Kudos: 0

New trojan that Norton does not detect

Hello forum members,

I urgently need your help! I caught a trojan yesterday. The mail came from a trusted e-mail address with a zip attachment. Had Norton scan it. All green. Unpacked the file and saw that it was a PDF. Also all green. Then, on opening it, disaster. Not a PDF, but a program at work. After that I ran Norton Eraser and a Norton full scan. No threat found. Spy&Robot also found nothing. Still, it gave me no peace, and I searched the internet for the file and, lo and behold, a trojan. The file is called 1404UT_TPL_screen.

Attached you will find the info I found on the net (sparse, sparse). Now my questions to you:

1. What does the program do, exactly?

2. How do I get rid of it again? I deleted the file with Eraser, as well as the file Goviewer.exe that it installed. Reset the system to an old restore point. Ran Norton and Spy&Robot over it again. Nothing, but the suspicion remains.

So I need help, help, help.

And here is the info I found:

Source: https://www.hybrid-analysis.com

Malicious 5

Based on Anti-Virus Test Result:
• 2/56 Antivirus vendors marked sample as malicious (3% detection rate)

Based on API Call:
• "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 32 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
• "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 52 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
• "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" wrote 4 bytes to a foreign process "Goviewer.exe" (PID: 00002312)
• "Goviewer.exe" wrote 32 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)
• "Goviewer.exe" wrote 52 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)
• "Goviewer.exe" wrote 4 bytes to a foreign process "AcroRd32.exe" (PID: 00002400)

Based on Registry Access:
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE", Key: "SCAVENGECACHEFILELIMIT")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "DISABLECACHINGOFSSLPAGES")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSHTTPNOCACHECHECK")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSHTTPNOCACHECHECK")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSSSLNOCACHECHECK")
• "Goviewer.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "BYPASSSSLNOCACHECHECK")

Based on API Call:
• "Goviewer.exe" allocated 00000088 bytes of memory in "AcroRd32.exe" (Protection: "read/write")

Based on Registry Access:
• "Goviewer.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
• "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
• "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
• "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
• "Goviewer.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
• "AcroRd32.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
• "AcroRd32.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
• "AcroRd32.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")

Based on API Call:
• "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" read file "C:\Windows\win.ini"
• "Goviewer.exe" read file "C:\Windows\win.ini"
• "Goviewer.exe" read file "C:\Users\desktop.ini"
• "Goviewer.exe" read file "C:\Users\PSPUBWS\Desktop\desktop.ini"
• "Goviewer.exe" read file "C:\Users\PSPUBWS\Searches\desktop.ini"
• "Goviewer.exe" read file "C:\Users\PSPUBWS\Videos\desktop.ini"
• "Goviewer.exe" read file "C:\Users\PSPUBWS\Pictures\desktop.ini"

Based on TrID evaluation:
• TrID distribution is very similar to the "CTB-Locker" family (e.g. SHA256: cbba56bd16222191f1468a1d93b63945394371cfb9ffe38f34a9575c5655e57a)

Based on Created Mutant:
• "Local\WininetStartupMutex"
• "Local\WininetConnectionMutex"
• "Local\WininetProxyRegistryMutex"

Based on Static Parser:
• GetStartupInfoA
• LoadLibraryW
• GetModuleHandleA

Based on Registry Access:
• "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "DE-DE")
• "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "DE-DE")
• "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")

Based on API Call:
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1, Subtree: 2147483648)
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1, Subtree: 2147483648)
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASAPI32" (Filter: 14, Subtree: 2147483648)
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\AcroRd32_RASMANCS" (Filter: 14, Subtree: 2147483648)
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4, Subtree: 2147483648)
• "AcroRd32.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Root" (Filter: 5, Subtree: 1)
• "AcroRd32.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5, Subtree: 1)

Based on Registry Access:
• "Goviewer.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS", Key: "", Value: "")
• "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS", Key: "", Value: "")

Based on Dropped File:
• "Goviewer.exe.153610" has type "PE32 executable (GUI) Intel 80386, for MS Windows"

Based on Registry Access:
• "AcroRd32.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")

Based on Touched Handle:
• "Goviewer.exe" had access to "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")
• "AcroRd32.exe" had access to "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")

Based on Registry Access:
• "Goviewer.exe" (Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "WARNONHTTPSTOHTTPREDIRECT")

Based on API Call:
• "AcroRd32.exe" opened "\Device\KsecDD"

Based on API Call:
• "C:\Users\PSPUBWS\AppData\Local\Temp\Goviewer.exe" marked "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QA0UPEJW\checkip_dyndns_org[1].htm" for deletion
• "C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe" marked "\Device\HarddiskVolume2\Users\PSPUBWS\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal" for deletion

Based on API Call:
• "Goviewer.exe" opened "C:\Users\PSPUBWS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QA0UPEJW\checkip_dyndns_org[1].htm" with delete access
• "AcroRd32.exe" opened "C:\Users\PSPUBWS\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal" with delete access
• "AcroRd32.exe" opened "C:\Users\PSPUBWS\AppData\Local\Adobe\Acrobat\11.0\AdobeFnt14.lst.2400" with delete access

Based on Created Mutant:
• "IESQMMUTEX_0_208"
• "Local\_!MSFTHISTORY!_"
• "Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
• "Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
• "Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
• "Local\WininetStartupMutex"
• "Local\WininetConnectionMutex"
• "Local\WininetProxyRegistryMutex"
• "Local\ZonesCounterMutex"
• "Local\ZoneAttributeCacheCounterMutex"

Based on Loaded Module:
• "a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3" loaded module "C:\Windows\system32\RICHED32.dll" at 72200000
• "Goviewer.exe" loaded module "C:\Windows\system32\RICHED32.dll" at 72200000

Based on API Call:
• "Goviewer.exe" loaded module "IPHLPAPI.DLL" at base 74EB0000
• "Goviewer.exe" loaded module "URLMON.DLL" at base 75C00000
• "Goviewer.exe" loaded module "VERSION.DLL" at base 74ED0000
• "Goviewer.exe" loaded module "C:\WINDOWS\SYSTEM32\FWPUCLNT.DLL" at base 724F0000
• "Goviewer.exe" loaded module "SHELL32.DLL" at base 76710000
• "Goviewer.exe" loaded module "OLE32.DLL" at base 77630000
• "Goviewer.exe" loaded module "PROPSYS.DLL" at base 746A0000
• "Goviewer.exe" loaded module "COMCTL32.DLL" at base 747E0000

Based on API Call:
• "Goviewer.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\logB22D.log"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB4.tmp"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB5.tmp"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB6.tmp"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB7.tmp"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB8.tmp"
• "AcroRd32.exe" created file "C:\Users\PSPUBWS\AppData\Local\Temp\A9R8CB9.tmp"

Based on Dropped File:
• "Goviewer.exe.153610" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
• "logB22D.log.153340" has type "data"
• "viagra.pdf.160520" has type "PDF document, version 1.3"
• "vikuc[1].png.160410" has type "data"
• "checkip_dyndns_org[1].htm.159399" has type "HTML document, ASCII text, with CRLF line terminators"

File Details: 1404UK_TPL_screen.exe

Filename: 1404UK_TPL_screen.exe
Size: 29KiB (29696 bytes)
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: 32 Bit
MD5: 622837d62e396098cb9925f5b1e4c763
SHA1: c7a2b636f5777a4fe2193425c34f5929dfcc546d
SHA256: a59016e67093c50a4b9207522946b1e16462016089952d925aaa00e1c33146d3
SHA512: dc1380f12b6f2cb30a2b8813608992c7c9214f444497c06f2e4233fa5271289d66cb2003077e6132ff325af0954714f9bbda731f6ddb8e293ab6abd2417ad3d5
SSDEEP: 384:wnMS28LqA9sddG4bQjAEKVzYzsro8NXyhf6hjXwgyPQAAAAAAz1T72V:SMSz39+d/3EWQR8N8f6hjAPm1
IMPHASH: 68c02398a41c216b9a8e20c599285018

Resources
Language: ITALIAN,ENGLISH
Icon, Visualization (PortEx), PE Layout: [images not reproduced]

Version Info
LegalCopyright: Copyright 2007-2010 Mecohot Inc.
InternalName: Mecohot Update
FileVersion: 1.3.5.5
CompanyName: Mecohot Inc.
ProductName: Mecohot Update
ProductVersion: 1.3.5.5
FileDescription: Mecohot Installer
OriginalFilename: MecohotInfo.exe
Translation: 0x0410 0x04b1

Classification (TrID)
• 43.5% (.DLL) Win32 Dynamic Link Library (generic)
• 29.8% (.EXE) Win32 Executable (generic)
• 13.2% (.EXE) Generic Win/DOS Executable
• 13.2% (.EXE) DOS Executable Generic
• 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)

Labels: trojan

Replies

Kudos: 0

Re: New trojan that Norton does not detect

Once again: you don't open an email with a PDF or stuff like that, and you surely also haven't changed the Windows setting so that file extensions are visible; usually, when you hover over it, there is a blabla.pdf.exe.

No Amazon, eBay or any other company sends a PDF just like that, and no company or the like sends an email with a PDF attached where the customer, the customer number and what you are paying for aren't even stated in the email; from the telecom companies PDFs do arrive, but then you see it right away anyway. ;-)

Reinstall Windows, change all passwords immediately, and you're fine.

And learn from it. ^^ I've heard that humans are capable of learning, well, except for Angela Merkel.^^

Windows 10 Enterprise 1903 18361.1 x64. Firefox 68a1 x64, ThunderBird 60.6 x64, MS Office 365 Personal subscription x64. Non-existent viruses courtesy of Norton Security Premium x64 v 22.17.0.183* http://www.sysprofile.de/id178217 Greetings from a happy, now ONLY 64-bit-compatible Marc Senn. I love you, real dream woman Carla. Now on the go with VDSL 100K
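An added defensive check, not code from the thread, from Norton or from hybrid-analysis: the original post describes a zip attachment whose entry passed as a PDF but was a Windows executable (the sandbox report types the dropped file as "PE32 executable"), and the reply above points to the ".pdf.exe" trick that hidden file extensions make invisible. The script inspects every entry of a ZIP by its leading bytes and its name without extracting or running anything; the archive and the entry names are constructed for illustration.

```python
import io
import zipfile

# Magic bytes for the two content types that matter in this thread:
# a genuine PDF starts with "%PDF", a Windows PE executable with "MZ".
MAGIC = {b"%PDF": "pdf", b"MZ": "pe"}

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def check_entry(name: str, head: bytes) -> list:
    """Return a list of findings for one archive entry (empty = nothing odd)."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]            # ["pdf", "exe"] for "x.pdf.exe"
    last = exts[-1] if exts else ""
    kind = sniff(head)

    # "x.pdf.exe" is displayed as "x.pdf" when Windows hides known extensions.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append("double extension hides an executable")
    elif last in EXECUTABLE_EXTS:
        findings.append("executable attachment")

    # The name says document, the bytes say PE: a disguised program.
    if kind == "pe" and last not in EXECUTABLE_EXTS:
        findings.append("PE content under non-executable extension")
    if kind == "pdf" and last != "pdf":
        findings.append("PDF content under unexpected extension")
    return findings


def inspect_zip(data: bytes) -> dict:
    """Inspect every file in a ZIP archive without extracting or running it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # only the magic bytes are needed
            report[info.filename] = check_entry(info.filename, head)
    return report


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the attachment from the thread)."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # start of a DOS/PE header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.3\n%constructed\n")  # genuine PDF
        zf.writestr("statement.pdf.exe", pe_stub)                 # double extension
        zf.writestr("scan.pdf", pe_stub)                          # PE renamed to .pdf
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in inspect_zip(build_sample_zip()).items():
        print(f"{entry}: {', '.join(findings) or 'ok'}")
```

The same check works on a real attachment by passing the bytes of the downloaded archive to inspect_zip, which never executes any entry.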
Kudos: 0

Re: New trojan that Norton does not detect

And send the file to Symantec so that it will be detected in future.

Kudos: 0

Re: New trojan that Norton does not detect

@ EynMarc: That's all well and good, but wouldn't it be much better if you could also rely on software you paid a lot of money for?

If all of this could be avoided by "being careful", you wouldn't need Internet Security at all.

Regards

Kudos: 0

Re: New trojan that Norton does not detect

Unfortunately, there is no antivirus software that detects everything.

Kudos: 0

Re: New trojan that Norton does not detect

Get Malwarebytes and have it scan the computer.

Malwarebytes finds more than Norton!

Kudos: 0

Re: New trojan that Norton does not detect

That is exactly what always annoys me. One should be able to expect that Norton's paid software finds at least the same things as Malwarebytes. This program shows that this malware can be found.

Regards
