Trojaner-Board (https://www.trojaner-board.de/)
Log analysis and evaluation: BOO/Dosump.A found in the boot sector (https://www.trojaner-board.de/113095-boo-dosump-a-bootsektor-gefunden.html)

JoElZi 04.04.2012 00:17

BOO/Dosump.A found in the boot sector

Avira found the virus BOO/Dosump.A in the boot sector. I have already searched, but no search engine could tell me anything about this virus. Here are the log files (Defogger reported nothing):

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-04 00:58:45
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030U
Running: 2vjd0e99.exe; Driver: C:\Users\Admin\AppData\Local\Temp\fwldrpod.sys


---- System - GMER 1.0.15 ----

SSDT 8AE4CAE6 ZwCreateSection
SSDT 8AE4CAF0 ZwRequestWaitReplyPort
SSDT 8AE4CAEB ZwSetContextThread
SSDT 8AE4CAF5 ZwSetSecurityObject
SSDT 8AE4CAFA ZwSystemDebugControl
SSDT 8AE4CA87 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 405 82C879FC 4 Bytes [E6, CA, E4, 8A] {OUT 0xca, AL; IN AL, 0x8a}
.text ntoskrnl.exe!KeInsertQueue + 729 82C87D20 4 Bytes [F0, CA, E4, 8A]
.text ntoskrnl.exe!KeInsertQueue + 75D 82C87D54 4 Bytes [EB, CA, E4, 8A] {JMP 0xffffffffffffffcc; IN AL, 0x8a}
.text ntoskrnl.exe!KeInsertQueue + 7C1 82C87DB8 4 Bytes [F5, CA, E4, 8A] {CMC ; RETF 0x8ae4}
.text ntoskrnl.exe!KeInsertQueue + 809 82C87E00 4 Bytes [FA, CA, E4, 8A] {CLI ; RETF 0x8ae4}
.text ...
? C:\Users\Admin\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027875488f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197eef8c9f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ef16d4b
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00027875488f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197eef8c9f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197ef16d4b (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures@Adobe Flash Player Updater.job.fp -1637939173

---- EOF - GMER 1.0.15 ----

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Admin at 1:12:49 on 2012-04-04
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.1789.827 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Users\***\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\mobsync.exe
C:\Users\***\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conime.exe
C:\Users\***\AppData\Local\Programs\Opera\opera.exe
C:\Windows\system32\NOTEPAD.EXE
C:\program files\avira\antivir desktop\avcenter.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp:\\www.samsungcomputer.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp:\\www.samsungcomputer.com
mDefault_Page_URL = hxxp:\\www.samsungcomputer.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SwissAcademic.Citavi.Picker.IEPicker: {609d670f-b735-4da7-ac6d-f3bd358e325e} - mscoree.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [GMX_GMX Upload-Manager] "c:\program files\gmx\gmx upload-manager\DAVSRV.EXE" /hide
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [NSIS.Library.RegTool.v3] "c:\program files\gmx\gmx upload-manager\NSIS.Library.RegTool.v3.{83D919A3-294E-432C-A8D9-9B8DB3159903}.exe" /S
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: NoHotStart = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {619D670F-B735-4da7-AC6D-F3BD358E325E} - {609D670F-B735-4da7-AC6D-F3BD358E325E} - mscoree.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E4CF4E86-D0DC-4864-8F0E-4F6EA2526334} - hxxps://img.ui-portal.de/webde/smartdrive/activex/gmxnet_osupload_2002.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3861AC4B-0AFF-4C4A-9D1C-DBA6CCCD3C16} : DhcpNameServer = 141.2.90.1 141.2.149.10 141.2.22.74
TCP: Interfaces\{C77E67E2-256E-4D50-BB84-BE9ADB6E830F} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-18 36000]
R1 uigxrdr;uigxrdr;c:\windows\system32\drivers\uigxrdr.SYS [2012-3-28 144384]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-18 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-18 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-18 74640]
R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-6-8 21504]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2007-7-11 13312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 253600]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-1-5 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-1-5 8456]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-3-24 126696]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2011-6-8 21504]
.
=============== Created Last 30 ================
.
2012-03-30 15:23:19 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2df2dce9-1b14-46ae-8fb2-0d2cff42aae4}\mpengine.dll
2012-03-28 20:28:05 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 20:14:51 7680 ----a-w- c:\windows\system32\uigxnp.dll
2012-03-28 20:14:51 144384 ----a-w- c:\windows\system32\drivers\uigxrdr.SYS
2012-03-28 20:14:50 -------- d-----w- c:\users\admin\appdata\local\GMX
2012-03-28 20:14:50 -------- d-----w- c:\programdata\GMX
2012-03-28 20:14:40 -------- d-----w- c:\program files\GMX
2012-03-14 09:56:46 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 09:56:44 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 09:56:44 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 09:56:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 09:56:43 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 09:56:43 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 09:56:40 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 09:55:34 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 09:55:33 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-03-29 20:58:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 07:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-16 19:33:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 1:14:07,16 ===============

cosinus 05.04.2012 15:24

That is a false positive. See http://www.trojaner-board.de/113097-...tml#post808787

