25.05.2008, 15:48
Virtumonde, Teil 2 des Logs: Zitat:
[...]
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-24 07:05 1232896]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 18:51 486856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35 202024]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:34 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-31 05:44 36864]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 21:58 19456 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 21:58 19968 C:\Windows\System32\CTXFIHLP.EXE]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 10:53 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG /SILENT /FAIL=1" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1067182651-4116881732-1640251941-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DD6A625D-1134-429B-B02D-EFFA41676EFF}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{190F2DEC-C077-44C8-9E13-C0F8B32A851F}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{7BF44723-DFDE-4D0C-9FE8-BF5FBD52872B}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{A19A5ED8-51A3-495B-8782-B2C1F639FFC3}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{AC9F82AF-59CD-4B7A-BCB9-AB2A8030CA94}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{22CE2129-CD2E-4F43-ABBC-CDFC471B9D81}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{CEEDD7FB-B01E-4AF5-A30F-85C4A6A071AF}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{6321732C-0804-475E-BF21-0311A37B6F34}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{4C1A480A-6BDF-4FDD-9CF7-44464886DA75}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{205A6D1E-D17F-473D-9EE8-CFA339FF0AC0}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{1FA08924-0E38-445C-8111-724CAA7FFC01}"= UDP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{76A6682E-DF25-4CF4-8366-DF52F7CFB4D6}"= TCP:C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{DE05980A-5882-4346-B9CC-42E5E34109F1}C:\\program files\\qip\\qip.exe"= UDP:C:\program files\qip\qip.exe:Quiet Internet Pager
"UDP Query User{DEAB160C-1714-473F-B485-EA74A97894CD}C:\\program files\\qip\\qip.exe"= TCP:C:\program files\qip\qip.exe:Quiet Internet Pager
"TCP Query User{32AD9290-D06C-4B7F-916C-D46289FF220B}C:\\program files\\qip\\qip.exe"= UDP:C:\program files\qip\qip.exe:Quiet Internet Pager
"UDP Query User{5F6E0393-1B4C-49EA-A468-2419711AA7A3}C:\\program files\\qip\\qip.exe"= TCP:C:\program files\qip\qip.exe:Quiet Internet Pager
"TCP Query User{5770B632-00DF-40D4-887E-42BE968098ED}C:\\program files\\electronic arts\\crytek\\crysis\\bin32\\crysis.exe"= UDP:C:\program files\electronic arts\crytek\crysis\bin32\crysis.exe:Crysis
"UDP Query User{84059958-E5CF-49D1-BCAD-13DFFEC38CE1}C:\\program files\\electronic arts\\crytek\\crysis\\bin32\\crysis.exe"= TCP:C:\program files\electronic arts\crytek\crysis\bin32\crysis.exe:Crysis
"TCP Query User{CFEF5791-D197-4B57-95AB-50DFBA405427}C:\\program files\\ea games\\battlefield 2\\bf2.exe"= UDP:C:\program files\ea games\battlefield 2\bf2.exe:BF2
"UDP Query User{F6E28F8D-C52D-4685-A9B4-82EE8D51B31F}C:\\program files\\ea games\\battlefield 2\\bf2.exe"= TCP:C:\program files\ea games\battlefield 2\bf2.exe:BF2
"TCP Query User{466D2A59-7896-4A6F-9E90-F3E23ED07A3F}C:\\program files\\empire interactive\\flatout2\\flatout2.exe"= UDP:C:\program files\empire interactive\flatout2\flatout2.exe:FlatOut2
"UDP Query User{B762BC4A-F455-4F28-B389-B02B56B57D7B}C:\\program files\\empire interactive\\flatout2\\flatout2.exe"= TCP:C:\program files\empire interactive\flatout2\flatout2.exe:FlatOut2
"TCP Query User{E3E832D2-8872-402D-8034-AD1AF707E705}C:\\program files\\activision\\call of duty 4 - modern warfare\\iw3mp.exe"= UDP:C:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"UDP Query User{F0DED792-6EBA-412E-B9CB-3CE15CE12D2C}C:\\program files\\activision\\call of duty 4 - modern warfare\\iw3mp.exe"= TCP:C:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"TCP Query User{5178C9AA-EF12-4A5B-9A1F-6D99E4AAA574}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= UDP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"UDP Query User{9C113F90-E6F2-4926-B287-8497CA951503}C:\\program files\\thq\\company of heroes\\reliccoh.exe"= TCP:C:\program files\thq\company of heroes\reliccoh.exe:RelicCOH
"TCP Query User{6EFDEA0B-4E8E-4764-A549-8372DA7AC9A3}C:\\program files\\gamers.irc\\mirc.exe"= UDP:C:\program files\gamers.irc\mirc.exe:mIRC
"UDP Query User{839DD901-8B1B-48B4-8A41-7991A74D2B84}C:\\program files\\gamers.irc\\mirc.exe"= TCP:C:\program files\gamers.irc\mirc.exe:mIRC
"TCP Query User{43968401-64A4-4A8D-BD89-698B15323B95}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{77EE6752-FD25-408B-A855-79303757F373}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"TCP Query User{E90DB471-AB38-43E2-BD2C-FBC9029FEC96}C:\\program files\\opera\\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{55ABA55B-B239-4078-9D92-F6D6DCA3C409}C:\\program files\\opera\\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser
"{8DD1362C-09DE-4A33-9DAA-95541B6FB4C2}"= UDP:C:\Program Files\Unreal Tournament 3 (LG)\Binaries\UT3.exe:Unreal Tournament 3
"{546EE025-1C38-486C-A73E-2B4C617E9EB1}"= TCP:C:\Program Files\Unreal Tournament 3 (LG)\Binaries\UT3.exe:Unreal Tournament 3
"{E04910A4-5E29-4AB8-9236-5EF19BD3E016}"= UDP:E:\Games\Assassins Creed1\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{675864B4-E14C-4128-A76A-71677D34A40D}"= TCP:E:\Games\Assassins Creed1\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{89F9E961-BB22-4696-9F1E-81A108149DB7}"= UDP:E:\Games\Assassins Creed1\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{AEC780E1-A138-44EE-A326-CAF39CE4DB44}"= TCP:E:\Games\Assassins Creed1\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{CAFE5B95-41FE-4C89-AEB1-E5A663BC61AC}"= UDP:E:\Games\Assassins Creed1\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{701BF602-97BA-4FB1-8AC8-3811D5C15531}"= TCP:E:\Games\Assassins Creed1\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{F33B6FEF-4ADE-4EAE-B70B-2F732CB51EA4}"= UDP:E:\Games\PES2008\PES2008.exe:Pro Evolution Soccer 2008
"{037DF64D-D9B9-4DFB-8B55-0D7CB09AE58D}"= TCP:E:\Games\PES2008\PES2008.exe:Pro Evolution Soccer 2008
"TCP Query User{E63CFF50-B807-4438-B7E3-98BA3EF71285}C:\\program files\\hlsw\\hlsw.exe"= UDP:C:\program files\hlsw\hlsw.exe:HLSW
"UDP Query User{0C2E4EEB-63DB-4E61-891D-7AA3AD705BA5}C:\\program files\\hlsw\\hlsw.exe"= TCP:C:\program files\hlsw\hlsw.exe:HLSW
"{A0CAC836-2CBB-4186-BD69-13C276797AE6}"= UDP:E:\Games\UT2004\System\UT2004.exe:UT2004
"{B7748A96-445A-4BB4-B0DF-74C42208EB73}"= TCP:E:\Games\UT2004\System\UT2004.exe:UT2004
"TCP Query User{D1CF8DD2-5C46-4B09-80E6-B76C459EAA89}C:\\program files\\opera\\opera.exe"= UDP:C:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{43ED48DB-1424-445D-851A-62E01CB5C465}C:\\program files\\opera\\opera.exe"= TCP:C:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{0F280C52-A79E-46DD-91C1-D131DFF02792}C:\\program files\\teamspeak2_rc2server\\server_windows.exe"= UDP:C:\program files\teamspeak2_rc2server\server_windows.exe:Server
"UDP Query User{49690D80-DBE3-4A4E-98E2-842692164493}C:\\program files\\teamspeak2_rc2server\\server_windows.exe"= TCP:C:\program files\teamspeak2_rc2server\server_windows.exe:Server
"TCP Query User{5206BE88-FEB7-4A16-B40D-DF0DBEE80DAD}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{E93D0BB0-4C14-4F08-8AA4-DFE32C313D2B}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{EB32530C-6FF2-4084-9B33-8ABA001CC4DF}C:\\users\\****\\desktop\\sft-loader_2008_rc1\\leecher.exe"= UDP:C:\users\****\desktop\sft-loader_2008_rc1\leecher.exe:leecher.exe
"UDP Query User{245A6ECC-52A4-4AF6-98AB-CBAFB2628D2F}C:\\users\\****\\desktop\\sft-loader_2008_rc1\\leecher.exe"= TCP:C:\users\****\desktop\sft-loader_2008_rc1\leecher.exe:leecher.exe
"TCP Query User{E7383750-77E3-403D-97A4-A0C24F884843}C:\\program files\\sft-loader_2008_rc1\\leecher.exe"= UDP:C:\program files\sft-loader_2008_rc1\leecher.exe:SFT Loader
"UDP Query User{68786439-1768-42E2-B708-E8878809171D}C:\\program files\\sft-loader_2008_rc1\\leecher.exe"= TCP:C:\program files\sft-loader_2008_rc1\leecher.exe:SFT Loader
"{61511C71-9E4F-4157-A2EB-3FCF17FD7716}"= UDP:E:\Games\AssassinsCreed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{609CD670-D210-4088-8CCF-9789442AFD56}"= TCP:E:\Games\AssassinsCreed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{F1B67998-EAF0-4E01-9D34-FE5FC5AE654E}"= UDP:E:\Games\AssassinsCreed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{A2456D9D-27FA-4A01-BA1D-25F962578985}"= TCP:E:\Games\AssassinsCreed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{97DD2E46-EFB7-4810-AC4A-567F8863A472}"= UDP:E:\Games\AssassinsCreed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{2EF9ED63-88DA-4810-997C-80B00624DEC0}"= TCP:E:\Games\AssassinsCreed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{CDE354EA-907E-4E7D-B4A7-FA9302E1A4AD}C:\\program files\\sft-loader_2008_rc1\\leecher.exe"= UDP:C:\program files\sft-loader_2008_rc1\leecher.exe:SFT Loader
"UDP Query User{478BEB9C-E9E8-457F-AAC5-F23FC3A96C04}C:\\program files\\sft-loader_2008_rc1\\leecher.exe"= TCP:C:\program files\sft-loader_2008_rc1\leecher.exe:SFT Loader
"TCP Query User{65DA375C-E4AB-4E6F-8470-3CFFFFC31103}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C166478B-FE18-4A16-B2B1-6FC0CAB045EF}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{7027D8F3-E339-4961-A82D-97BB6A622E7F}C:\\program files\\beyond compare 2\\bc2.exe"= UDP:C:\program files\beyond compare 2\bc2.exe:Beyond Compare
"UDP Query User{CC4F26DA-CAD5-4EE3-BCFC-D5DA3BBF064B}C:\\program files\\beyond compare 2\\bc2.exe"= TCP:C:\program files\beyond compare 2\bc2.exe:Beyond Compare
"{CF4A63AB-2DCD-4C84-BD26-0496D6B7C2E4}"= UDP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{97C78F23-362F-4435-AEAA-2E226AFD8E79}"= TCP:C:\Program Files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 20:24]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [2008-02-25 10:44]
R3 UsbFltr;Razer Copperhead Driver;C:\Windows\system32\drivers\copperhd.sys [2005-11-02 10:54]
R3 yukonwlh;NDIS6.0 Miniporttreiber für Marvell Yukon-Ethernet-Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 09:30]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys [2006-06-17 00:30]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Autorun.exe root.ini
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cef663c5-26aa-11dd-a759-806e6f6e6963}]
\shell\AutoRun\command - F:\Autorun.exe root.ini
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db5455b3-055d-11dd-90ba-0018f3646f58}]
\shell\AutoRun\command - I:\LaunchU3.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Inhalt des "geplante Tasks" Ordners
"2008-05-25 14:45:24 C:\Windows\Tasks\User_Feed_Synchronization-{B1D78F01-6B1E-423E-9675-66D40948AE1D}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 16:45:56
Windows 6.0.6000 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-05-25 16:46:49
ComboFix-quarantined-files.txt 2008-05-25 14:46:37
ComboFix2.txt 2008-05-25 00:55:50
ComboFix3.txt 2008-05-25 00:47:45
ComboFix4.txt 2008-05-25 00:18:33
8 Verzeichnis(se), 10,942,926,848 Bytes frei
16 Verzeichnis(se), 10,917,335,040 Bytes frei
388 --- E O F --- 2008-05-21 19:24:30
Geändert von infected187 (25.05.2008 um 16:19 Uhr)