Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   BOO/Dosump.A im Bootsektor gefunden (https://www.trojaner-board.de/113095-boo-dosump-a-bootsektor-gefunden.html)

JoElZi 04.04.2012 00:17
BOO/Dosump.A im Bootsektor gefunden
 
Avira hat den Virsu BOO/Dosump.A im Bootsektor gefunden. Ich habe schon gesucht, aber keine Suchmaschine hat mir irgendetwas zu diesem Virus sagen können. Hier die Log-Files (Defogger hat nichts gemeldet):

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-04-04 00:58:45
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030U
Running: 2vjd0e99.exe; Driver: C:\Users\Admin\AppData\Local\Temp\fwldrpod.sys


---- System - GMER 1.0.15 ----

SSDT 8AE4CAE6 ZwCreateSection
SSDT 8AE4CAF0 ZwRequestWaitReplyPort
SSDT 8AE4CAEB ZwSetContextThread
SSDT 8AE4CAF5 ZwSetSecurityObject
SSDT 8AE4CAFA ZwSystemDebugControl
SSDT 8AE4CA87 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInsertQueue + 405 82C879FC 4 Bytes [E6, CA, E4, 8A] {OUT 0xca, AL; IN AL, 0x8a}
.text ntoskrnl.exe!KeInsertQueue + 729 82C87D20 4 Bytes [F0, CA, E4, 8A]
.text ntoskrnl.exe!KeInsertQueue + 75D 82C87D54 4 Bytes [EB, CA, E4, 8A] {JMP 0xffffffffffffffcc; IN AL, 0x8a}
.text ntoskrnl.exe!KeInsertQueue + 7C1 82C87DB8 4 Bytes [F5, CA, E4, 8A] {CMC ; RETF 0x8ae4}
.text ntoskrnl.exe!KeInsertQueue + 809 82C87E00 4 Bytes [FA, CA, E4, 8A] {CLI ; RETF 0x8ae4}
.text ...
? C:\Users\Admin\AppData\Local\Temp\mbr.sys Das System kann die angegebene Datei nicht finden. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027875488f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197eef8c9f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ef16d4b
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00027875488f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197eef8c9f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197ef16d4b (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures@Adobe Flash Player Updater.job.fp -1637939173

---- EOF - GMER 1.0.15 ----

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Admin at 1:12:49 on 2012-04-04
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.1789.827 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Users\***\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\mobsync.exe
C:\Users\***\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\conime.exe
C:\Users\***\AppData\Local\Programs\Opera\opera.exe
C:\Windows\system32\NOTEPAD.EXE
C:\program files\avira\antivir desktop\avcenter.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp:\\www.samsungcomputer.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp:\\www.samsungcomputer.com
mDefault_Page_URL = hxxp:\\www.samsungcomputer.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SwissAcademic.Citavi.Picker.IEPicker: {609d670f-b735-4da7-ac6d-f3bd358e325e} - mscoree.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [GMX_GMX Upload-Manager] "c:\program files\gmx\gmx upload-manager\DAVSRV.EXE" /hide
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRunOnce: [NSIS.Library.RegTool.v3] "c:\program files\gmx\gmx upload-manager\NSIS.Library.RegTool.v3.{83D919A3-294E-432C-A8D9-9B8DB3159903}.exe" /S
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: NoHotStart = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {619D670F-B735-4da7-AC6D-F3BD358E325E} - {609D670F-B735-4da7-AC6D-F3BD358E325E} - mscoree.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E4CF4E86-D0DC-4864-8F0E-4F6EA2526334} - hxxps://img.ui-portal.de/webde/smartdrive/activex/gmxnet_osupload_2002.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3861AC4B-0AFF-4C4A-9D1C-DBA6CCCD3C16} : DhcpNameServer = 141.2.90.1 141.2.149.10 141.2.22.74
TCP: Interfaces\{C77E67E2-256E-4D50-BB84-BE9ADB6E830F} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-18 36000]
R1 uigxrdr;uigxrdr;c:\windows\system32\drivers\uigxrdr.SYS [2012-3-28 144384]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-18 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-18 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-18 74640]
R2 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-6-8 21504]
R2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\drivers\KMDFMEMIO.sys [2007-7-11 13312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 253600]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-1-5 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-1-5 8456]
S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-3-24 126696]
S4 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2011-6-8 21504]
.
=============== Created Last 30 ================
.
2012-03-30 15:23:19 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2df2dce9-1b14-46ae-8fb2-0d2cff42aae4}\mpengine.dll
2012-03-28 20:28:05 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-28 20:14:51 7680 ----a-w- c:\windows\system32\uigxnp.dll
2012-03-28 20:14:51 144384 ----a-w- c:\windows\system32\drivers\uigxrdr.SYS
2012-03-28 20:14:50 -------- d-----w- c:\users\admin\appdata\local\GMX
2012-03-28 20:14:50 -------- d-----w- c:\programdata\GMX
2012-03-28 20:14:40 -------- d-----w- c:\program files\GMX
2012-03-14 09:56:46 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 09:56:44 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 09:56:44 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 09:56:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 09:56:43 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 09:56:43 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 09:56:40 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 09:55:34 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 09:55:33 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-03-29 20:58:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 07:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-16 19:33:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 1:14:07,16 ===============

cosinus 05.04.2012 15:24
Das ist ein Fehlalarm. Siehe http://www.trojaner-board.de/113097-...tml#post808787


Alle Zeitangaben in WEZ +1. Es ist jetzt 12:38 Uhr.

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129