Bundes-Trojaner roper0dun.exe

Hello everyone!
Last Thursday I apparently picked up a Bundestrojaner. A UKash window opened in the browser that could not be closed. I then logged in in Safe Mode and removed a certain roper0dun.exe from Startup; after a reboot the window did not come back.
I have first taken a picture of the Bitdefender alerts, I hope they are legible: http://www.picurrax.de/img_4b603e850...818203_raw.jpg
After the reboot I ran a deep system scan with Bitdefender. It did the following: Code:
Objektpfad Name der Bedrohung Abschluss Status
Datei: C:\Users\mambo\AppData\Local\Mozilla\Firefox\Profiles\w3p9m2y5.default\Cache\F\DC\9C151d01=>(INFECTED_JS) PDF:Exploit.PDF-JS.FI In Quarantäne verschoben
Datei: C:\Users\mambo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3993f5d1-45926a09 Trojan.Generic.KDV.706954 Gelöscht
Datei: C:\Users\mambo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\2596e17a-2855182e Trojan.Generic.KDV.711774 Gelöscht
After that I also ran OTL with some settings I found here in the forum. Here is the log: Code:
All processes killed
========== OTL ==========
No active process named MotoConnectService.exe was found!
No active process named ClipInc-Server.exe was found!
No active process named CLCapSvc.exe was found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0F0870DA-0D3F-4E93-909B-282D117970B9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F0870DA-0D3F-4E93-909B-282D117970B9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0F0870DA-0D3F-4E93-909B-282D117970B9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F0870DA-0D3F-4E93-909B-282D117970B9}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ not found.
File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ not found.
File C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Mouse Suite 98 Daemon not found.
File C:\Windows\System32\ICO.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Starting removal of ActiveX control {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}\ not found.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
File C:\Users\Astrid\Desktop\Defogger.exe not found.
File C:\Users\Astrid\Desktop\Defogger.exe not found.
File C:\Windows\tasks\GoogleUpdateTaskMachineCore.job not found.
File C:\ProgramData\nud0repor.pad not found.
File C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk not found.
File C:\Users\Astrid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk not found.
File C:\ProgramData\nud0repor.pad not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Auflösungscache wurde geleert.
C:\Users\mambo\Desktop\cmd.bat deleted successfully.
C:\Users\mambo\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: mambo
->Temp folder emptied: 4681608309 bytes
->Temporary Internet Files folder emptied: 456387013 bytes
->Java cache emptied: 4935155 bytes
->FireFox cache emptied: 64735737 bytes
->Google Chrome cache emptied: 19035479 bytes
->Flash cache emptied: 1124792 bytes
User: Public
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 318618900 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 279904 bytes
RecycleBin emptied: 810 bytes
Total Files Cleaned = 5.290,00 mb
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: mambo
->Flash cache emptied: 0 bytes
User: Public
User: UpdatusUser
Total Flash Files Cleaned = 0,00 mb
OTL by OldTimer - Version 3.2.59.1 log created on 08302012_142721
Files\Folders moved on Reboot...
C:\Users\mambo\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
Finally I also ran a Malwarebytes deep scan. It did not find anything, though.
Now I am wondering whether the virus has been completely removed?
And what did the virus do? My Blizzard account was locked due to "suspicious activity". That makes me a bit uneasy right now. Apart from that, my Steam no longer logs in automatically, I don't know why.
I am grateful for any advice!