Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Warsch. Vundo Trojaner eingefangen (https://www.trojaner-board.de/24426-warsch-vundo-trojaner-eingefangen.html)

Shauku 11.12.2005 15:17
Warsch. Vundo Trojaner eingefangen
 
Ich hab mir wahrscheinlich nen Vundo Trojaner eingefangen...:pfui: . Wie soll ich vorgehen?

Code:
Logfile of HijackThis v1.99.1
Scan saved at 15:16:05, on 11.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGNT.EXE
E:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
E:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Programme\Nikon\NkView6\NkvMon.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
E:\Programme\Firefox\firefox.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
M:\KomaMail\Koma_Mail.exe
C:\WINDOWS\system32\wuauclt.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - E:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtstr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\jkklm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ICQ Lite] E:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] E:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = E:\Programme\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://E:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131793914091
O17 - HKLM\System\CCS\Services\Tcpip\..\{F01A7D3B-FA5F-44C5-9847-AB86F0DE4FE5}: NameServer = 217.237.150.141 217.237.150.97
O20 - Winlogon Notify: jkklm - C:\WINDOWS\system32\jkklm.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\SYSTEM32\vtstr.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Programme\Sygate\SPF\smc.exe

Shauku 11.12.2005 19:38
Krieg das Teil nach wie vor nicht weg. Ist einer von dieser heißgeliebten Loop-Sorte. Hab versucht, ihn per Hand aus der Registry zu schmeißen, Hijackthis springt nicht an, AntiVir sowieso nicht...
Hoffe, es nimmt sich jemand meines nicht allzu berauschenden Problems an... :kloppen:

Wildone 11.12.2005 20:36
Hallo,
versuche es mal mit dieser Anleitung und poste danach ein neues Logfile.


Grüße Wildone

Shauku 11.12.2005 21:30
Ich bin mir nicht wirklich sicher ob ichs wirklich mit Vundo zu tun habe:
Die Dateien auf die in dem Tut verwiesen wird:
C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\mllml.dll

Meine Problemchendateien:
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\jkklm.dll

Aber ich werds versuchen und dann das Log posten, jo. (Zu der Annahme "Vundo" bin ich durch Googeln der Datei vtstr.dll gekommen)

chaosman 11.12.2005 22:04
@Shauku
Hast recht wildone
schließe mich deine meinung an

chaosman:daumenhoch:

Wildone 11.12.2005 22:09
Hallo,
das ist definitiv Vundo(B) (zu erkennen an dem "MSEvents Object" in dem O2 Eintrag) die Dateinamen in der Anleitung sind nur Beispiele du mußt sie natürlich mit den bei dir infizierten Dateien durchführen.


Grüße Wildone

Shauku 11.12.2005 23:36
http://www.hijackthis.de/gfx/gut.gif

Mehr als Step 1 hab ich anscheinend nicht benötigt. Hab also nur http://secured2k.home.comcast.net/to...undoBeGone.exe im Abgesicherten Modus benutzen müssen. Bis jetzt ist er nicht wieder aufgetaucht. Ich lass grad AntiVir durchlaufen. Wenn sich noch was ändert, meld ich mich.

Code:
Logfile of HijackThis v1.99.1
Scan saved at 23:30:56, on 11.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGNT.EXE
E:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
E:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
E:\Programme\Nikon\NkView6\NkvMon.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - E:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ICQ Lite] E:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = E:\Programme\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://E:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Translate English Word - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131793914091
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Programme\Sygate\SPF\smc.exe
Code:
[12/11/2005, 23:21:23] - VirtumundoBeGone v1.5 ( VirtumundoBeGone.exe)
[12/11/2005, 23:21:34] - Detected System Information:
[12/11/2005, 23:21:34] -  Windows Version: 5.1.2600, Service Pack 2
[12/11/2005, 23:21:34] -  Current Username: Shauku (Admin)
[12/11/2005, 23:21:34] -  Windows is in SAFE mode with Networking.
[12/11/2005, 23:21:34] - Searching for Browser Helper Objects:
[12/11/2005, 23:21:34] -  BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} ()
[12/11/2005, 23:21:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/11/2005, 23:21:34] -  Checking for HKLM\...\Winlogon\Notify\vtstr
[12/11/2005, 23:21:34] -  Found: HKLM\...\Winlogon\Notify\vtstr - This is probably Virtumundo.
[12/11/2005, 23:21:34] -  Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[12/11/2005, 23:21:34] - BHO list has been changed! Starting over...
[12/11/2005, 23:21:34] -  BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} (MSEvents Object)
[12/11/2005, 23:21:34] - ALERT: Found MSEvents Object!
[12/11/2005, 23:21:34] -  BHO 2: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/11/2005, 23:21:34] -  BHO 3: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[12/11/2005, 23:21:34] - ALERT: Found MSEvents Object!
[12/11/2005, 23:21:34] - Finished Searching Browser Helper Objects
[12/11/2005, 23:21:34] - *** Detected MSEvents Object
[12/11/2005, 23:21:34] - Trying to remove MSEvents Object...
[12/11/2005, 23:21:35] -    Terminating Process: IEXPLORE.EXE
[12/11/2005, 23:21:35] -    Terminating Process: RUNDLL32.EXE
[12/11/2005, 23:21:35] -    Disabling Automatic Shell Restart
[12/11/2005, 23:21:35] -    Terminating Process: EXPLORER.EXE
[12/11/2005, 23:21:35] -    Suspending the NT Session Manager System Service
[12/11/2005, 23:21:35] -    Terminating Windows NT Logon/Logoff Manager
[12/11/2005, 23:21:35] -    Re-enabling Automatic Shell Restart
[12/11/2005, 23:21:35] -  File to disable: C:\WINDOWS\system32\vtstr.dll
[12/11/2005, 23:21:35] -  Renaming C:\WINDOWS\system32\vtstr.dll -> C:\WINDOWS\system32\vtstr.dll.vir
[12/11/2005, 23:21:35] -  File successfully renamed!
[12/11/2005, 23:21:35] -  Removing HKLM\...\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/11/2005, 23:21:35] -  Removing HKCR\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/11/2005, 23:21:35] -  Adding Kill Bit for ActiveX for GUID: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/11/2005, 23:21:35] -  Deleting ATLEvents/MSEvents Registry entries
[12/11/2005, 23:21:35] -  Removing HKLM\...\Winlogon\Notify\vtstr
[12/11/2005, 23:21:35] - Searching for Browser Helper Objects:
[12/11/2005, 23:21:35] -  BHO 1: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/11/2005, 23:21:35] -  BHO 2: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[12/11/2005, 23:21:35] - ALERT: Found MSEvents Object!
[12/11/2005, 23:21:35] - Finished Searching Browser Helper Objects
[12/11/2005, 23:21:35] - *** Detected MSEvents Object
[12/11/2005, 23:21:35] - Trying to remove MSEvents Object...
[12/11/2005, 23:21:36] -    Terminating Process: IEXPLORE.EXE
[12/11/2005, 23:21:36] -    Terminating Process: RUNDLL32.EXE
[12/11/2005, 23:21:36] -    Disabling Automatic Shell Restart
[12/11/2005, 23:21:36] -    Terminating Process: EXPLORER.EXE
[12/11/2005, 23:21:36] -    Suspending the NT Session Manager System Service
[12/11/2005, 23:21:37] -    Terminating Windows NT Logon/Logoff Manager
[12/11/2005, 23:21:37] -    Re-enabling Automatic Shell Restart
[12/11/2005, 23:21:37] -  File to disable: C:\WINDOWS\system32\jkklm.dll
[12/11/2005, 23:21:37] -  Renaming C:\WINDOWS\system32\jkklm.dll -> C:\WINDOWS\system32\jkklm.dll.vir
[12/11/2005, 23:21:37] -  File successfully renamed!
[12/11/2005, 23:21:37] -  Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/11/2005, 23:21:37] -  Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/11/2005, 23:21:37] -  Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[12/11/2005, 23:21:37] -  Deleting ATLEvents/MSEvents Registry entries
[12/11/2005, 23:21:37] -  Removing HKLM\...\Winlogon\Notify\jkklm
[12/11/2005, 23:21:37] - Searching for Browser Helper Objects:
[12/11/2005, 23:21:37] -  BHO 1: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/11/2005, 23:21:37] - Finished Searching Browser Helper Objects
[12/11/2005, 23:21:37] - Finishing up...
[12/11/2005, 23:21:37] - A restart is needed.
[12/11/2005, 23:21:54] - Attempting to Restart via STOP error (Blue Screen!)

[12/11/2005, 23:24:50] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Shauku\Desktop\VirtumundoBeGone.exe" )
[12/11/2005, 23:24:59] - User choose NOT to continue. Exiting...
Auf welchen Werbebanner kann ich Klicken, dass ihr euch auch freut? :aplaus:


Alle Zeitangaben in WEZ +1. Es ist jetzt 18:19 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55