Pests of all kinds and how to fight them: Virus or False Alarm? (Windows 7)
#1
Virus or False Alarm? Hello, my little brother unfortunately downloaded and installed something while I was away. My virus scanner didn't raise an alarm, but I ran the installer through VirusTotal anyway, and lo and behold: Code:
Datei fo-fr298.exe empfangen 2009.05.17 20:43:07 (CET)
Status: Beendet
Ergebnis: 3/40 (7.50%)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.101 2009.05.17 -
AhnLab-V3 5.0.0.2 2009.05.16 -
AntiVir 7.9.0.168 2009.05.17 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.17 -
Avast 4.8.1335.0 2009.05.16 -
AVG 8.5.0.336 2009.05.16 -
BitDefender 7.2 2009.05.17 -
CAT-QuickHeal 10.00 2009.05.15 Backdoor.Small.hvo
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.17 -
eSafe 7.0.17.0 2009.05.17 -
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.17 -
F-Secure 8.0.14470.0 2009.05.16 -
Fortinet 3.117.0.0 2009.05.17 -
GData 19 2009.05.17 -
Ikarus T3.1.1.49.0 2009.05.17 -
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.17 -
McAfee 5618 2009.05.17 -
McAfee+Artemis 5618 2009.05.17 -
McAfee-GW-Edition 6.7.6 2009.05.17 -
Microsoft 1.4602 2009.05.17 -
NOD32 4080 2009.05.15 -
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.17 -
Panda 10.0.0.14 2009.05.17 -
PCTools 4.4.2.0 2009.05.17 -
Prevx 3.0 2009.05.17 -
Rising 21.29.62.00 2009.05.17 -
Sophos 4.41.0 2009.05.17 -
Sunbelt 3.2.1858.2 2009.05.17 -
Symantec 1.4.4.12 2009.05.17 -
TheHacker 6.3.4.1.326 2009.05.17 Backdoor/Small.hzg
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.17 Backdoor.Win32.Small.hzj
ViRobot 2009.5.15.1737 2009.05.15 -
VirusBuster 4.6.5.0 2009.05.17 -
Please help. Best regards. Here's the link: virustotal.com/de/analisis/18c5bcc0597023a9d9ea6ffe5f4ee2a1
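Not part of the thread: an added Python example that parses a VirusTotal text report in the layout pasted above and summarises what a defender looks at beyond the raw 3/40 ratio, namely whether the hits come from engines that independently name the same family and whether those names are specific rather than generic/heuristic. The engine rows are copied from the post; the family() normalisation and the generic-marker list are my own triage heuristics, not VirusTotal's.

```python
import re
from collections import Counter

# Report text in the layout VirusTotal used in 2009 (rows copied from the post
# above, cut down to a few engines so the example stays short).
SAMPLE_REPORT = """\
Datei fo-fr298.exe empfangen 2009.05.17 20:43:07 (CET)
Ergebnis: 3/40 (7.50%)
Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.101 2009.05.17 -
AntiVir 7.9.0.168 2009.05.17 -
CAT-QuickHeal 10.00 2009.05.15 Backdoor.Small.hvo
Kaspersky 7.0.0.125 2009.05.17 -
TheHacker 6.3.4.1.326 2009.05.17 Backdoor/Small.hzg
VBA32 3.12.10.5 2009.05.17 Backdoor.Win32.Small.hzj
"""

# One engine row: name, version, signature date (YYYY.MM.DD), result ("-" = clean).
ENGINE_ROW = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>\S.*)$")
PLATFORM_TAGS = {"win32", "w32", "win64", "w64"}          # dropped when comparing names
GENERIC_MARKERS = {"generic", "gen", "heur", "heuristic", "suspicious", "packed", "packer"}

def parse_report(text):
    """One dict per engine row; header lines do not match the pattern and are skipped."""
    rows = [m.groupdict() for m in map(ENGINE_ROW.match, map(str.strip, text.splitlines())) if m]
    for row in rows:
        row["result"] = None if row["result"] == "-" else row["result"]
    return rows

def family(detection):
    """Collapse vendor-specific naming to a (type, family) pair, e.g.
    'Backdoor.Win32.Small.hzj' and 'Backdoor/Small.hzg' both -> ('backdoor', 'small')."""
    tokens = [t for t in re.split(r"[./:\-_ ]+", detection.lower()) if t]
    tokens = [t for t in tokens if t not in PLATFORM_TAGS]
    return tuple(tokens[:2])

def is_generic(detection):
    """True when the name only signals a heuristic/packer hit rather than a known family."""
    return bool(set(re.split(r"[./:\-_ ]+", detection.lower())) & GENERIC_MARKERS)

def triage(text):
    """Summarise a report: the raw ratio, plus whether the hits agree on one family."""
    rows = parse_report(text)
    hits = [r for r in rows if r["result"]]
    families = Counter(family(r["result"]) for r in hits)
    agreed = [fam for fam, n in families.items() if n >= 2]   # named by 2+ engines
    return {
        "engines": len(rows),
        "hits": len(hits),
        "ratio": round(len(hits) / len(rows), 4) if rows else 0.0,
        "hit_engines": sorted(r["engine"] for r in hits),
        "consensus_family": agreed[0] if len(agreed) == 1 else None,
        "named_hits": sum(1 for r in hits if not is_generic(r["result"])),
    }
```

Three engines agreeing on a specific family with different variant suffixes, as here, is a stronger signal than the ratio alone; a lone hit whose name contains only "Generic" or "Heur" would be the false-alarm pattern.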
#2
Virus or False Alarm? Hello... and

Run the following programs:
- CCleaner
- Malwarebytes
- SUPERAntiSpyware
- let BlackLight scan

4.) Create a list of installed programs with HijackThis: start HijackThis --> click "Open the Misc Tool Section" --> click "Misc Tools" --> click "Open uninstall Manager" --> click "Save List"
#3
Virus or False Alarm? Hello, thanks first of all for your help,
- Ran CCleaner.
- Malwarebytes found one registry data item. Problem was fixed: Code:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
(Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Code:
05/18/09 03:04:26 [Info]: BlackLight Engine 2.2.1092 initialized
05/18/09 03:04:26 [Info]: OS: 6.0 build 6001 (Service Pack 1)
05/18/09 03:04:26 [Note]: 7019 4
05/18/09 03:04:26 [Note]: 7005 0
05/18/09 03:12:32 [Note]: 7006 0
05/18/09 03:12:32 [Note]: 7027 0
05/18/09 03:12:34 [Note]: 7035 0
05/18/09 03:12:34 [Note]: 7026 0
05/18/09 03:12:34 [Note]: 7026 0
05/18/09 03:12:35 [Note]: FSRAW library version 1.7.1024
05/18/09 03:12:54 [Note]: 4015 77642
05/18/09 03:12:54 [Note]: 4027 77642 524288
05/18/09 03:12:54 [Note]: 4020 51015 393216
05/18/09 03:12:54 [Note]: 4018 51015 393216
05/18/09 03:18:33 [Note]: 4015 162107
05/18/09 03:18:33 [Note]: 4027 162107 262144
05/18/09 03:18:33 [Note]: 4020 10687 131072
05/18/09 03:18:33 [Note]: 4018 10687 131072
05/18/09 03:18:53 [Note]: 4015 548
05/18/09 03:18:53 [Note]: 4027 548 131072
05/18/09 03:18:53 [Note]: 4020 540 196608
05/18/09 03:18:53 [Note]: 4018 540 196608
05/18/09 03:20:30 [Note]: 4015 1658
05/18/09 03:20:30 [Note]: 4027 1658 65536
05/18/09 03:20:30 [Note]: 4020 608 65536
05/18/09 03:20:30 [Note]: 4018 608 65536
05/18/09 03:25:28 [Note]: 4015 2469
05/18/09 03:25:28 [Note]: 4027 2469 65536
05/18/09 03:25:28 [Note]: 4020 608 65536
05/18/09 03:25:28 [Note]: 4018 608 65536
05/18/09 10:59:50 [Note]: 7007 0
- HijackThis log of installed programs: Code:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3DMark06
Active@ ISO Burner v 1.7
Adobe AIR
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe Reader 9 - Deutsch
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe WinSoft Linguistics Plugin
Adobe WinSoft Linguistics Plugin
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AGEIA PhysX v7.09.13
Apple Software Update
ATI PCI Express (3GIO) Filter Driver
ATITool Overclocking Utility
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Catalyst Control Center - Branding
CCleaner (remove only)
Choice Guard
Connect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DOSShell 1.4
fonomo-pidgin 0.1.5
Fraps (remove only)
Free YouTube to Mp3 Converter version 3.1
FreePDF XP (Remove only)
G15_TeamSpeak (NSIS)
GTK+ Runtime 2.14.7 rev a (nur entfernen)
HijackThis 2.0.2
HWiNFO32 Version 2.38
Java(TM) 6 Update 13
kuler
Last.fm 1.5.4.24567
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (German) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSVCRT
Napster
Napster Burn Engine
Nettalk 6.5
PDF Settings CS4
Photoshop Camera Raw
Pidgin
PixiePack Codec Pack
QuickTime
Real Alternative 1.8.2
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
sipgate X-Lite 1105c ger
Skype™ 4.0
SpeedFan (remove only)
Suite Shared Configuration CS4
Sun Java Runtime Environment and JMF
SUPERAntiSpyware Free Edition
TeamSpeak 2 RC2
TextMaker Viewer
Trillian
TrueCrypt
Trust WB-1400T Webcam
UltraVNC 1.0.5.3
Uninstall 1.0.0.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
VideoLAN VLC media player 0.8.6i
VMware Workstation
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live-Uploadtool
World of Warcraft
World of Warcraft FREE Trial
XviD MPEG-4 Video Codec
You Don't Know Jack 4 1.00
Zattoo 3.3.1 Beta
Are the findings from the antivirus engines worrying? I also ran the online virus check at CAT-QuickHeal, where quite adventurous / many viruses were found (unfortunately I forgot / ignored which ones), in programs that, I assume, were certainly not infected with viruses (Napster.exe, e.g., was some trojan). It also wasn't the same virus as the one found in the installer. PS: Here's the normal HijackThis log: Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:52, on 18.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\sipgate X-Lite\sipgateXLite.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files (x86)\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\conime.exe
C:\Users\Michael\Downloads\HiJackThis.exe
C:\Windows\SysWOW64\notepad.exe
C:\Program Files\iTunes\iTunes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files (x86)\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files (x86)\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Michael\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: sipgate X-Lite.lnk = C:\Program Files (x86)\sipgate X-Lite\sipgateXLite.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {09175D10-323C-4127-A679-5FA02855A4B2} (onlnscan Control) - http://download6.quickheal.com/onlnscan/nt/activex/onlnscan.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: O&O Defrag - Unknown owner - C:\Windows\system32\oodag.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8054 bytes

Last edited by jkcgn1 (18.05.2009 at 16:04)