Pests of all kinds and their removal: TR/Crypt.XPACK.Gen & TR/Vundo.Gen
#5
Yep, I had deleted the files found by Malwarebytes. I have now deleted BearShare as well, but that only worked with Alt + Delete. Somehow I couldn't find an uninstall file, and BearShare wasn't listed in the software list either. And as for the trojan (TR/Monder.dfr), all I can tell you is that A002987.dll was affected.

Here is the SmitFraudFix log:
And here is the RunScanner log (I did not run RunScanner in safe mode, though):
Last edited by Creak (16.08.2008 at 14:37)