|
AVZ - Neues Tool gegen Malware. Hallo Zusammen, seit Kurzem erschien AVZ 4.19 (Autor Oleg Zaitsew [Oлег Зайцев], Russland) in englischer Sprache (DL-Link). Das Programm ist in Rußland bereits seit ein Paar Jahren bekannt und hilft in machen Fällen ganz gut. Das Programm, lt. Aussage vom Autor, stellt ein Mix aus TrojanHunter und AdAware dar. Die von Malware betroffenen User könnten das Tool gleich ausprobieren. Fragen an Autor können per E-Mail an in der Info-Tafel angegebene Adresse in Englisch geschickt werden. Wer sich mit dem Englischen nicht wohl füllt, bitte an mich eine PM senden: ich werde eure Anfrage übersetzen und im russischsprachigen Forum setzen oder direkt zum Autor senden. |
hmm ? Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211) Copyright © Igor Daniloff, 1992-2005 File size: 1638.1K avz4en.zip - archive ZIP >avz4en.zip/avz4/avz.cnt - OK >avz4en.zip/avz4/avz.exe packed by UPX In file >>avz4en.zip/avz4/avz.exe probably found virus DLOADER.Trojan >avz4en.zip/avz4/AVZ.HLP - OK >avz4en.zip/avz4/avz.sys - OK >avz4en.zip/avz4/avz.url - OK >avz4en.zip/avz4/avzsg.sys - OK >avz4en.zip/avz4/Base/extract.avz - OK >avz4en.zip/avz4/Base/keylogger.avz - OK >avz4en.zip/avz4/Base/lang_en.avz - OK >avz4en.zip/avz4/Base/main.avz - OK >avz4en.zip/avz4/Base/main001.avz - OK >avz4en.zip/avz4/Base/main002.avz - OK >avz4en.zip/avz4/Base/main003.avz - OK >avz4en.zip/avz4/Base/main004.avz - OK >avz4en.zip/avz4/Base/main005.avz - OK >avz4en.zip/avz4/Base/neural.avz - OK >avz4en.zip/avz4/Base/neurald.avz - OK >avz4en.zip/avz4/Base/neurale.avz - OK >avz4en.zip/avz4/Base/neuralm.avz - OK >avz4en.zip/avz4/Base/ports.avz - OK >avz4en.zip/avz4/Base/repair.avz - OK >avz4en.zip/avz4/Base/rootkit.avz - OK >avz4en.zip/avz4/Base/scripts.avz - OK >avz4en.zip/avz4/Base/signf001.avz - OK >avz4en.zip/avz4/Base/signf002.avz - OK >avz4en.zip/avz4/Base/signfusr.avz - OK >avz4en.zip/avz4/Base/syscheck.avz - OK >avz4en.zip/avz4/version.txt - OK |
@iso9001 Dr.Web daemon for Linux & probably dazu ;). |
Also mein Dr.Web erkennt daran mit aktivierter Heuristik nichts. Hat dies evtl. schon jemand eingeschickt? |
Zitat:
|
Zitat:
|
>>>> Danger - the avz.exe file has been modified: its current CRC is not listed in Trusted Objects Database AVZ Antiviral Toolkit log; AVZ version is 4.32 Scanning started at 27.08.2009 00:39:34 Database loaded: signatures - 238532, NN profile(s) - 2, malware removal microprograms - 56, signature database released 26.08.2009 00:12 Heuristic microprograms loaded: 374 PVS microprograms loaded: 9 Digital signatures of system files loaded: 137134 Heuristic analyzer mode: Maximum heuristics mode Malware removal mode: enabled Windows version is: 5.1.2600, Service Pack 2 ; AVZ is run with administrator rights System Restore: Disabled 1. Searching for Rootkits and other software intercepting API functions 1.1 Searching for user-mode API hooks Analysis: kernel32.dll, export table found in section .text Analysis: ntdll.dll, export table found in section .text Function ntdll.dll:NtCreateFile (123) intercepted, method - CodeHijack (not defined) Function ntdll.dll:NtCreateProcess (134) intercepted, method - CodeHijack (not defined) Function ntdll.dll:NtCreateProcessEx (135) intercepted, method - CodeHijack (not defined) Function ntdll.dll:NtDeviceIoControlFile (154) intercepted, method - CodeHijack (not defined) Function ntdll.dll:NtOpenFile (204) intercepted, method - CodeHijack (not defined) Function ntdll.dll:NtQueryInformationProcess (243) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwCreateFile (933) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwCreateProcess (944) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwCreateProcessEx (945) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwDeviceIoControlFile (963) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwOpenFile (1013) intercepted, method - CodeHijack (not defined) Function ntdll.dll:ZwQueryInformationProcess (1052) intercepted, method - CodeHijack (not defined) Analysis: user32.dll, export table found in section .text Analysis: advapi32.dll, export table found in section .text Analysis: ws2_32.dll, export table found in section .text Analysis: wininet.dll, export table found in section .text Analysis: rasapi32.dll, export table found in section .text Analysis: urlmon.dll, export table found in section .text Analysis: netapi32.dll, export table found in section .text 1.4 Searching for masking processes and drivers Searching for masking processes and drivers - complete Driver loaded successfully 1.5 Checking IRP handlers \FileSystem\ntfs[IRP_MJ_CREATE] = F7454A35 -> C:\WINDOWS\System32\drivers\e49dd731.sys \FileSystem\ntfs[IRP_MJ_CLOSE] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_WRITE] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_EA] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89B9E1F8 -> hook not defined \FileSystem\ntfs[IRP_MJ_PNP] = 89B9E1F8 -> hook not defined \driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F7455887 -> C:\WINDOWS\System32\drivers\e49dd731.sys Checking - complete 2. Scanning RAM Number of processes found: 32 Extended process analysis: 1772 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 180 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Listens on TCP ports ! [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 500 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 608 C:\WINDOWS\system32\svchost.exe [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 948 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 1056 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 172 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 488 C:\WINDOWS\system32\nvsvc32.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 704 C:\Programme\samsung\Samsung Network Manager\SNMWLANService.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows Extended process analysis: 1644 C:\WINDOWS\system32\svchost.exe [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 1876 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Capable of sending mail ?! [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 1920 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Capable of sending mail ?! [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 436 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Capable of sending mail ?! [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 2536 C:\WINDOWS\system32\wbem\wmiapsrv.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 3640 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? >>> The real size is supposed to be = 22380544 Extended process analysis: 3148 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 3256 C:\WINDOWS\System32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder Extended process analysis: 13052 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 11244 C:\WINDOWS\system32\taskmgr.exe [ES]:Program code includes networking-related functionality [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 38980 C:\WINDOWS\system32\wiwow64.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 42452 C:\WINDOWS\system32\svchost.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Extended process analysis: 39152 C:\WINDOWS\system32\sofatnet.exe [ES]:Program code includes networking-related functionality [ES]:Application has no visible windows [ES]:Located in system folder [ES]:Loads RASAPI DLL - may use dialing ? Number of modules loaded: 302 Scanning RAM - complete 3. Scanning disks C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\9VWS09C6\bbsuper1[1].htm - PE file with non-standard extension(dangerousness level is 5%) File quarantined succesfully (C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\9VWS09C6\bbsuper1[1].htm) File quarantined succesfully (C:\WINDOWS\system32\10.tmp) C:\WINDOWS\system32\10.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\14.tmp) C:\WINDOWS\system32\14.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\1A.tmp) C:\WINDOWS\system32\1A.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\1C.tmp) C:\WINDOWS\system32\1C.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\1E.tmp) C:\WINDOWS\system32\1E.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\21.tmp) C:\WINDOWS\system32\21.tmp >>>>> Email-Worm.Win32.Joleee.cws deleted successfully File quarantined succesfully (C:\WINDOWS\system32\26.tmp) C:\WINDOWS\system32\26.tmp >>>>> Email-Worm.Win32.Joleee.cwm deleted successfully File quarantined succesfully (C:\WINDOWS\system32\3C.tmp) C:\WINDOWS\system32\3C.tmp >>>>> Email-Worm.Win32.Joleee.cwm deleted successfully File quarantined succesfully (C:\WINDOWS\system32\42.tmp) C:\WINDOWS\system32\42.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\A.tmp) C:\WINDOWS\system32\A.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\B.tmp) C:\WINDOWS\system32\B.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully File quarantined succesfully (C:\WINDOWS\system32\C.tmp) C:\WINDOWS\system32\C.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully Direct reading: C:\WINDOWS\system32\drivers\sptd.sys File quarantined succesfully (C:\WINDOWS\system32\E.tmp) C:\WINDOWS\system32\E.tmp >>>>> Email-Worm.Win32.Mydoom.iw deleted successfully Direct reading: D:\331aa155a4e18f478495237f\DeleteTemp.exe Direct reading: D:\331aa155a4e18f478495237f\dlmgr.dll Direct reading: D:\331aa155a4e18f478495237f\GenComp.dll Direct reading: D:\331aa155a4e18f478495237f\HtmlLite.dll Direct reading: D:\331aa155a4e18f478495237f\Setup.EXE Direct reading: D:\331aa155a4e18f478495237f\setupres.1025.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1028.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1029.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1030.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1031.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1032.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1035.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1036.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1037.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1038.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1040.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1041.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1042.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1043.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1044.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1045.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1046.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1049.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1053.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.1055.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.2052.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.2070.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.3082.dll Direct reading: D:\331aa155a4e18f478495237f\setupres.dll Direct reading: D:\331aa155a4e18f478495237f\SitSetup.DLL Direct reading: D:\331aa155a4e18f478495237f\VS70UIMgr.dll Direct reading: D:\331aa155a4e18f478495237f\VSBaseReqs.dll Direct reading: D:\331aa155a4e18f478495237f\VSScenario.dll Direct reading: D:\331aa155a4e18f478495237f\VS_Setup.dll Direct reading: D:\331aa155a4e18f478495237f\vs_setup.msi Direct reading: D:\331aa155a4e18f478495237f\WapRes.1025.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1028.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1029.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1030.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1031.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1032.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1035.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1036.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1037.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1038.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1040.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1041.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1042.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1043.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1044.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1045.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1046.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1049.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1053.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.1055.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.2052.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.2070.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.3082.dll Direct reading: D:\331aa155a4e18f478495237f\WapRes.dll Direct reading: D:\331aa155a4e18f478495237f\WapUI.dll Direct reading: D:\331aa155a4e18f478495237f\wcu\dotNetFramework\dotNetFX20\Netfx20a_x86.msi Removing traces of deleted files... 4. Checking Winsock Layered Service Provider (SPI/LSP) LSP settings checked. No errors detected 5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs) 6. Searching for opened TCP/UDP ports used by malicious software Checking - disabled by user 7. Heuristic system check >>> Suspicion for service/driver reg key masking "e49dd731" >>> Suspicion for service/driver reg key masking "kbiwkmcuunjeta" >>> Suspicion for service/driver reg key masking "xexkins" Checking - complete 8. Searching for vulnerabilities >> Services: potentially dangerous service allowed: TermService (Terminaldienste) >> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst) >> Services: potentially dangerous service allowed: Schedule (Taskplaner) >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe) >> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe) > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)! >> Security: disk drives' autorun is enabled >> Security: anonymous user access is enabled >> Security: sending Remote Assistant queries is enabled Checking - complete 9. Troubleshooting wizard >> HDD autorun is allowed >> Network drives autorun is allowed >> Removable media autorun is allowed Checking - complete Files scanned: 84080, extracted from archives: 63599, malicious software found 13, suspicions - 0 Scanning finished at 27.08.2009 00:50:21 Time of scanning: 00:10:49 If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\drivers\e49dd731.sys) Quarantine file (direct disk reading) "%S" - failed (error) hi ich habe genau das befolgt was da stand und kopier mal meinen scan rein ich habe mir da was eingefangen das ich mit garkeinem tool löschen kann ...kannst du vllt hier was erkennen???thx im vorraus |
:hallo: Lies dir bitte folgendes durch http://www.trojaner-board.de/anleitu...uncements.html und erstelle ein neues Thema mit den Reporten von den Programmen aus Punkt 2. |
|
| Alle Zeitangaben in WEZ +1. Es ist jetzt 11:27 Uhr. |
Copyright ©2000-2024, Trojaner-Board