfolgreich. Wir versuchen's nochmals auf eine andere Art und kümmern uns dabei auch noch um die Funde von ESET.

Hinweise:

Zitat:

F:\Installs\vlc-2.0.0-win32.exe Win32/StartPage.OPH trojan

Die saubere Originalquelle für den vlc-player ist videolan.org und nicht vlc.de oder ähnliches.

Zitat:

F:\docs\market\stock market books\stock_market_books.rar probably a variant of Win32/Agent.NPORNUL trojan
F:\docs\The Best Of Fine Woodworking_The Taunton Press 2002\The Best Of Fine Woodworking_The Taunton Press 2002\The Best Of Fine Woodworking_The Taunton Press 2002 PDF/Exploit.Gen trojan
F:\docs\Drawing\Vilppu.Studio-NECK.Anatomy\Vilppu.Studio-NECK.Anatomy.part01.rar Win32/Adware.Gator.Trickler.F application
F:\docs\Drawing\Vilppu.Studio-UPPER.TORSO.Anatomy\Vilppu.Studio-UPPER.TORSO.Anatomy.part1.rar Win32/Adware.Gator.Trickler.F application

Bei solchen Downloads wär ich generell sehr vorsichtig. Diese Archive sind wohl nicht sauber, ich würd sie löschen.

Schritt 1

Starte bitte die OTL.exe.
Kopiere nun den Inhalt aus der Codebox in die Textbox.

Code:

ATTFilter

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Windows-Verwaltungsinstrumentation"
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,02,00,00,00,03,00,03,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
"Description"="Bietet eine standardm„áige Schnittstelle und Objektmodell zum Zugreifen auf Verwaltungsinformationen ber das Betriebssystem, Ger„te, Anwendungen und Dienste. Die meiste Windows-basierte Software kann nicht ordnungsgem„á ausgefhrt werden, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, k”nnen die Dienste, die von diesem Dienst ausschlieálich abh„ngig sind, nicht mehr gestartet werden."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,\
  00,6c,00,6c,00,00,00
"ServiceMain"="ServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Enum]
"0"="Root\\LEGACY_WINMGMT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000]
"Service"="winmgmt"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Management Instrumentation"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\Control]
"ActiveService"="winmgmt"

:files
F:\docs\market\Books - rapid\Stock books 056\Forex\Forex_BrainTrading_system\Braintrading.exe
F:\docs\The Best Of Fine Woodworking_The Taunton Press 2002\The Best Of Fine Woodworking_The Taunton Press 2002\start.pdf
F:\Installs\vlc-2.0.0-win32.exe

:Commands
[emptytemp]

Schliesse bitte nun alle Programme.
Klicke nun bitte auf den Fix Button.
OTL kann gegebenfalls einen Neustart verlangen. Bitte dies zulassen.
Nach dem Neustart findest Du ein Textdokument auf deinem Desktop.
(Auch zu finden unter C:\_OTL\MovedFiles\<time_date>.txt)
Kopiere nun den Inhalt hier in deinen Thread.

Schritt 2

Starte nochmals Farbars Service Scanner mit Doppelklick auf FSS.exe.
Gehe sicher, dass folgende Optionen angehakt sind:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other Services
Klicke auf Scan.
Wenn das Tool fertig ist, wird es eine FSS.txt auf dem Desktop erstellen.

Poste bitte dessen Inhalt hier.

Bitte poste in deiner nächsten Antwort:

Fixlog von OTL
Log von FSS

Pete_w · 03.01.2013, 09:39

Moin moin,

hier die zwei logs:

OTL

Code:

ATTFilter

All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"Type"|dword:00000020 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"Start"|dword:00000002 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"ErrorControl"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"ImagePath"|hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"DisplayName"|"Windows-Verwaltungsinstrumentation" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"DependOnService"|hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"DependOnGroup"|hex(7):00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"ObjectName"|"LocalSystem" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"FailureActions"|hex:80,51,01,00,00,00,00,00,00,00,00,00,02,00,00,00,03,00,03,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\\"Description"|"Bietet eine standardm„áige Schnittstelle und Objektmodell zum Zugreifen auf Verwaltungsinformationen ber das Betriebssystem, Ger„te, Anwendungen und Dienste. Die meiste Windows-basierte Software kann nicht ordnungsgem„á ausgefhrt werden, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, k”nnen die Dienste, die von diesem Dienst ausschlieálich abh„ngig sind, nicht mehr gestartet werden." /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Parameters\\"ServiceDll"|hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,4d,00,49,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Parameters\\"ServiceMain"|"ServiceMain" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Security\\"Security"|hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Enum\\"0"|"Root\\LEGACY_WINMGMT\\0000" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Enum\\"Count"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\winmgmt\Enum\\"NextInstance"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\\"NextInstance"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"Service"|"winmgmt" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"Legacy"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"ConfigFlags"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"Class"|"LegacyDriver" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"ClassGUID"|"{8ECC055D-047F-11D1-A537-0000F8753ED1}" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\\"DeviceDesc"|"Windows Management Instrumentation" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMGMT\0000\Control\\"ActiveService"|"winmgmt" /E : value set successfully!
========== FILES ==========
File move failed. F:\docs\market\Books - rapid\Stock books 056\Forex\Forex_BrainTrading_system\Braintrading.exe scheduled to be moved on reboot.
File\Folder F:\docs\The Best Of Fine Woodworking_The Taunton Press 2002\The Best Of Fine Woodworking_The Taunton Press 2002\start.pdf not found.
F:\Installs\vlc-2.0.0-win32.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Sönke
->Temp folder emptied: 3826928 bytes
->Temporary Internet Files folder emptied: 2346170 bytes
->FireFox cache emptied: 4767494 bytes
->Flash cache emptied: 1049 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 34780 bytes
RecycleBin emptied: 4087669368 bytes
 
Total Files Cleaned = 3.909,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 01032013_085137

Files\Folders moved on Reboot...
File\Folder F:\docs\market\Books - rapid\Stock books 056\Forex\Forex_BrainTrading_system\Braintrading.exe not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Braintrading.exe wurde mittels Avira Antivirus gelöscht. Hatte vergessen diesen aus zu schalten.

Log von FSS

Code:

ATTFilter

Farbar Service Scanner Version: 23-12-2012
Ran by Sönke (administrator) on 03-01-2013 at 08:57:53
Running from "C:\Dokumente und Einstellungen\Sönke\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2008-04-14 13:00] - [2008-04-14 13:00] - 0127488 ____A (Microsoft Corporation) C29A1C9B75BA38FA37F8C44405DEC360

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll
[2008-04-14 13:00] - [2009-04-20 18:17] - 0045568 ____A (Microsoft Corporation) 407F3227AC618FD1CA54B335B083DE07

C:\WINDOWS\system32\ipnathlp.dll
[2008-04-14 13:00] - [2008-04-14 13:00] - 0334336 ____A (Microsoft Corporation) CAD058D5F8B889A87CA3EB3CF624DCEF

C:\WINDOWS\system32\netman.dll
[2008-04-14 13:00] - [2008-04-14 13:00] - 0198144 ____A (Microsoft Corporation) E6D88F1F6745BF00B57E7855A2AB696C

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2012-07-15 12:59] - [2008-04-14 13:00] - 0145408 ____A (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

C:\WINDOWS\system32\srsvc.dll
[2012-07-15 13:01] - [2008-04-14 13:00] - 0171520 ____A (Microsoft Corporation) FE77A85495065F3AD59C5C65B6C54182

C:\WINDOWS\system32\Drivers\sr.sys
[2012-07-15 13:01] - [2008-04-14 13:00] - 0073472 ____A (Microsoft Corporation) 50FA898F8C032796D3B1B9951BB5A90F

C:\WINDOWS\system32\wscsvc.dll
[2008-04-14 13:00] - [2008-04-14 13:00] - 0080896 ____A (Microsoft Corporation) 300B3E84FAF1A5C1F791C159BA28035D

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2012-07-15 12:59] - [2008-04-14 13:00] - 0145408 ____A (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

C:\WINDOWS\system32\wuauserv.dll
[2012-07-15 13:01] - [2008-04-14 13:00] - 0006656 ____A (Microsoft Corporation) 7B4FE05202AA6BF9F4DFD0E6A0D8A085

C:\WINDOWS\system32\qmgr.dll
[2012-07-15 13:01] - [2008-04-14 13:00] - 0409088 ____A (Microsoft Corporation) D6F603772A789BB3228F310D650B8BD1

C:\WINDOWS\system32\es.dll
[2008-04-14 13:00] - [2008-07-07 21:26] - 0253952 ____A (Microsoft Corporation) AF4F6B5739D18CA7972AB53E091CBC74

C:\WINDOWS\system32\cryptsvc.dll
[2008-04-14 13:00] - [2008-04-14 13:00] - 0062464 ____A (Microsoft Corporation) 611F824E5C703A5A899F84C5F1699E4D

C:\WINDOWS\system32\svchost.exe
[2008-04-14 13:00] - [2008-04-14 13:00] - 0014336 ____A (Microsoft Corporation) 4FBC75B74479C7A6F829E0CA19DF3366

C:\WINDOWS\system32\rpcss.dll
[2008-04-14 13:00] - [2009-02-09 11:51] - 0401408 ____A (Microsoft Corporation) 3127AFBF2C1ED0AB14A1BBB7AAECB85B

C:\WINDOWS\system32\services.exe
[2008-04-14 13:00] - [2009-02-09 12:21] - 0111104 ____A (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC


Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich

Plagegeister aller Art und deren Bekämpfung: GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich

GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich

GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich

Ähnliche Themen: GVU-WebCam Trojaner, abgesicherter Modus nicht zugänglich