Pests of all kinds and their removal: setup.exe blocked
Windows 7
If you are not sure whether you have picked up malware or a trojan, create a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
09.06.2008, 16:35 | #16
setup.exe blocked
OK, I'll download that and post the logfiles afterwards.
10.06.2008, 12:56 | #17
setup.exe blocked
I still just need to scan with ComboFix.
12.06.2008, 14:57 | #18
setup.exe blocked
It took a bit longer because ComboFix only produced a logfile on the 4th attempt.
Here are the logfiles:

ComboFix:
ComboFix 08-06-08.8 - Matthias 2008-06-09 17:56:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.612 [GMT 2:00]
Run from: C:\Dokumente und Einstellungen\Matthias\Desktop\ComboFix.exe
* New restore point was created
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM97e346d1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lcftatht.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MUDMnnnn.ini
C:\WINDOWS\system32\MUDMnnnn.ini2
C:\WINDOWS\system32\wcyqqojo.ini
C:\WINDOWS\system32\wqtncfes.ini

((((((((((((((((((((((( Files created from 2008-05-09 to 2008-06-09 ))))))))))))))))))))))))))))))
.
2008-06-09 15:14 . 2008-06-09 15:14 <DIR> d-------- C:\Programme\PrevxCSI
2008-06-09 15:14 . 2008-06-09 16:15 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PrevxCSI
2008-06-09 15:14 . 2008-06-09 15:14 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-06-07 23:51 . 2008-06-07 23:51 <DIR> d-------- C:\Programme\Siber Systems
2008-06-07 23:51 . 2008-06-07 23:51 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RoboForm
2008-06-06 20:49 . 2008-06-06 20:49 <DIR> d-------- C:\Programme\Infogrames
2008-06-06 20:49 . 2008-06-06 20:49 <DIR> d-------- C:\Dokumente und Einstellungen\katharina\WINDOWS
2008-06-03 18:42 . 2008-06-03 18:42 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-06-03 17:38 . 2008-06-03 17:38 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-03 17:38 . 2008-06-03 17:38 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Malwarebytes
2008-06-03 17:38 . 2008-06-03 17:38 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-03 17:38 .
2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-03 17:38 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-03 14:08 . 2008-06-03 14:08 8,224 --a------ C:\GDIPFONTCACHEV1.DAT
2008-06-03 13:49 . 2003-07-06 14:07 372,736 --a------ C:\WINDOWS\system32\IJL_11.DLL
2008-06-03 13:27 . 2008-06-03 13:27 <DIR> d-------- C:\Dokumente und Einstellungen\Fuß
2008-06-03 13:27 . <DIR> C:\Dokumente und Einstellungen\Fuß\Lokale Einstellungen
2008-06-03 13:27 . <DIR> C:\Dokumente und Einstellungen\Fuß\Lokale Einstellungen
2008-06-02 22:23 . 2008-06-09 18:29 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-02 22:15 . 2008-06-02 22:15 <DIR> d-------- C:\Programme\Softwin
2008-06-02 22:15 . 2008-06-02 22:18 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\BitDefender
2008-06-02 22:10 . 2008-06-02 22:16 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Softwin
2008-06-02 21:43 . 2008-06-03 10:55 <DIR> d-------- C:\Programme\VAV
2008-06-02 21:43 . 2008-05-28 09:10 45,056 --a------ C:\WINDOWS\system32\vav.cpl
2008-06-02 19:37 . 2008-06-02 19:37 <DIR> d-------- C:\Programme\XPCD
2008-06-02 17:32 . 2008-06-02 20:19 <DIR> d-------- C:\pebuilder3110a
2008-06-01 13:13 . 2008-06-07 17:27 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\LimeWire
2008-06-01 13:09 . 2008-06-01 13:10 <DIR> d-------- C:\Programme\LimeWire
2008-06-01 12:44 . 2008-06-02 23:02 <DIR> d-------- C:\Programme\CopyKiller
2008-06-01 12:44 . 2006-08-13 22:37 198,848 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-06-01 12:44 . 2006-08-13 22:44 4,608 --a------ C:\WINDOWS\system32\W95INF32.DLL
2008-06-01 12:44 . 2006-08-13 22:44 2,272 --a------ C:\WINDOWS\system32\W95INF16.DLL
2008-05-31 16:09 . 2008-05-31 16:09 <DIR> d-------- C:\Programme\Audacity
2008-05-29 13:24 . 2008-06-05 21:25 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-05-26 14:37 . 2008-05-26 14:37 <DIR> d--hs---- C:\found.000
2008-05-25 13:01 .
2008-05-25 13:05 <DIR> d-------- C:\Programme\Ashampoo 2008-05-22 13:22 . 2008-05-22 13:24 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Vso 2008-05-22 13:22 . 2008-05-22 13:22 87,608 --a------ C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\inst.exe 2008-05-22 13:22 . 2008-05-22 13:22 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys 2008-05-22 13:22 . 2008-05-22 13:22 47,360 --a------ C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\pcouffin.sys 2008-05-22 13:21 . 2008-05-22 13:21 <DIR> d-------- C:\Programme\VSO 2008-05-21 21:31 . 2008-05-21 21:31 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\concept design 2008-05-21 16:49 . 2008-05-21 16:49 <DIR> d-------- C:\Programme\k700 Remote Profiler 2008-05-21 16:29 . 2008-05-21 16:30 <DIR> d-------- C:\Programme\BTcntrl 2008-05-21 13:32 . 2008-05-21 13:32 <DIR> d-------- C:\Programme\Sony 2008-05-21 11:13 . 2008-05-21 11:13 <DIR> d-------- C:\Programme\Smart PC Solutions 2008-05-21 10:52 . 2008-05-21 10:52 <DIR> d-------- C:\Programme\Zattoo 2008-05-20 22:06 . 2008-06-09 18:31 <DIR> d-------- C:\backups 2008-05-20 21:38 . 2008-05-20 22:02 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\alles 2008-05-20 21:18 . 2008-05-20 21:18 <DIR> d-------- C:\Programme\MAIET 2008-05-20 17:51 . 2008-05-20 17:51 <DIR> d-------- C:\test 2008-05-19 16:07 . 2008-06-08 17:08 <DIR> d-------- C:\Programme\Steam 2008-05-18 16:23 . 2008-05-18 16:23 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Ahead 2008-05-17 15:35 . 2003-12-27 23:24 45,312 --a------ C:\WINDOWS\system32\drivers\PVR5910.sys 2008-05-16 15:56 . 2008-05-16 16:52 <DIR> d--h----- C:\MyS2GApp 2008-05-12 17:06 . 2008-05-12 17:14 <DIR> d-------- C:\Programme\XMedia Recode 2008-05-12 16:55 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll 2008-05-12 16:55 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe 2008-05-12 16:55 . 
2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll 2008-05-12 16:55 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll 2008-05-12 16:55 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe 2008-05-12 16:55 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe 2008-05-12 16:55 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll 2008-05-12 16:55 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll 2008-05-12 16:55 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe 2008-05-12 16:55 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll 2008-05-12 16:53 . 2008-05-12 16:53 <DIR> d-------- C:\Programme\eRightSoft 2008-05-12 15:37 . 2008-05-17 16:26 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\dwhelper 2008-05-11 14:50 . 2008-05-11 14:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2008-05-10 19:25 . 2008-05-11 16:06 <DIR> d-------- C:\Programme\Punch! 2008-05-10 12:51 . 2008-05-25 13:37 <DIR> d-------- C:\Programme\StealthNet 2008-05-10 12:17 . 2008-05-10 12:17 <DIR> d-------- C:\Programme\Sonavis 2008-05-10 12:17 . 2008-05-10 12:17 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Sonavis 2008-05-10 12:17 . 2008-05-10 12:17 <DIR> d-------- C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Sonavis 2008-05-10 12:17 . 2008-05-10 12:17 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sonavis (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-06-09 16:32 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP 2008-06-03 16:58 --------- d-----w C:\Programme\Mozilla Firefox 3 Beta 2 2008-06-03 08:55 --------- d-sh--w C:\Programme\KGB 2008-06-03 05:34 --------- d-sh--w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MPK 2008-06-02 21:34 --------- d-----w C:\Programme\SuperScan 2008-05-25 11:37 --------- d-----w C:\Programme\DivX 2008-05-23 07:45 --------- d-----w C:\Programme\Thoosje Sidebar V2.3 2008-05-21 11:32 --------- d--h--w C:\Programme\InstallShield Installation Information 2008-05-19 06:46 --------- d-----w C:\Programme\Unlocker 2008-05-17 08:55 --------- d-----w C:\Programme\GratisSMS 2008-05-11 09:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Elecard 2008-05-08 10:44 --------- d-----w C:\Programme\jv16 PowerTools 2008-05-06 15:25 --------- d-----w C:\Programme\Bertelsmann DAS PHOTO DigitalPhotoService 2008-05-06 14:36 --------- d-----w C:\Programme\Sony Ericsson 2008-05-03 17:59 --------- d-----w C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\MyPhoneExplorer 2008-05-03 08:10 --------- d-----w C:\Programme\Passware 2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys 2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys 2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys 2008-04-28 16:40 --------- d-----w C:\Programme\CDopen 2008-04-28 12:10 159,744 ----a-w C:\WINDOWS\LgxSetup.exe 2008-04-28 12:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Logox.4.0 2008-04-28 12:07 --------- d-----w C:\Programme\Gemeinsame Dateien\WebSpeech.4.0 2008-04-26 18:31 --------- d-----w C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\tor 2008-04-26 11:48 --------- d-----w C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Browzar 2008-04-26 11:29 --------- d-----w C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Tor 2008-04-26 11:27 --------- d-----w C:\Programme\Vidalia 
Bundle 2008-04-26 09:53 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2008-04-26 09:53 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf 2008-04-26 08:50 20,520 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys 2008-04-26 08:50 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys 2008-04-26 08:50 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll 2008-04-26 08:49 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony Ericsson 2008-04-25 15:05 15,211 ----a-w C:\WINDOWS\system32\Data_1.bin 2008-04-25 14:02 --------- d-----w C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\ArcSoft 2008-04-25 14:00 --------- d-----w C:\Programme\PhotoScape 2008-04-24 18:08 --------- d-----w C:\Programme\Logon Loader 2008-04-24 17:10 2,324,736 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-04-24 17:10 2,324,736 ----a-w C:\WINDOWS\system32\LOGOOS.EXE 2008-04-23 16:53 --------- d-----w C:\Programme\BootXP2 2008-04-23 15:36 --------- d-----w C:\Programme\TaskSwitchXP 2008-04-23 14:24 --------- d-----w C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\ViStart 2008-04-23 13:53 --------- d-----w C:\Programme\TopDesk Trial 2008-04-21 14:24 --------- d-----w C:\Programme\Jowood 2008-04-15 15:02 --------- d-----w C:\Programme\Ateksoft 2008-04-14 13:40 --------- d-----w C:\Programme\Classroom Spy Pro 2008-04-14 12:02 --------- d-----w C:\Programme\HideWizard 2008-04-13 16:56 --------- d-----w C:\Programme\VR-NetWorld 2008-04-13 11:42 --------- d-----w C:\Programme\Windows Media-Komponenten 2008-04-13 09:14 --------- d-----w C:\Programme\Bluetooth Remote Control 2008-04-12 14:07 --------- d-----w C:\Programme\WHidePro 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-20 07:56 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-17 13:16 126,976 ----a-w C:\WINDOWS\sleep.exe 2008-03-15 10:35 36,728 ----a-w 
C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2007-11-23 11:02 11,671 ----a-w C:\Programme\cpuz-readme.txt
2007-09-04 12:57 147 ----a-w C:\Programme\cpuz.ini
2006-11-29 13:03 44,111 ----a-w C:\Programme\Piranha.RPT
2005-03-25 16:08 49,152 ----a-w C:\Programme\latency.exe
2005-02-13 19:07 251,663 ------w C:\Programme\minirt24.gz
2005-01-16 08:40 1,944 ------r C:\Programme\syslinux.cfg
2004-08-22 08:55 24,398 ------r C:\Programme\logo.16
2004-06-04 07:43 7,836 ------r C:\Programme\ldlinux.sys
2004-06-03 09:00 85 ------r C:\Programme\boot.msg
2004-06-03 08:59 256 ------r C:\Programme\german.kbd
2002-10-19 02:41 295,715 ----a-w C:\Programme\hip_en.exe
2002-10-19 01:51 403,183 ----a-w C:\Programme\winhip_en.exe
2002-10-19 01:36 29,139 ----a-w C:\Programme\hip.htm
2002-10-19 01:36 28,194 ----a-w C:\Programme\hip.txt
2001-02-08 12:52 24,576 --sha-w C:\WINDOWS\system32\comsysh.exe
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.
------- Sigcheck -------
2005-01-04 22:06 2181888 6cc1b14e5a791cdf0b78f1ff6969e125 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2004-08-04 14:00 2183296 dc888c9c4ca0eea7a3cb7e6b610f75c7 C:\WINDOWS\$NtUninstallKB891070$\ntoskrnl.exe
2005-03-02 20:11 2181888 eb5538a452e0e99169e2b6cdb62ff9d2 C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 20:43 2184320 00c476049fecf1d3a05c783015b9b518 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 18:06 2184448 e1de7a10d46959560c3b617227d95c19 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2008-04-24 19:10 2324736 ffd71a700185d87156f5585176c94673 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 18:06 2184448 e1de7a10d46959560c3b617227d95c19 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-02-13 15:18 23552 1ea6f0ab57ce0e11a8721073491f575f C:\WINDOWS\system32\ctfmon.exe
2008-02-13 15:18 23552 1ea6f0ab57ce0e11a8721073491f575f C:\WINDOWS\system32\dllcache\ctfmon.exe
.
(((((((((((((((((((((((((((( Registry autostart entries ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35009B6F-9C1B-40AE-8D7F-C42B8B6C6081}]
C:\WINDOWS\system32\nnnnMDUM.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4832f203-2104-4705-b473-9f7739e59bbc}]
C:\WINDOWS\system32\hrfosbfv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C"="" []
"WMPNSCFG"="C:\Programme\Windows Media Player\WMPNSCFG.exe" [2006-11-03 10:56 204288]
"RoboForm"="C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-06-07 23:51 160592]
"b306a"="c:\programme\siabqlvfjskoh\jgwopez.exe" [2006-03-18 13:49 1562264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\PROGRAMME\A-SQUARED HIJACKFREE"="" []
"b306a"="c:\programme\siabqlvfjskoh\jgwopez.exe" [2006-03-18 13:49 1562264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="%windir%\\Resources\\LogonUI\\black-vistaII\\logonui.exe"

dirdat.txt:
Volume in drive C has no label.
Volumeseriennummer: 94D0-75E2 Verzeichnis von c:\ 2008-06-10 13:32 0 dirdat.txt 2008-06-10 13:29 1,332,793,344 hiberfil.sys 2008-06-10 13:29 4,293,918,720 pagefile.sys 2008-06-03 14:08 8,224 GDIPFONTCACHEV1.DAT 2008-06-01 15:02 100 index.ini 2008-05-27 16:32 67,177 fireshot_dbg.txt 2008-05-27 16:32 4,871 mozlog.txt 2008-05-10 17:10 97 RTSPNetSrc.log 2008-04-30 19:39 74 Dokumente 2008-04-24 16:37 192 boot.ini 2008-02-11 21:00 213 BOOT.BXP 2008-01-10 18:32 2,315 param_calc.txt 2008-01-10 18:26 0 cit2.txt 2007-11-24 01:19 1,236,992 cpuz.exe 2007-11-23 13:02 11,671 cpuz-readme.txt 2007-11-16 22:59 1,024 .rnd Verzeichnis von C:\WINDOWS\system32 2008-06-10 13:31 2,206 wpa.dbl 2008-06-10 13:29 0 bdss.log 2008-06-10 06:33 81,984 bdod.bin 2008-06-03 18:42 230 spupdsvc.inf 2008-06-03 18:17 0 clkcnt.txt 2008-05-28 09:10 45,056 vav.cpl 2008-05-25 14:17 406,328 perfh009.dat 2008-05-25 14:17 63,528 perfc009.dat 2008-05-25 14:17 421,618 perfh007.dat 2008-05-25 14:17 76,906 perfc007.dat 2008-05-25 14:17 980,900 PerfStringBackup.INI 2008-05-25 14:06 492 oeminfo.ini 2008-05-20 20:32 550 runkgb.lnk 2008-05-16 19:53 219,648 uxtheme.ubx 2008-05-11 14:50 552 d3d8caps.dat 2008-05-09 23:35 16,863,864 MRT.exe 2008-04-26 10:50 1,419,232 wdfcoinstaller01005.dll 2008-04-25 17:06 35,488 Bitmap_66.bmp 2008-04-25 17:06 7,256 Bitmap_65.bmp 2008-04-25 17:06 4,856 Bitmap_64.bmp 2008-04-25 17:06 1,416 Bitmap_63.bmp 2008-04-25 17:06 35,488 Bitmap_62.bmp 2008-04-25 17:06 2,136 Bitmap_61.bmp 2008-04-25 17:06 13,510 Bitmap_59.bmp 2008-04-25 17:06 2,136 Bitmap_60.bmp 2008-04-25 17:06 6,966 Bitmap_58.bmp 2008-04-25 17:06 13,510 Bitmap_57.bmp 2008-04-25 17:06 16,888 Bitmap_56.bmp 2008-04-25 17:06 17,266 Bitmap_55.bmp 2008-04-25 17:06 938 Bitmap_54.bmp 2008-04-25 17:06 938 Bitmap_53.bmp 2008-04-25 17:06 2,136 Bitmap_52.bmp 2008-04-25 17:06 2,136 Bitmap_51.bmp 2008-04-25 17:06 2,406 Bitmap_50.bmp 2008-04-25 17:06 2,406 Bitmap_49.bmp 2008-04-25 17:06 2,136 Bitmap_48.bmp 2008-04-25 17:06 2,136 Bitmap_47.bmp 
2008-04-25 17:06 1,344 Bitmap_46.bmp 2008-04-25 17:06 1,036,854 Bitmap_45.bmp 2008-04-25 17:05 35,488 Bitmap_44.bmp 2008-04-25 17:05 7,256 Bitmap_43.bmp 2008-04-25 17:05 4,856 Bitmap_42.bmp 2008-04-25 17:05 1,416 Bitmap_41.bmp 2008-04-25 17:05 2,136 Bitmap_39.bmp 2008-04-25 17:05 35,488 Bitmap_40.bmp 2008-04-25 17:05 2,136 Bitmap_38.bmp 2008-04-25 17:05 13,510 Bitmap_37.bmp 2008-04-25 17:05 6,966 Bitmap_36.bmp 2008-04-25 17:05 13,510 Bitmap_35.bmp 2008-04-25 17:05 16,888 Bitmap_34.bmp 2008-04-25 17:05 17,266 Bitmap_33.bmp 2008-04-25 17:05 938 Bitmap_32.bmp 2008-04-25 17:05 938 Bitmap_31.bmp 2008-04-25 17:05 2,136 Bitmap_30.bmp 2008-04-25 17:05 2,136 Bitmap_29.bmp 2008-04-25 17:05 2,406 Bitmap_28.bmp 2008-04-25 17:05 2,406 Bitmap_27.bmp 2008-04-25 17:05 2,136 Bitmap_26.bmp 2008-04-25 17:05 2,136 Bitmap_25.bmp 2008-04-25 17:05 1,344 Bitmap_24.bmp 2008-04-25 17:05 1,036,854 Bitmap_23.bmp 2008-04-25 17:05 15,211 Data_1.bin 2008-04-25 17:02 35,488 Bitmap_22.bmp 2008-04-25 17:02 7,256 Bitmap_21.bmp 2008-04-25 17:02 4,856 Bitmap_20.bmp 2008-04-25 17:02 1,416 Bitmap_19.bmp 2008-04-25 17:02 2,136 Bitmap_17.bmp 2008-04-25 17:02 35,488 Bitmap_18.bmp 2008-04-25 17:02 13,510 Bitmap_15.bmp 2008-04-25 17:02 2,136 Bitmap_16.bmp 2008-04-25 17:02 6,966 Bitmap_14.bmp 2008-04-25 17:02 13,510 Bitmap_13.bmp 2008-04-25 17:02 16,888 Bitmap_12.bmp 2008-04-25 17:02 938 Bitmap_10.bmp 2008-04-25 17:02 17,266 Bitmap_11.bmp 2008-04-25 17:02 938 Bitmap_9.bmp 2008-04-25 17:02 2,136 Bitmap_8.bmp 2008-04-25 17:02 2,406 Bitmap_6.bmp 2008-04-25 17:02 2,136 Bitmap_7.bmp 2008-04-25 17:02 2,136 Bitmap_4.bmp 2008-04-25 17:02 2,136 Bitmap_3.bmp 2008-04-25 17:02 2,406 Bitmap_5.bmp 2008-04-25 17:02 1,036,854 Bitmap_1.bmp 2008-04-25 17:02 1,344 Bitmap_2.bmp 2008-04-24 19:10 2,324,736 ntoskrnl.exe 2008-04-24 19:10 2,324,736 LOGOOS.EXE 2008-04-10 13:31 162,728 FNTCACHE.DAT 2008-04-04 16:01 6,641 jupdate-1.6.0_05-b13.log 2008-03-25 18:46 109,248 MSWINSCK.OCX 2008-03-25 06:51 187,168 msjint40.dll VBG: 
[06/10/2008, 6:36:52] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Matthias\Desktop\VirtumundoBeGone.exe" )
[06/10/2008, 6:37:05] - Detected System Information:
[06/10/2008, 6:37:05] - Windows Version: 5.1.2600, Service Pack 2
[06/10/2008, 6:37:05] - Current Username: Matthias (Admin)
[06/10/2008, 6:37:05] - Windows is in SAFE mode with Networking.
[06/10/2008, 6:37:05] - Searching for Browser Helper Objects:
[06/10/2008, 6:37:05] - BHO 1: {35009B6F-9C1B-40AE-8D7F-C42B8B6C6081} ()
[06/10/2008, 6:37:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 6:37:05] - Checking for HKLM\...\Winlogon\Notify\nnnnMDUM
[06/10/2008, 6:37:05] - Key not found: HKLM\...\Winlogon\Notify\nnnnMDUM, continuing.
[06/10/2008, 6:37:05] - BHO 2: {4832f203-2104-4705-b473-9f7739e59bbc} ()
[06/10/2008, 6:37:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 6:37:05] - Checking for HKLM\...\Winlogon\Notify\hrfosbfv
[06/10/2008, 6:37:05] - Key not found: HKLM\...\Winlogon\Notify\hrfosbfv, continuing.
[06/10/2008, 6:37:05] - BHO 3: {724d43a9-0d85-11d4-9908-00400523e39a} ()
[06/10/2008, 6:37:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 6:37:05] - Checking for HKLM\...\Winlogon\Notify\roboform
[06/10/2008, 6:37:05] - Key not found: HKLM\...\Winlogon\Notify\roboform, continuing.
[06/10/2008, 6:37:05] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/10/2008, 6:37:05] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} ()
[06/10/2008, 6:37:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/10/2008, 6:37:05] - No filename found. Continuing.
[06/10/2008, 6:37:05] - BHO 6: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/10/2008, 6:37:05] - BHO 7: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[06/10/2008, 6:37:05] - Finished Searching Browser Helper Objects
[06/10/2008, 6:37:05] - Finishing up...
[06/10/2008, 6:37:05] - Nothing found! Exiting...

FixVundo:
Symantec Trojan.Vundo Removal Tool 1.5.0
C:\Dokumente und Einstellungen\Fuß: (not scanned)
D:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.
12.06.2008, 16:23 | #19
setup.exe blocked

Hi,
there is a keylogger installed (deliberately?): C:\Programme\KGB (hidden, system). Config here: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MPK (also hidden). Is that intentional?

The gmer log (rootkit scan) is missing from the ComboFix run; FixVundo is missing completely (attach it, or spread it across several posts)...

Rootkit scan: follow the link given, download all the scanners in advance, print out the instructions, go offline and run the scans as instructed. Then post each of the logs!
Anleitung Rootkit - Scanner (Blacklight, Rootkitrevealer, Sophos Anti Rootkit, Gmer) - Sicherheits FAQ's - Computer Forum - PC Forum - Windows Forum

The following files also caught my eye; I can't clearly place them (hidden, system):
2001-02-08 12:52 24,576 --sha-w C:\WINDOWS\system32\comsysh.exe
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
Please have those checked online again.

Did you have the following files checked online? (I can't find the log):
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ctfmon.exe

chris
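The two things chris does by eye in the reply above can be scripted: pick the entries in ComboFix's Find3M section that carry both the hidden and system attributes, and compare the MD5 that ComboFix's Sigcheck section reports for the live copy of a system file against the copies in system32\dllcache and Driver Cache\i386. The following is an added example, not code from the thread, from ComboFix or from VirusTotal. The sample lines are copied from the log in post #18; the rule that the dllcache and Driver Cache copies serve as the baseline is this example's own assumption, and VT_MD5_NTOSKRNL is the MD5 VirusTotal prints in the following reply, used only to confirm that the file uploaded there is the same one ComboFix hashed. A mismatch is what justifies the online check; it is not a verdict on its own, and the VirusTotal result in the next post shows no detections for that file.

```python
"""Triage helpers for a pasted ComboFix log (added example, not ComboFix code).

Assumption of this example: the copies under system32\\dllcache and
Driver Cache\\i386 are treated as the trusted baseline for a system file.
"""
import re
from collections import defaultdict

# Sample lines copied from the Sigcheck and Find3M sections of the log in #18.
SIGCHECK_SAMPLE = r"""
2005-01-04 22:06 2181888 6cc1b14e5a791cdf0b78f1ff6969e125 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2007-02-28 18:06 2184448 e1de7a10d46959560c3b617227d95c19 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2008-04-24 19:10 2324736 ffd71a700185d87156f5585176c94673 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 18:06 2184448 e1de7a10d46959560c3b617227d95c19 C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-02-13 15:18 23552 1ea6f0ab57ce0e11a8721073491f575f C:\WINDOWS\system32\ctfmon.exe
2008-02-13 15:18 23552 1ea6f0ab57ce0e11a8721073491f575f C:\WINDOWS\system32\dllcache\ctfmon.exe
"""

FIND3M_SAMPLE = r"""
2008-06-03 08:55 --------- d-sh--w C:\Programme\KGB
2008-06-03 05:34 --------- d-sh--w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MPK
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2001-02-08 12:52 24,576 --sha-w C:\WINDOWS\system32\comsysh.exe
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2008-03-17 13:16 126,976 ----a-w C:\WINDOWS\sleep.exe
"""

# MD5 that VirusTotal reported for the uploaded ntoskrnl.exe (post #20).
VT_MD5_NTOSKRNL = "ffd71a700185d87156f5585176c94673"

# Sigcheck rows: date, size, md5, path (paths may contain spaces).
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+?)\s*$")
# Find3M rows: date, size (or dashes for a directory), attribute string, path.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+|-+)\s+([-dshawr]{7,9})\s+(.+?)\s*$")


def parse_sigcheck(text):
    """Return one dict per Sigcheck row: date, size, md5 (lower-case), path."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rows.append({"date": m[1], "size": int(m[2]),
                         "md5": m[3].lower(), "path": m[4]})
    return rows


def is_reference_copy(path):
    """Baseline copies (assumption of this example): dllcache and Driver Cache."""
    p = path.lower()
    return "\\dllcache\\" in p or "\\driver cache\\" in p


def sigcheck_mismatches(text):
    """Live system32 files whose MD5 differs from every baseline copy.

    Uninstall backups ($NtUninstallKB...$) are ignored: they are expected
    to differ from the current file.
    """
    groups = defaultdict(lambda: {"live": [], "ref": []})
    for row in parse_sigcheck(text):
        name = row["path"].rsplit("\\", 1)[-1].lower()
        if is_reference_copy(row["path"]):
            groups[name]["ref"].append(row)
        elif "\\system32\\" in row["path"].lower():
            groups[name]["live"].append(row)
    result = {}
    for name, g in groups.items():
        ref_md5s = sorted({r["md5"] for r in g["ref"]})
        for live in g["live"]:
            if ref_md5s and live["md5"] not in ref_md5s:
                result[name] = {"live_md5": live["md5"],
                                "live_size": live["size"],
                                "reference_md5s": ref_md5s}
    return result


def hidden_system_entries(text):
    """Paths in the Find3M section carrying both the hidden and system attributes."""
    hits = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m and "h" in m[3] and "s" in m[3]:
            hits.append(m[4])
    return hits


def submitted_copy_matches(text, path_suffix, online_md5):
    """True/False if the Sigcheck MD5 of the file ending in path_suffix equals
    the MD5 the online scanner reported; None if the file is not listed."""
    for row in parse_sigcheck(text):
        if row["path"].lower().endswith(path_suffix.lower()):
            return row["md5"] == online_md5.lower()
    return None


if __name__ == "__main__":
    for name, info in sigcheck_mismatches(SIGCHECK_SAMPLE).items():
        print(f"{name}: live {info['live_md5']} ({info['live_size']} bytes) "
              f"vs baseline {', '.join(info['reference_md5s'])}")
    for path in hidden_system_entries(FIND3M_SAMPLE):
        print("hidden+system:", path)
    print("VirusTotal hash matches ComboFix hash:",
          submitted_copy_matches(SIGCHECK_SAMPLE, r"system32\ntoskrnl.exe", VT_MD5_NTOSKRNL))
```

Run against the sample, this flags system32\ntoskrnl.exe (2324736 bytes, MD5 ffd71a70...) against the 2184448-byte dllcache and Driver Cache copies, lists KGB, MPK and the four system32 files chris asked about as hidden+system, and confirms the VirusTotal MD5 is the same file. ctfmon.exe matches its dllcache copy and is not reported. To use it on a real log, paste the full Sigcheck and Find3M sections in place of the samples.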
13.06.2008, 14:59 | #20
setup.exe blocked

I installed the keylogger on purpose. I once wrote 7 pages in Word and then the PC crashed; a keylogger like that can be handy too.

Here are the VirusTotal scans:

ntoskrnl.exe:
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5871 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 -

Additional information
File size: 2324736 bytes
MD5...: ffd71a700185d87156f5585176c94673
SHA1..: ef6c4fa49ee6f466f155feebe15325f89ee2878a
SHA256: 7ed8d0058886d91cf8e1daaebebecdb07d7ebc0302a93b79dd9b80383641f610
SHA512: d393caf57d9bbaec2cdaf2681dad61a34d23e4615a06cc98fa49dd377a3c4d42b7b4ddcc4578b67fd3e1d791435b8581c36b20b33636b7f95bf73928caaef3c0
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x5d5cf6 timedatestamp.....: 0x45e55172 (Wed Feb 28 09:54:58 2007) machinetype.......: 0x14c (I386) ( 21 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x580 0x71be1 0x71c00 6.62 ea363965bb9c8b6f3c1f2f13c0379e9c POOLMI 0x72180 0x12b3 0x1300 6.32 b35f76aaa61aacdcbd79da4c5ab00aa8 MISYSPTE 0x73480 0x700 0x700 6.27 edd9962ea2e18becbf32fd9ae7c23c3e POOLCODE 0x73b80 0x15a0 0x1600 6.41
b2856070ca09ab32663da786c9bce17b .data 0x75180 0x16d00 0x16d00 0.46 4ab92b66aa9e07a87be803f71866e4a2 PAGE 0x8be80 0xf91bc 0xf9200 6.65 93088e771a476920c6dc0e5a62d3ab6d PAGELK 0x185080 0xe3d9 0xe400 6.72 734014999565eea4502c9ce324bf230c PAGEVRFY 0x193480 0xf1cd 0xf200 6.68 8c98d4384180878da0a5b44d85efd3c5 PAGEWMI 0x1a2680 0x17fd 0x1800 6.48 da9d1cedbbb924a11196cfbc039d285a PAGEKD 0x1a3e80 0x4052 0x4080 6.51 e90a2fc448f65cb35e800bcf54778b32 PAGESPEC 0x1a7f00 0xc43 0xc80 6.32 bbbb608db0966a33d2dd3c6edc5d45e8 PAGEHDLS 0x1a8b80 0x1dd8 0x1e00 6.25 79b9d594fabe67b806e74c67b250158e .edata 0x1aa980 0xb57d 0xb580 6.01 7640a411c8c7b1740f99fa17cf557566 PAGEDATA 0x1b5f00 0x1558 0x1580 2.72 c51d8ed56ecf02db41104a7abdbb8f12 PAGEKD 0x1b7480 0xc021 0xc080 0.00 1bfa57725018607d4ccc71b6fcab69e5 PAGECONS 0x1c3500 0x18c 0x200 2.14 6743bab2b1df17c0621465e2a45e3c48 PAGEVRFC 0x1c3700 0x3449 0x3480 5.25 beeff017be4d8ca038c11c35bbb12e2e PAGEVRFD 0x1c6b80 0x648 0x680 2.75 4919acc68846e7f58236dd894856ddfd INIT 0x1c7200 0x2d838 0x2d880 6.52 a515ef3ec5131750300af906c6bfdd90 .rsrc 0x1f4a80 0x33404 0x33480 3.13 edac15bea0c45a14e1cbdee04c85e11b .reloc 0x227f00 0xf9c0 0xfa00 6.78 a170c20ccdecf1a56ab53b85f9243344 ( 3 imports ) > BOOTVID.dll: VidInitialize, VidDisplayString, VidSetTextColor, VidSolidColorFill, VidBitBlt, VidBufferToScreenBlt, VidScreenToBufferBlt, VidResetDisplay, VidCleanUp, VidSetScrollRegion > HAL.dll: HalReportResourceUsage, HalAllProcessorsStarted, HalQueryRealTimeClock, HalAllocateAdapterChannel, KeStallExecutionProcessor, HalTranslateBusAddress, KfReleaseSpinLock, KfAcquireSpinLock, HalGetBusDataByOffset, HalSetBusDataByOffset, KeQueryPerformanceCounter, HalReturnToFirmware, READ_PORT_UCHAR, READ_PORT_USHORT, READ_PORT_ULONG, WRITE_PORT_UCHAR, WRITE_PORT_USHORT, WRITE_PORT_ULONG, HalInitializeProcessor, HalCalibratePerformanceCounter, HalSetRealTimeClock, HalHandleNMI, HalBeginSystemInterrupt, HalEndSystemInterrupt, KeRaiseIrqlToSynchLevel, 
KeAcquireInStackQueuedSpinLockRaiseToSynch, HalInitSystem, HalDisableSystemInterrupt, HalEnableSystemInterrupt, KeRaiseIrql, KeLowerIrql, HalClearSoftwareInterrupt, KeReleaseSpinLock, KeAcquireSpinLock, ExTryToAcquireFastMutex, KeAcquireSpinLockRaiseToSynch, KeFlushWriteBuffer, HalProcessorIdle, HalReadDmaCounter, IoMapTransfer, IoFreeMapRegisters, IoFreeAdapterChannel, IoFlushAdapterBuffers, HalFreeCommonBuffer, HalAllocateCommonBuffer, HalAllocateCrashDumpRegisters, HalGetAdapter, HalSetTimeIncrement, HalGetEnvironmentVariable, HalSetEnvironmentVariable, KfRaiseIrql, HalGetInterruptVector, KeGetCurrentIrql, HalRequestSoftwareInterrupt, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, ExAcquireFastMutex, ExReleaseFastMutex, KeRaiseIrqlToDpcLevel, HalSystemVectorDispatchEntry, KfLowerIrql, HalStartProfileInterrupt, HalSetProfileInterval, HalStopProfileInterrupt > KDCOM.dll: KdD0Transition, KdD3Transition, KdRestore, KdReceivePacket, KdDebuggerInitialize0, KdSave, KdDebuggerInitialize1, KdSendPacket ( 1486 exports ) CcCanIWrite, CcCopyRead, CcCopyWrite, CcDeferWrite, CcFastCopyRead, CcFastCopyWrite, CcFastMdlReadWait, CcFastReadNotPossible, CcFastReadWait, CcFlushCache, CcGetDirtyPages, CcGetFileObjectFromBcb, CcGetFileObjectFromSectionPtrs, CcGetFlushedValidData, CcGetLsnForFileObject, CcInitializeCacheMap, CcIsThereDirtyData, CcMapData, CcMdlRead, CcMdlReadComplete, CcMdlWriteAbort, CcMdlWriteComplete, CcPinMappedData, CcPinRead, CcPrepareMdlWrite, CcPreparePinWrite, CcPurgeCacheSection, CcRemapBcb, CcRepinBcb, CcScheduleReadAhead, CcSetAdditionalCacheAttributes, CcSetBcbOwnerPointer, CcSetDirtyPageThreshold, CcSetDirtyPinnedData, CcSetFileSizes, CcSetLogHandleForFile, CcSetReadAheadGranularity, CcUninitializeCacheMap, CcUnpinData, CcUnpinDataForThread, CcUnpinRepinnedBcb, CcWaitForCurrentLazyWriterActivity, CcZeroData, CmRegisterCallback, CmUnRegisterCallback, DbgBreakPoint, DbgBreakPointWithStatus, DbgLoadImageSymbols, DbgPrint, DbgPrintEx, 
DbgPrintReturnControlC, DbgPrompt, DbgQueryDebugFilterState, DbgSetDebugFilterState, ExAcquireFastMutexUnsafe, ExAcquireResourceExclusiveLite, ExAcquireResourceSharedLite, ExAcquireRundownProtection, ExAcquireRundownProtectionEx, ExAcquireSharedStarveExclusive, ExAcquireSharedWaitForExclusive, ExAllocateFromPagedLookasideList, ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority, ExConvertExclusiveToSharedLite, ExCreateCallback, ExDeleteNPagedLookasideList, ExDeletePagedLookasideList, ExDeleteResourceLite, ExDesktopObjectType, ExDisableResourceBoostLite, ExEnumHandleTable, ExEventObjectType, ExExtendZone, ExFreePool, ExFreePoolWithTag, ExFreeToPagedLookasideList, ExGetCurrentProcessorCounts, ExGetCurrentProcessorCpuUsage, ExGetExclusiveWaiterCount, ExGetPreviousMode, ExGetSharedWaiterCount, ExInitializeNPagedLookasideList, ExInitializePagedLookasideList, ExInitializeResourceLite, ExInitializeRundownProtection, ExInitializeZone, ExInterlockedAddLargeInteger, ExInterlockedAddLargeStatistic, ExInterlockedAddUlong, ExInterlockedCompareExchange64, ExInterlockedDecrementLong, ExInterlockedExchangeUlong, ExInterlockedExtendZone, ExInterlockedFlushSList, ExInterlockedIncrementLong, ExInterlockedInsertHeadList, ExInterlockedInsertTailList, ExInterlockedPopEntryList, ExInterlockedPopEntrySList, ExInterlockedPushEntryList, ExInterlockedPushEntrySList, ExInterlockedRemoveHeadList, ExIsProcessorFeaturePresent, ExIsResourceAcquiredExclusiveLite, ExIsResourceAcquiredSharedLite, ExLocalTimeToSystemTime, ExNotifyCallback, ExQueryPoolBlockSize, ExQueueWorkItem, ExRaiseAccessViolation, ExRaiseDatatypeMisalignment, ExRaiseException, ExRaiseHardError, ExRaiseStatus, ExReInitializeRundownProtection, ExRegisterCallback, ExReinitializeResourceLite, ExReleaseFastMutexUnsafe, ExReleaseResourceForThreadLite, ExReleaseResourceLite, ExReleaseRundownProtection, ExReleaseRundownProtectionEx, ExRundownCompleted, 
ExSemaphoreObjectType, ExSetResourceOwnerPointer, ExSetTimerResolution, ExSystemExceptionFilter, ExSystemTimeToLocalTime, ExUnregisterCallback, ExUuidCreate, ExVerifySuite, ExWaitForRundownProtectionRelease, ExWindowStationObjectType, ExfAcquirePushLockExclusive, ExfAcquirePushLockShared, ExfInterlockedAddUlong, ExfInterlockedCompareExchange64, ExfInterlockedInsertHeadList, ExfInterlockedInsertTailList, ExfInterlockedPopEntryList, ExfInterlockedPushEntryList, ExfInterlockedRemoveHeadList, ExfReleasePushLock, Exfi386InterlockedDecrementLong, Exfi386InterlockedExchangeUlong, Exfi386InterlockedIncrementLong, Exi386InterlockedDecrementLong, Exi386InterlockedExchangeUlong, Exi386InterlockedIncrementLong, FsRtlAcquireFileExclusive, FsRtlAddLargeMcbEntry, FsRtlAddMcbEntry, FsRtlAddToTunnelCache, FsRtlAllocateFileLock, FsRtlAllocatePool, FsRtlAllocatePoolWithQuota, FsRtlAllocatePoolWithQuotaTag, FsRtlAllocatePoolWithTag, FsRtlAllocateResource, FsRtlAreNamesEqual, FsRtlBalanceReads, FsRtlCheckLockForReadAccess, FsRtlCheckLockForWriteAccess, FsRtlCheckOplock, FsRtlCopyRead, FsRtlCopyWrite, FsRtlCreateSectionForDataScan, FsRtlCurrentBatchOplock, FsRtlDeleteKeyFromTunnelCache, FsRtlDeleteTunnelCache, FsRtlDeregisterUncProvider, FsRtlDissectDbcs, FsRtlDissectName, FsRtlDoesDbcsContainWildCards, FsRtlDoesNameContainWildCards, FsRtlFastCheckLockForRead, FsRtlFastCheckLockForWrite, FsRtlFastUnlockAll, FsRtlFastUnlockAllByKey, FsRtlFastUnlockSingle, FsRtlFindInTunnelCache, FsRtlFreeFileLock, FsRtlGetFileSize, FsRtlGetNextFileLock, FsRtlGetNextLargeMcbEntry, FsRtlGetNextMcbEntry, FsRtlIncrementCcFastReadNoWait, FsRtlIncrementCcFastReadNotPossible, FsRtlIncrementCcFastReadResourceMiss, FsRtlIncrementCcFastReadWait, FsRtlInitializeFileLock, FsRtlInitializeLargeMcb, FsRtlInitializeMcb, FsRtlInitializeOplock, FsRtlInitializeTunnelCache, FsRtlInsertPerFileObjectContext, FsRtlInsertPerStreamContext, FsRtlIsDbcsInExpression, FsRtlIsFatDbcsLegal, FsRtlIsHpfsDbcsLegal, 
FsRtlIsNameInExpression, FsRtlIsNtstatusExpected, FsRtlIsPagingFile, FsRtlIsTotalDeviceFailure, FsRtlLegalAnsiCharacterArray, FsRtlLookupLargeMcbEntry, FsRtlLookupLastLargeMcbEntry, FsRtlLookupLastLargeMcbEntryAndIndex, FsRtlLookupLastMcbEntry, FsRtlLookupMcbEntry, FsRtlLookupPerFileObjectContext, FsRtlLookupPerStreamContextInternal, FsRtlMdlRead, FsRtlMdlReadComplete, FsRtlMdlReadCompleteDev, FsRtlMdlReadDev, FsRtlMdlWriteComplete, FsRtlMdlWriteCompleteDev, FsRtlNormalizeNtstatus, FsRtlNotifyChangeDirectory, FsRtlNotifyCleanup, FsRtlNotifyFilterChangeDirectory, FsRtlNotifyFilterReportChange, FsRtlNotifyFullChangeDirectory, FsRtlNotifyFullReportChange, FsRtlNotifyInitializeSync, FsRtlNotifyReportChange, FsRtlNotifyUninitializeSync, FsRtlNotifyVolumeEvent, FsRtlNumberOfRunsInLargeMcb, FsRtlNumberOfRunsInMcb, FsRtlOplockFsctrl, FsRtlOplockIsFastIoPossible, FsRtlPostPagingFileStackOverflow, FsRtlPostStackOverflow, FsRtlPrepareMdlWrite, FsRtlPrepareMdlWriteDev, FsRtlPrivateLock, FsRtlProcessFileLock, FsRtlRegisterFileSystemFilterCallbacks, FsRtlRegisterUncProvider, FsRtlReleaseFile, FsRtlRemoveLargeMcbEntry, FsRtlRemoveMcbEntry, FsRtlRemovePerFileObjectContext, FsRtlRemovePerStreamContext, FsRtlResetLargeMcb, FsRtlSplitLargeMcb, FsRtlSyncVolumes, FsRtlTeardownPerStreamContexts, FsRtlTruncateLargeMcb, FsRtlTruncateMcb, FsRtlUninitializeFileLock, FsRtlUninitializeLargeMcb, FsRtlUninitializeMcb, FsRtlUninitializeOplock, HalDispatchTable, HalExamineMBR, HalPrivateDispatchTable, HeadlessDispatch, InbvAcquireDisplayOwnership, InbvCheckDisplayOwnership, InbvDisplayString, InbvEnableBootDriver, InbvEnableDisplayString, InbvInstallDisplayStringFilter, InbvIsBootDriverInstalled, InbvNotifyDisplayOwnershipLost, InbvResetDisplay, InbvSetScrollRegion, InbvSetTextColor, InbvSolidColorFill, InitSafeBootMode, InterlockedCompareExchange, InterlockedDecrement, InterlockedExchange, InterlockedExchangeAdd, InterlockedIncrement, InterlockedPopEntrySList, InterlockedPushEntrySList, 
IoAcquireCancelSpinLock, IoAcquireRemoveLockEx, IoAcquireVpbSpinLock, IoAdapterObjectType, IoAllocateAdapterChannel, IoAllocateController, IoAllocateDriverObjectExtension, IoAllocateErrorLogEntry, IoAllocateIrp, IoAllocateMdl, IoAllocateWorkItem, IoAssignDriveLetters, IoAssignResources, IoAttachDevice, IoAttachDeviceByPointer, IoAttachDeviceToDeviceStack, IoAttachDeviceToDeviceStackSafe, IoBuildAsynchronousFsdRequest, IoBuildDeviceIoControlRequest, IoBuildPartialMdl, IoBuildSynchronousFsdRequest, IoCallDriver, IoCancelFileOpen, IoCancelIrp, IoCheckDesiredAccess, IoCheckEaBufferValidity, IoCheckFunctionAccess, IoCheckQuerySetFileInformation, IoCheckQuerySetVolumeInformation, IoCheckQuotaBufferValidity, IoCheckShareAccess, IoCompleteRequest, IoConnectInterrupt, IoCreateController, IoCreateDevice, IoCreateDisk, IoCreateDriver, IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, IoCreateNotificationEvent, IoCreateStreamFileObject, IoCreateStreamFileObjectEx, IoCreateStreamFileObjectLite, IoCreateSymbolicLink, IoCreateSynchronizationEvent, IoCreateUnprotectedSymbolicLink, IoCsqInitialize, IoCsqInsertIrp, IoCsqRemoveIrp, IoCsqRemoveNextIrp, IoDeleteController, IoDeleteDevice, IoDeleteDriver, IoDeleteSymbolicLink, IoDetachDevice, IoDeviceHandlerObjectSize, IoDeviceHandlerObjectType, IoDeviceObjectType, IoDisconnectInterrupt, IoDriverObjectType, IoEnqueueIrp, IoEnumerateDeviceObjectList, IoEnumerateRegisteredFiltersList, IoFastQueryNetworkAttributes, IoFileObjectType, IoForwardAndCatchIrp, IoForwardIrpSynchronously, IoFreeController, IoFreeErrorLogEntry, IoFreeIrp, IoFreeMdl, IoFreeWorkItem, IoGetAttachedDevice, IoGetAttachedDeviceReference, IoGetBaseFileSystemDeviceObject, IoGetBootDiskInformation, IoGetConfigurationInformation, IoGetCurrentProcess, IoGetDeviceAttachmentBaseRef, IoGetDeviceInterfaceAlias, IoGetDeviceInterfaces, IoGetDeviceObjectPointer, IoGetDeviceProperty, IoGetDeviceToVerify, IoGetDiskDeviceObject, IoGetDmaAdapter, IoGetDriverObjectExtension, 
IoGetFileObjectGenericMapping, IoGetInitialStack, IoGetLowerDeviceObject,
13.06.2008, 15:00 | #21
and the rest of ntoskrnl.exe:
IoGetRelatedDeviceObject, IoGetRequestorProcess, IoGetRequestorProcessId, IoGetRequestorSessionId, IoGetStackLimits, IoGetTopLevelIrp, IoInitializeCrashDump, IoInitializeIrp, IoInitializeRemoveLockEx, IoInitializeTimer, IoInvalidateDeviceRelations, IoInvalidateDeviceState, IoIsFileOriginRemote, IoIsOperationSynchronous, IoIsSystemThread, IoIsValidNameGraftingBuffer, IoIsWdmVersionAvailable, IoMakeAssociatedIrp, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, IoPageRead, IoPnPDeliverServicePowerNotification, IoQueryDeviceDescription, IoQueryFileDosDeviceName, IoQueryFileInformation, IoQueryVolumeInformation, IoQueueThreadIrp, IoQueueWorkItem, IoRaiseHardError, IoRaiseInformationalHardError, IoReadDiskSignature, IoReadOperationCount, IoReadPartitionTable, IoReadPartitionTableEx, IoReadTransferCount, IoRegisterBootDriverReinitialization, IoRegisterDeviceInterface, IoRegisterDriverReinitialization, IoRegisterFileSystem, IoRegisterFsRegistrationChange, IoRegisterLastChanceShutdownNotification, IoRegisterPlugPlayNotification, IoRegisterShutdownNotification, IoReleaseCancelSpinLock, IoReleaseRemoveLockAndWaitEx, IoReleaseRemoveLockEx, IoReleaseVpbSpinLock, IoRemoveShareAccess, IoReportDetectedDevice, IoReportHalResourceUsage, IoReportResourceForDetection, IoReportResourceUsage, IoReportTargetDeviceChange, IoReportTargetDeviceChangeAsynchronous, IoRequestDeviceEject, IoReuseIrp, IoSetCompletionRoutineEx, IoSetDeviceInterfaceState, IoSetDeviceToVerify, IoSetFileOrigin, IoSetHardErrorOrVerifyDevice, IoSetInformation, IoSetIoCompletion, IoSetPartitionInformation, IoSetPartitionInformationEx, IoSetShareAccess, IoSetStartIoAttributes, IoSetSystemPartition, IoSetThreadHardErrorMode, IoSetTopLevelIrp, IoStartNextPacket, IoStartNextPacketByKey, IoStartPacket, IoStartTimer, IoStatisticsLock, IoStopTimer, IoSynchronousInvalidateDeviceRelations, IoSynchronousPageWrite, IoThreadToProcess, IoUnregisterFileSystem, 
IoUnregisterFsRegistrationChange, IoUnregisterPlugPlayNotification, IoUnregisterShutdownNotification, IoUpdateShareAccess, IoValidateDeviceIoControlAccess, IoVerifyPartitionTable, IoVerifyVolume, IoVolumeDeviceToDosName, IoWMIAllocateInstanceIds, IoWMIDeviceObjectToInstanceName, IoWMIExecuteMethod, IoWMIHandleToInstanceName, IoWMIOpenBlock, IoWMIQueryAllData, IoWMIQueryAllDataMultiple, IoWMIQuerySingleInstance, IoWMIQuerySingleInstanceMultiple, IoWMIRegistrationControl, IoWMISetNotificationCallback, IoWMISetSingleInstance, IoWMISetSingleItem, IoWMISuggestInstanceName, IoWMIWriteEvent, IoWriteErrorLogEntry, IoWriteOperationCount, IoWritePartitionTable, IoWritePartitionTableEx, IoWriteTransferCount, IofCallDriver, IofCompleteRequest, KdDebuggerEnabled, KdDebuggerNotPresent, KdDisableDebugger, KdEnableDebugger, KdEnteredDebugger, KdPollBreakIn, KdPowerTransition, Ke386CallBios, Ke386IoSetAccessProcess, Ke386QueryIoAccessMap, Ke386SetIoAccessMap, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeAcquireInterruptSpinLock, KeAcquireSpinLockAtDpcLevel, KeAddSystemServiceTable, KeAreApcsDisabled, KeAttachProcess, KeBugCheck, KeBugCheckEx, KeCancelTimer, KeCapturePersistentThreadState, KeClearEvent, KeConnectInterrupt, KeDcacheFlushCount, KeDelayExecutionThread, KeDeregisterBugCheckCallback, KeDeregisterBugCheckReasonCallback, KeDetachProcess, KeDisconnectInterrupt, KeEnterCriticalRegion, KeEnterKernelDebugger, KeFindConfigurationEntry, KeFindConfigurationNextEntry, KeFlushEntireTb, KeFlushQueuedDpcs, KeGetCurrentThread, KeGetPreviousMode, KeGetRecommendedSharedDataAlignment, KeI386AbiosCall, KeI386AllocateGdtSelectors, KeI386Call16BitCStyleFunction, KeI386Call16BitFunction, KeI386FlatToGdtSelector, KeI386GetLid, KeI386MachineType, KeI386ReleaseGdtSelectors, KeI386ReleaseLid, KeI386SetGdtSelector, KeIcacheFlushCount, KeInitializeApc, KeInitializeDeviceQueue, KeInitializeDpc, KeInitializeEvent, KeInitializeInterrupt, KeInitializeMutant, KeInitializeMutex, KeInitializeQueue, 
KeInitializeSemaphore, KeInitializeSpinLock, KeInitializeTimer, KeInitializeTimerEx, KeInsertByKeyDeviceQueue, KeInsertDeviceQueue, KeInsertHeadQueue, KeInsertQueue, KeInsertQueueApc, KeInsertQueueDpc, KeIsAttachedProcess, KeIsExecutingDpc, KeLeaveCriticalRegion, KeLoaderBlock, KeNumberProcessors, KeProfileInterrupt, KeProfileInterruptWithSource, KePulseEvent, KeQueryActiveProcessors, KeQueryInterruptTime, KeQueryPriorityThread, KeQueryRuntimeThread, KeQuerySystemTime, KeQueryTickCount, KeQueryTimeIncrement, KeRaiseUserException, KeReadStateEvent, KeReadStateMutant, KeReadStateMutex, KeReadStateQueue, KeReadStateSemaphore, KeReadStateTimer, KeRegisterBugCheckCallback, KeRegisterBugCheckReasonCallback, KeReleaseInStackQueuedSpinLockFromDpcLevel, KeReleaseInterruptSpinLock, KeReleaseMutant, KeReleaseMutex, KeReleaseSemaphore, KeReleaseSpinLockFromDpcLevel, KeRemoveByKeyDeviceQueue, KeRemoveByKeyDeviceQueueIfBusy, KeRemoveDeviceQueue, KeRemoveEntryDeviceQueue, KeRemoveQueue, KeRemoveQueueDpc, KeRemoveSystemServiceTable, KeResetEvent, KeRestoreFloatingPointState, KeRevertToUserAffinityThread, KeRundownQueue, KeSaveFloatingPointState, KeSaveStateForHibernate, KeServiceDescriptorTable, KeSetAffinityThread, KeSetBasePriorityThread, KeSetDmaIoCoherency, KeSetEvent, KeSetEventBoostPriority, KeSetIdealProcessorThread, KeSetImportanceDpc, KeSetKernelStackSwapEnable, KeSetPriorityThread, KeSetProfileIrql, KeSetSystemAffinityThread, KeSetTargetProcessorDpc, KeSetTimeIncrement, KeSetTimeUpdateNotifyRoutine, KeSetTimer, KeSetTimerEx, KeStackAttachProcess, KeSynchronizeExecution, KeTerminateThread, KeTickCount, KeUnstackDetachProcess, KeUpdateRunTime, KeUpdateSystemTime, KeUserModeCallback, KeWaitForMultipleObjects, KeWaitForMutexObject, KeWaitForSingleObject, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, Kei386EoiHelper, KiAcquireSpinLock, KiBugCheckData, KiCoprocessorError, KiDeliverApc, KiDispatchInterrupt, KiEnableTimerWatchdog, KiIpiServiceRoutine, 
KiReleaseSpinLock, KiUnexpectedInterrupt, Kii386SpinOnSpinLock, LdrAccessResource, LdrEnumResources, LdrFindResourceDirectory_U, LdrFindResource_U, LpcPortObjectType, LpcRequestPort, LpcRequestWaitReplyPort, LsaCallAuthenticationPackage, LsaDeregisterLogonProcess, LsaFreeReturnBuffer, LsaLogonUser, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, Mm64BitPhysicalAddress, MmAddPhysicalMemory, MmAddVerifierThunks, MmAdjustWorkingSetSize, MmAdvanceMdl, MmAllocateContiguousMemory, MmAllocateContiguousMemorySpecifyCache, MmAllocateMappingAddress, MmAllocateNonCachedMemory, MmAllocatePagesForMdl, MmBuildMdlForNonPagedPool, MmCanFileBeTruncated, MmCommitSessionMappedView, MmCreateMdl, MmCreateSection, MmDisableModifiedWriteOfSection, MmFlushImageSection, MmForceSectionClosed, MmFreeContiguousMemory, MmFreeContiguousMemorySpecifyCache, MmFreeMappingAddress, MmFreeNonCachedMemory, MmFreePagesFromMdl, MmGetPhysicalAddress, MmGetPhysicalMemoryRanges, MmGetSystemRoutineAddress, MmGetVirtualForPhysical, MmGrowKernelStack, MmHighestUserAddress, MmIsAddressValid, MmIsDriverVerifying, MmIsNonPagedSystemAddressValid, MmIsRecursiveIoFault, MmIsThisAnNtAsSystem, MmIsVerifierEnabled, MmLockPagableDataSection, MmLockPagableImageSection, MmLockPagableSectionByHandle, MmMapIoSpace, MmMapLockedPages, MmMapLockedPagesSpecifyCache, MmMapLockedPagesWithReservedMapping, MmMapMemoryDumpMdl, MmMapUserAddressesToPage, MmMapVideoDisplay, MmMapViewInSessionSpace, MmMapViewInSystemSpace, MmMapViewOfSection, MmMarkPhysicalMemoryAsBad, MmMarkPhysicalMemoryAsGood, MmPageEntireDriver, MmPrefetchPages, MmProbeAndLockPages, MmProbeAndLockProcessPages, MmProbeAndLockSelectedPages, MmProtectMdlSystemAddress, MmQuerySystemSize, MmRemovePhysicalMemory, MmResetDriverPaging, MmSectionObjectType, MmSecureVirtualMemory, MmSetAddressRangeModified, MmSetBankedSection, MmSizeOfMdl, MmSystemRangeStart, MmTrimAllSystemPagableMemory, MmUnlockPagableImageSection, MmUnlockPages, MmUnmapIoSpace, 
MmUnmapLockedPages, MmUnmapReservedMapping, MmUnmapVideoDisplay, MmUnmapViewInSessionSpace, MmUnmapViewInSystemSpace, MmUnmapViewOfSection, MmUnsecureVirtualMemory, MmUserProbeAddress, NlsAnsiCodePage, NlsLeadByteInfo, NlsMbCodePageTag, NlsMbOemCodePageTag, NlsOemCodePage, NlsOemLeadByteInfo, NtAddAtom, NtAdjustPrivilegesToken, NtAllocateLocallyUniqueId, NtAllocateUuids, NtAllocateVirtualMemory, NtBuildNumber, NtClose, NtConnectPort, NtCreateEvent, NtCreateFile, NtCreateSection, NtDeleteAtom, NtDeleteFile, NtDeviceIoControlFile, NtDuplicateObject, NtDuplicateToken, NtFindAtom, NtFreeVirtualMemory, NtFsControlFile, NtGlobalFlag, NtLockFile, NtMakePermanentObject, NtMapViewOfSection, NtNotifyChangeDirectoryFile, NtOpenFile, NtOpenProcess, NtOpenProcessToken, NtOpenProcessTokenEx, NtOpenThread, NtOpenThreadToken, NtOpenThreadTokenEx, NtQueryDirectoryFile, NtQueryEaFile, NtQueryInformationAtom, NtQueryInformationFile, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationToken, NtQueryQuotaInformationFile, NtQuerySecurityObject, NtQuerySystemInformation, NtQueryVolumeInformationFile, NtReadFile, NtRequestPort, NtRequestWaitReplyPort, NtSetEaFile, NtSetEvent, NtSetInformationFile, NtSetInformationProcess, NtSetInformationThread, NtSetQuotaInformationFile, NtSetSecurityObject, NtSetVolumeInformationFile, NtShutdownSystem, NtTraceEvent, NtUnlockFile, NtVdmControl, NtWaitForSingleObject, NtWriteFile, ObAssignSecurity, ObCheckCreateObjectAccess, ObCheckObjectAccess, ObCloseHandle, ObCreateObject, ObCreateObjectType, ObDereferenceObject, ObDereferenceSecurityDescriptor, ObFindHandleForObject, ObGetObjectSecurity, ObInsertObject, ObLogSecurityDescriptor, ObMakeTemporaryObject, ObOpenObjectByName, ObOpenObjectByPointer, ObQueryNameString, ObQueryObjectAuditingByHandle, ObReferenceObjectByHandle, ObReferenceObjectByName, ObReferenceObjectByPointer, ObReferenceSecurityDescriptor, ObReleaseObjectSecurity, ObSetHandleAttributes, ObSetSecurityDescriptorInfo, 
ObSetSecurityObjectByPointer, ObfDereferenceObject, ObfReferenceObject, PfxFindPrefix, PfxInitialize, PfxInsertPrefix, PfxRemovePrefix, PoCallDriver, PoCancelDeviceNotify, PoQueueShutdownWorkItem, PoRegisterDeviceForIdleDetection, PoRegisterDeviceNotify, PoRegisterSystemState, PoRequestPowerIrp, PoRequestShutdownEvent, PoSetHiberRange, PoSetPowerState, PoSetSystemState, PoShutdownBugCheck, PoStartNextPowerIrp, PoUnregisterSystemState, ProbeForRead, ProbeForWrite, PsAssignImpersonationToken, PsChargePoolQuota, PsChargeProcessNonPagedPoolQuota, PsChargeProcessPagedPoolQuota, PsChargeProcessPoolQuota, PsCreateSystemProcess, PsCreateSystemThread, PsDereferenceImpersonationToken, PsDereferencePrimaryToken, PsDisableImpersonation, PsEstablishWin32Callouts, PsGetContextThread, PsGetCurrentProcess, PsGetCurrentProcessId, PsGetCurrentProcessSessionId, PsGetCurrentThread, PsGetCurrentThreadId, PsGetCurrentThreadPreviousMode, PsGetCurrentThreadStackBase, PsGetCurrentThreadStackLimit, PsGetJobLock, PsGetJobSessionId, PsGetJobUIRestrictionsClass, PsGetProcessCreateTimeQuadPart, PsGetProcessDebugPort, PsGetProcessExitProcessCalled, PsGetProcessExitStatus, PsGetProcessExitTime, PsGetProcessId, PsGetProcessImageFileName, PsGetProcessInheritedFromUniqueProcessId, PsGetProcessJob, PsGetProcessPeb, PsGetProcessPriorityClass, PsGetProcessSectionBaseAddress, PsGetProcessSecurityPort, PsGetProcessSessionId, PsGetProcessWin32Process, PsGetProcessWin32WindowStation, PsGetThreadFreezeCount, PsGetThreadHardErrorsAreDisabled, PsGetThreadId, PsGetThreadProcess, PsGetThreadProcessId, PsGetThreadSessionId, PsGetThreadTeb, PsGetThreadWin32Thread, PsGetVersion, PsImpersonateClient, PsInitialSystemProcess, PsIsProcessBeingDebugged, PsIsSystemThread, PsIsThreadImpersonating, PsIsThreadTerminating, PsJobType, PsLookupProcessByProcessId, PsLookupProcessThreadByCid, PsLookupThreadByThreadId, PsProcessType, PsReferenceImpersonationToken, PsReferencePrimaryToken, PsRemoveCreateThreadNotifyRoutine, 
PsRemoveLoadImageNotifyRoutine, PsRestoreImpersonation, PsReturnPoolQuota, PsReturnProcessNonPagedPoolQuota, PsReturnProcessPagedPoolQuota, PsRevertThreadToSelf, PsRevertToSelf, PsSetContextThread, PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetJobUIRestrictionsClass, PsSetLegoNotifyRoutine, PsSetLoadImageNotifyRoutine, PsSetProcessPriorityByClass, PsSetProcessPriorityClass, PsSetProcessSecurityPort, PsSetProcessWin32Process, PsSetProcessWindowStation, PsSetThreadHardErrorsAreDisabled, PsSetThreadWin32Thread, PsTerminateSystemThread, PsThreadType, READ_REGISTER_BUFFER_UCHAR, READ_REGISTER_BUFFER_ULONG, READ_REGISTER_BUFFER_USHORT, READ_REGISTER_UCHAR, READ_REGISTER_ULONG, READ_REGISTER_USHORT, RtlAbsoluteToSelfRelativeSD, RtlAddAccessAllowedAce, RtlAddAccessAllowedAceEx, RtlAddAce, RtlAddAtomToAtomTable, RtlAddRange, RtlAllocateHeap, RtlAnsiCharToUnicodeChar, RtlAnsiStringToUnicodeSize, RtlAnsiStringToUnicodeString, RtlAppendAsciizToString, RtlAppendStringToString, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, RtlAreAllAccessesGranted, RtlAreAnyAccessesGranted, RtlAreBitsClear, RtlAreBitsSet, RtlAssert, RtlCaptureContext, RtlCaptureStackBackTrace, RtlCharToInteger, RtlCheckRegistryKey, RtlClearAllBits, RtlClearBit, RtlClearBits, RtlCompareMemory, RtlCompareMemoryUlong, RtlCompareString, RtlCompareUnicodeString, RtlCompressBuffer, RtlCompressChunks, RtlConvertLongToLargeInteger, RtlConvertSidToUnicodeString, RtlConvertUlongToLargeInteger, RtlCopyLuid, RtlCopyRangeList, RtlCopySid, RtlCopyString, RtlCopyUnicodeString, RtlCreateAcl, RtlCreateAtomTable, RtlCreateHeap, RtlCreateRegistryKey, RtlCreateSecurityDescriptor, RtlCreateSystemVolumeInformationFolder, RtlCreateUnicodeString, RtlCustomCPToUnicodeN, RtlDecompressBuffer, RtlDecompressChunks, RtlDecompressFragment, RtlDelete, RtlDeleteAce, RtlDeleteAtomFromAtomTable, RtlDeleteElementGenericTable, RtlDeleteElementGenericTableAvl, RtlDeleteNoSplay, RtlDeleteOwnersRanges, 
RtlDeleteRange, RtlDeleteRegistryValue, RtlDescribeChunk, RtlDestroyAtomTable, RtlDestroyHeap, RtlDowncaseUnicodeString, RtlEmptyAtomTable, RtlEnlargedIntegerMultiply, RtlEnlargedUnsignedDivide, RtlEnlargedUnsignedMultiply, RtlEnumerateGenericTable, RtlEnumerateGenericTableAvl, RtlEnumerateGenericTableLikeADirectory, RtlEnumerateGenericTableWithoutSplaying, RtlEnumerateGenericTableWithoutSplayingAvl, RtlEqualLuid, RtlEqualSid, RtlEqualString, RtlEqualUnicodeString, RtlExtendedIntegerMultiply, RtlExtendedLargeIntegerDivide, RtlExtendedMagicDivide, RtlFillMemory, RtlFillMemoryUlong, RtlFindClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, RtlFindFirstRunClear, RtlFindLastBackwardRunClear, RtlFindLeastSignificantBit, RtlFindLongestRunClear, RtlFindMessage, RtlFindMostSignificantBit, RtlFindNextForwardRunClear, RtlFindRange, RtlFindSetBits, RtlFindSetBitsAndClear, RtlFindUnicodePrefix, RtlFormatCurrentUserKeyPath, RtlFreeAnsiString, RtlFreeHeap, RtlFreeOemString, RtlFreeRangeList, RtlFreeUnicodeString, RtlGUIDFromString, RtlGenerate8dot3Name, RtlGetAce, RtlGetCallersAddress, RtlGetCompressionWorkSpaceSize, RtlGetDaclSecurityDescriptor, RtlGetDefaultCodePage, RtlGetElementGenericTable, RtlGetElementGenericTableAvl, RtlGetFirstRange, RtlGetGroupSecurityDescriptor, RtlGetNextRange, RtlGetNtGlobalFlags, RtlGetOwnerSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetSetBootStatusData, RtlGetVersion, RtlHashUnicodeString, RtlImageDirectoryEntryToData, RtlImageNtHeader, RtlInitAnsiString, RtlInitCodePageTable, RtlInitString, RtlInitUnicodeString, RtlInitializeBitMap, RtlInitializeGenericTable, RtlInitializeGenericTableAvl, RtlInitializeRangeList, RtlInitializeSid, RtlInitializeUnicodePrefix, RtlInsertElementGenericTable, RtlInsertElementGenericTableAvl, RtlInsertElementGenericTableFull, RtlInsertElementGenericTableFullAvl, RtlInsertUnicodePrefix, RtlInt64ToUnicodeString, RtlIntegerToChar, RtlIntegerToUnicode, RtlIntegerToUnicodeString, RtlInvertRangeList, 
RtlIpv4AddressToStringA, RtlIpv4AddressToStringExA, RtlIpv4AddressToStringExW, RtlIpv4AddressToStringW, RtlIpv4StringToAddressA, RtlIpv4StringToAddressExA, RtlIpv4StringToAddressExW, RtlIpv4StringToAddressW, RtlIpv6AddressToStringA, RtlIpv6AddressToStringExA, RtlIpv6AddressToStringExW, RtlIpv6AddressToStringW, RtlIpv6StringToAddressA, RtlIpv6StringToAddressExA, RtlIpv6StringToAddressExW, RtlIpv6StringToAddressW, RtlIsGenericTableEmpty, RtlIsGenericTableEmptyAvl, RtlIsNameLegalDOS8Dot3, RtlIsRangeAvailable, RtlIsValidOemCharacter, RtlLargeIntegerAdd, RtlLargeIntegerArithmeticShift, RtlLargeIntegerDivide, RtlLargeIntegerNegate, RtlLargeIntegerShiftLeft, RtlLargeIntegerShiftRight, RtlLargeIntegerSubtract, RtlLengthRequiredSid, RtlLengthSecurityDescriptor, RtlLengthSid, RtlLockBootStatusData, RtlLookupAtomInAtomTable, RtlLookupElementGenericTable, RtlLookupElementGenericTableAvl, RtlLookupElementGenericTableFull, RtlLookupElementGenericTableFullAvl, RtlMapGenericMask, RtlMapSecurityErrorToNtStatus, RtlMergeRangeLists, RtlMoveMemory, RtlMultiByteToUnicodeN, RtlMultiByteToUnicodeSize, RtlNextUnicodePrefix, RtlNtStatusToDosError, RtlNtStatusToDosErrorNoTeb, RtlNumberGenericTableElements, RtlNumberGenericTableElementsAvl, RtlNumberOfClearBits, RtlNumberOfSetBits, RtlOemStringToCountedUnicodeString, RtlOemStringToUnicodeSize, RtlOemStringToUnicodeString, RtlOemToUnicodeN, RtlPinAtomInAtomTable, RtlPrefetchMemoryNonTemporal, RtlPrefixString, RtlPrefixUnicodeString, RtlQueryAtomInAtomTable, RtlQueryRegistryValues, RtlQueryTimeZoneInformation, RtlRaiseException, RtlRandom, RtlRandomEx, RtlRealPredecessor, RtlRealSuccessor, RtlRemoveUnicodePrefix, RtlReserveChunk, RtlSecondsSince1970ToTime, RtlSecondsSince1980ToTime, RtlSelfRelativeToAbsoluteSD, RtlSelfRelativeToAbsoluteSD2, RtlSetAllBits, RtlSetBit, RtlSetBits, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSetTimeZoneInformation, RtlSizeHeap, 
RtlSplay, RtlStringFromGUID, RtlSubAuthorityCountSid, RtlSubAuthoritySid, RtlSubtreePredecessor, RtlSubtreeSuccessor, RtlTestBit, RtlTimeFieldsToTime, RtlTimeToElapsedTimeFields, RtlTimeToSecondsSince1970, RtlTimeToSecondsSince1980, RtlTimeToTimeFields, RtlTraceDatabaseAdd, RtlTraceDatabaseCreate, RtlTraceDatabaseDestroy, RtlTraceDatabaseEnumerate, RtlTraceDatabaseFind, RtlTraceDatabaseLock, RtlTraceDatabaseUnlock, RtlTraceDatabaseValidate, RtlUlongByteSwap, RtlUlonglongByteSwap, RtlUnicodeStringToAnsiSize, RtlUnicodeStringToAnsiString, RtlUnicodeStringToCountedOemString, RtlUnicodeStringToInteger, RtlUnicodeStringToOemSize, RtlUnicodeStringToOemString, RtlUnicodeToCustomCPN, RtlUnicodeToMultiByteN, RtlUnicodeToMultiByteSize, RtlUnicodeToOemN, RtlUnlockBootStatusData, RtlUnwind, RtlUpcaseUnicodeChar, RtlUpcaseUnicodeString, RtlUpcaseUnicodeStringToAnsiString, RtlUpcaseUnicodeStringToCountedOemString, RtlUpcaseUnicodeStringToOemString, RtlUpcaseUnicodeToCustomCPN, RtlUpcaseUnicodeToMultiByteN, RtlUpcaseUnicodeToOemN, RtlUpperChar, RtlUpperString, RtlUshortByteSwap, RtlValidRelativeSecurityDescriptor, RtlValidSecurityDescriptor, RtlValidSid, RtlVerifyVersionInfo, RtlVolumeDeviceToDosName, RtlWalkFrameChain, RtlWriteRegistryValue, RtlZeroHeap, RtlZeroMemory, RtlxAnsiStringToUnicodeSize, RtlxOemStringToUnicodeSize, RtlxUnicodeStringToAnsiSize, RtlxUnicodeStringToOemSize, SeAccessCheck, SeAppendPrivileges, SeAssignSecurity, SeAssignSecurityEx, SeAuditHardLinkCreation, SeAuditingFileEvents, SeAuditingFileEventsWithContext, SeAuditingFileOrGlobalEvents, SeAuditingHardLinkEvents, SeAuditingHardLinkEventsWithContext, SeCaptureSecurityDescriptor, SeCaptureSubjectContext, SeCloseObjectAuditAlarm, SeCreateAccessState, SeCreateClientSecurity, SeCreateClientSecurityFromSubjectContext, SeDeassignSecurity, SeDeleteAccessState, SeDeleteObjectAuditAlarm, SeExports, SeFilterToken, SeFreePrivileges, SeImpersonateClient, SeImpersonateClientEx, SeLockSubjectContext, 
SeMarkLogonSessionForTerminationNotification, SeOpenObjectAuditAlarm, SeOpenObjectForDeleteAuditAlarm, SePrivilegeCheck, SePrivilegeObjectAuditAlarm, SePublicDefaultDacl, SeQueryAuthenticationIdToken, SeQueryInformationToken, SeQuerySecurityDescriptorInfo, SeQuerySessionIdToken, SeRegisterLogonSessionTerminatedRoutine, SeReleaseSecurityDescriptor, SeReleaseSubjectContext, SeSetAccessStateGenericMapping, SeSetSecurityDescriptorInfo, SeSetSecurityDescriptorInfoEx, SeSinglePrivilegeCheck, SeSystemDefaultDacl, SeTokenImpersonationLevel, SeTokenIsAdmin, SeTokenIsRestricted, SeTokenIsWriteRestricted, SeTokenObjectType, SeTokenType, SeUnlockSubjectContext, SeUnregisterLogonSessionTerminatedRoutine, SeValidSecurityDescriptor, VerSetConditionMask, VfFailDeviceNode, VfFailDriver, VfFailSystemBIOS, VfIsVerificationEnabled, WRITE_REGISTER_BUFFER_UCHAR, WRITE_REGISTER_BUFFER_ULONG, WRITE_REGISTER_BUFFER_USHORT, WRITE_REGISTER_UCHAR, WRITE_REGISTER_ULONG, WRITE_REGISTER_USHORT, WmiFlushTrace, WmiGetClock, WmiQueryTrace, WmiQueryTraceInformation, WmiStartTrace, WmiStopTrace, WmiTraceMessage, WmiTraceMessageVa, WmiUpdateTrace, XIPDispatch, ZwAccessCheckAndAuditAlarm, ZwAddBootEntry, ZwAdjustPrivilegesToken, ZwAlertThread, ZwAllocateVirtualMemory, ZwAssignProcessToJobObject, ZwCancelIoFile, ZwCancelTimer, ZwClearEvent, ZwClose, ZwCloseObjectAuditAlarm, ZwConnectPort, ZwCreateDirectoryObject, ZwCreateEvent, ZwCreateFile, ZwCreateJobObject, ZwCreateKey, ZwCreateSection, ZwCreateSymbolicLinkObject, ZwCreateTimer, ZwDeleteBootEntry, ZwDeleteFile, ZwDeleteKey, ZwDeleteValueKey, ZwDeviceIoControlFile, ZwDisplayString, ZwDuplicateObject, ZwDuplicateToken, ZwEnumerateBootEntries, ZwEnumerateKey, ZwEnumerateValueKey, ZwFlushInstructionCache, ZwFlushKey, ZwFlushVirtualMemory, ZwFreeVirtualMemory, ZwFsControlFile, ZwInitiatePowerAction, ZwIsProcessInJob, ZwLoadDriver, ZwLoadKey, ZwMakeTemporaryObject, ZwMapViewOfSection, ZwNotifyChangeKey, ZwOpenDirectoryObject, ZwOpenEvent, ZwOpenFile, 
ZwOpenJobObject, ZwOpenKey, ZwOpenProcess, ZwOpenProcessToken, ZwOpenProcessTokenEx, ZwOpenSection, ZwOpenSymbolicLinkObject, ZwOpenThread, ZwOpenThreadToken, ZwOpenThreadTokenEx, ZwOpenTimer, ZwPowerInformation, ZwPulseEvent, ZwQueryBootEntryOrder, ZwQueryBootOptions, ZwQueryDefaultLocale, ZwQueryDefaultUILanguage, ZwQueryDirectoryFile, ZwQueryDirectoryObject, ZwQueryEaFile, ZwQueryFullAttributesFile, ZwQueryInformationFile, ZwQueryInformationJobObject, ZwQueryInformationProcess, ZwQueryInformationThread, ZwQueryInformationToken, ZwQueryInstallUILanguage, ZwQueryKey, ZwQueryObject, ZwQuerySection, ZwQuerySecurityObject, ZwQuerySymbolicLinkObject, ZwQuerySystemInformation, ZwQueryValueKey, ZwQueryVolumeInformationFile, ZwReadFile, ZwReplaceKey, ZwRequestWaitReplyPort, ZwResetEvent, ZwRestoreKey, ZwSaveKey, ZwSaveKeyEx, ZwSetBootEntryOrder, ZwSetBootOptions, ZwSetDefaultLocale, ZwSetDefaultUILanguage, ZwSetEaFile, ZwSetEvent, ZwSetInformationFile, ZwSetInformationJobObject, ZwSetInformationObject, ZwSetInformationProcess, ZwSetInformationThread, ZwSetSecurityObject, ZwSetSystemInformation, ZwSetSystemTime, ZwSetTimer, ZwSetValueKey, ZwSetVolumeInformationFile, ZwTerminateJobObject, ZwTerminateProcess, ZwTranslateFilePath, ZwUnloadDriver, ZwUnloadKey, ZwUnmapViewOfSection, ZwWaitForMultipleObjects, ZwWaitForSingleObject, ZwWriteFile, ZwYieldExecution, _CIcos, _CIsin, _CIsqrt, _abnormal_termination, _alldiv, _alldvrm, _allmul, _alloca_probe, _allrem, _allshl, _allshr, _aulldiv, _aulldvrm, _aullrem, _aullshr, _except_handler2, _except_handler3, _global_unwind2, _itoa, _itow, _local_unwind2, _purecall, _snprintf, _snwprintf, _stricmp, _strlwr, _strnicmp, _strnset, _strrev, _strset, _strupr, _vsnprintf, _vsnwprintf, _wcsicmp, _wcslwr, _wcsnicmp, _wcsnset, _wcsrev, _wcsupr, atoi, atol, isdigit, islower, isprint, isspace, isupper, isxdigit, mbstowcs, mbtowc, memchr, memcpy, memmove, memset, qsort, rand, sprintf, srand, strcat, strchr, strcmp, strcpy, strlen, strncat, 
strncmp, strncpy, strrchr, strspn, strstr, swprintf, tolower, toupper, towlower, towupper, vDbgPrintEx, vDbgPrintExWithPrefix, vsprintf, wcscat, wcschr, wcscmp, wcscpy, wcscspn, wcslen, wcsncat, wcsncmp, wcsncpy, wcsrchr, wcsspn, wcsstr, wcstombs, wctomb
13.06.2008, 15:01 | #22
and here ctfmon.exe:

AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5870 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 -

Further information
File size: 23552 bytes
MD5...: 1ea6f0ab57ce0e11a8721073491f575f
SHA1..: 8cd1cd49623c1f233c76476497a1aecf476b7d2b
SHA256: 28419689cc349b642f52bd43aaa8bd13e66b34536c760450e77963d4aece7d89
SHA512: 625875141663fd3561f456492b18dffe16b6a171255c5d0d975eb2be5b266f9c4876b33b5dfb375fb0d5ee9bd1ca6e8376d1f7e51c2a1afac4f1dcfa62cc7a0e
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401028
timedatestamp.....: 0x408c158a (Sun Apr 25 19:46:18 2004)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x1000  0x3b48  0x3c00   6.55   2f8baa0026a0ddb746c03f40aeafe9f4
.rdata  0x5000  0x11ea  0x1200   4.77   7fc335f02b6202b9a37b01f15c27c6b6
.data   0x7000  0x858   0x400    2.12   236b93af4d767a836b0fd9729355252b
.rsrc   0x8000  0x418   0x600    2.47   16d655565abc12030528e6e31b4ca335
( 1 imports )
> KERNEL32.dll: GetModuleHandleA, GetCommandLineA, GetVersionExA, ExitProcess, GetProcAddress, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, LoadLibraryA, HeapAlloc, GetACP, GetOEMCP, GetCPInfo, VirtualAlloc, HeapReAlloc, RtlUnwind, InterlockedExchange, VirtualQuery, HeapSize, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo
( 0 exports )
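The PEInfo blocks pasted in this thread list, per section, the virtual address, virtual size, raw size on disk and entropy (ntrpy), followed by the import table, and those four columns are what an analyst reads first when deciding whether a file is packed. The following Python is an added example, not code from the thread, from VirusTotal or from any tool mentioned here: it rebuilds that section table from a PE image and applies the usual packer heuristics (a section with virtual size but no raw data, a section whose entropy approaches 8 bits per byte, and an import table reduced to LoadLibraryA/GetProcAddress plus one import per DLL, which is how UPX-packed images look). The `build_pe` helper, the two sample images and the two import tables are constructed for the example; import tables are passed in as VirusTotal prints them rather than parsed out of the file.

```python
# Added example, not code from the thread or from VirusTotal: rebuild the
# PEInfo section table (viradd / virsiz / rawdsiz / ntrpy) from a PE image
# and apply the packer heuristics an analyst reads off such a table.
import math
import random
import struct
from collections import Counter

FILE_ALIGN = 0x200   # typical FileAlignment
SECT_ALIGN = 0x1000  # typical SectionAlignment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (machine, [section dicts]) from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsiz] if rawsiz else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": viradd, "virsiz": virsiz, "rawdsiz": rawsiz,
                         "ntrpy": round(shannon_entropy(raw), 2)})
    return machine, sections


def packer_indicators(sections, imports):
    """Heuristics only; each finding is a reason to look closer, not a verdict.
    `imports` maps DLL name -> imported function names, as VirusTotal prints them."""
    findings = []
    for s in sections:
        # Memory reserved but nothing on disk: where an unpacker writes the real code
        # (a .bss-style data section looks the same, so this alone proves nothing).
        if s["virsiz"] and s["rawdsiz"] == 0:
            findings.append(f"{s['name']}: virtual size without raw data")
        if s["rawdsiz"] >= FILE_ALIGN and s["ntrpy"] >= 7.0:
            findings.append(f"{s['name']}: entropy {s['ntrpy']} (compressed or encrypted)")
    by_dll = {dll.upper(): set(names) for dll, names in imports.items()}
    k32 = by_dll.get("KERNEL32.DLL", set())
    others = [n for dll, n in by_dll.items() if dll != "KERNEL32.DLL"]
    # A stub that resolves its real imports at run time needs little beyond
    # LoadLibraryA/GetProcAddress; UPX also keeps one import per DLL to keep it mapped.
    if {"LoadLibraryA", "GetProcAddress"} <= k32 and len(k32) <= 8 and all(len(n) <= 1 for n in others):
        findings.append("minimal import table (LoadLibraryA/GetProcAddress stub)")
    return findings


def _align(x, a):
    return (x + a - 1) // a * a


def build_pe(sections):
    """Constructed minimal PE32 image for testing; `sections` is [(name, virsiz, raw bytes)]."""
    opt_size, e_lfanew = 224, 0x40
    raw_ptr = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic; rest unused here
    hdrs, blobs, viradd = b"", b"", SECT_ALIGN
    for name, virsiz, raw in sections:
        rawsiz = _align(len(raw), FILE_ALIGN)
        ptr = raw_ptr + len(blobs) if rawsiz else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name, virsiz, viradd, rawsiz, ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw.ljust(rawsiz, b"\0")
        viradd += _align(max(virsiz, rawsiz), SECT_ALIGN)
    image = dos + b"PE\0\0" + file_hdr + opt_hdr + hdrs
    return image.ljust(raw_ptr, b"\0") + blobs


def upx_like_sample() -> bytes:
    """Constructed image with a UPX-style layout: empty UPX0, high-entropy UPX1, small .rsrc."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(0x1000))
    return build_pe([(b"UPX0", 0x44000, b""), (b"UPX1", 0x28000, packed), (b".rsrc", 0x1000, b"\0" * 0x800)])


def plain_like_sample() -> bytes:
    """Constructed image with ordinary, low-entropy sections."""
    code = bytes(range(64)) * 16  # 64 distinct byte values, evenly spread: entropy exactly 6.0
    return build_pe([(b".text", 0x1000, code), (b".data", 0x858, b"\x01\x02" * 0x200), (b".rsrc", 0x418, b"\0" * 0x600)])


# Constructed import tables in the shape VirusTotal prints ("> KERNEL32.DLL: LoadLibraryA, ...").
UPX_LIKE_IMPORTS = {"KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect"],
                    "ADVAPI32.dll": ["RegEnumKeyW"], "GDI32.dll": ["SaveDC"]}
PLAIN_LIKE_IMPORTS = {"KERNEL32.dll": ["GetModuleHandleA", "GetCommandLineA", "GetVersionExA", "ExitProcess",
                                       "GetProcAddress", "TerminateProcess", "GetCurrentProcess", "WriteFile",
                                       "GetStdHandle", "LoadLibraryA", "HeapAlloc", "VirtualAlloc"]}

if __name__ == "__main__":
    for label, image, imports in (("upx-like", upx_like_sample(), UPX_LIKE_IMPORTS),
                                  ("plain", plain_like_sample(), PLAIN_LIKE_IMPORTS)):
        machine, secs = parse_sections(image)
        print(f"{label}: machinetype {machine:#x}")
        print("  name      viradd    virsiz    rawdsiz   ntrpy")
        for s in secs:
            print(f"  {s['name']:<8}  {s['viradd']:<#8x}  {s['virsiz']:<#8x}  {s['rawdsiz']:<#8x}  {s['ntrpy']:.2f}")
        for f in packer_indicators(secs, imports):
            print("  !", f)
```

Run stand-alone it prints the same five columns VirusTotal shows for each sample and the findings under them; the UPX-like sample is laid out so that its second and third sections land at 0x45000 and 0x6d000, the addresses a UPX0/UPX1/.rsrc image of those sizes produces. Two caveats for real files: a zero raw size also describes a legitimate .bss section, and entropy near 8 also describes embedded certificates, compressed resources or encrypted configuration, so the findings rank what to unpack or inspect next rather than classify the file.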
13.06.2008, 15:04 | #23
| setup.exe blocked There was nothing more in the ComboFix logfile. I already posted the FixVundo log in my last post; it said nothing more than:

Symantec Trojan.Vundo Removal Tool 1.5.0
C:\Dokumente und Einstellungen\Fu¯: (not scanned)
D:\System Volume Information: (not scanned)
Trojan.Vundo has not been found on your computer.

VirusTotal scan

comsysh.exe:
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5871 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 -
weitere Informationen
File size: 24576 bytes
MD5...: d44f0697e10c4145e8eba37258af29f6
SHA1..: 625070643c6a268b84a2283735ea6c494ecb59c2
SHA256: be9872c877774baec59f8c09cf1841673cac441e3504b1885c901b76ab00d4fc
SHA512: 1af84df310ef87fd01dec67c4c5ea316dcd780f4a99d129bb822c95d4d930a85 ab88eeb65e556406bfda05d70b6a54e9eefec39ea0dc4e5600f4449e0845a3ca
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401320
timedatestamp.....: 0x3a82a484 (Thu Feb 08 13:52:04 2001)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2190 0x3000 4.04 50db773c3e9f028e58772585ef5a62ef
.data 0x4000 0xb80 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x5000 0x8dc 0x1000 1.92 dac60f25e029229fc067e6b7918bf65e
( 1 imports )
> MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, _adj_fdiv_m64, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaExitProc, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, __vbaFpR4, _CIsin, -, -, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, -, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaStrToAnsi, __vbaRecDestructAnsi, -, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj
( 0 exports )

flvDX.dll:
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5871 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft 1.3604 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 -
weitere Informationen
File size: 163328 bytes
MD5...: 8453687a045c926f0291301ebaf50370
SHA1..: 8d756345c945b75ef63314fa8992f1b582067ff3
SHA256: 151afe783864d2fcbe6f954d1aef0cb1a157ae41848e2f0478217cddaad61967
SHA512: 4500220ad0ec796d5c14140788a68397508b5606e019b5849d7bb6a5cb76c358 c15193748f52cc70528567541bf0e7dfd249b778af15396a199ae420e341efaf
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1006bf60
timedatestamp.....: 0x445872ae (Wed May 03 09:06:54 2006)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x44000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x45000 0x28000 0x27200 7.92 8c71ecde07c563755798b56de82cfa8b
.rsrc 0x6d000 0x1000 0x800 3.27 ea079b662ca468ac3b84ac5ae3533871
( 9 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect
> ADVAPI32.dll: RegEnumKeyW
> comdlg32.dll: GetFileTitleW
> GDI32.dll: SaveDC
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHLWAPI.dll: PathIsUNCW
> USER32.dll: GetDC
> WINSPOOL.DRV: ClosePrinter
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

msfDX.dll:
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 Suspicious File
eTrust-Vet 31.6.5871 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft None 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 -
weitere Informationen
File size: 31232 bytes
MD5...: 21d8f42d54598b73c2e1a9571399113b
SHA1..: ed711faa61fdd6d53eacc7a99d60d95dd9137a7d
SHA256: 992e23bddfa1eaaf66cc7ccbef23596be5d2b47aa6a8272028092b4829bde784
SHA512: a7e698a66e2dce5f0f7797a8dc2f992123a7bb7f8a0dc6214738a1ec5fcf9ed9 a919e4e9f86522e5355deff30843238e3da7e008d13dc5cc8ad2552e28a32599
PEiD..: PECompact 2.xx --> BitSum Technologies
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100047c0
timedatestamp.....: 0x3f8e4348 (Thu Oct 16 07:05:44 2003)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14000 0x5e00 7.96 2c3b58f66566a8e664c8ea4a5a891296
.rsrc 0x15000 0x2000 0x1600 6.84 345310e90c13175c817748d5d69715bf
.reloc 0x17000 0x1000 0x200 0.22 3bea04e909f4f9d16cc848d4a6c601f5
( 6 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> MSVCRT.dll: _CxxThrowException
> ADVAPI32.dll: RegCreateKeyExA
> USER32.dll: SetRectEmpty
> GDI32.dll: CreateDCA
> ole32.dll: CoInitialize
( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact

smab0.dll:
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.13 -
Authentium 5.1.0.4 2008.06.12 -
Avast 4.8.1195.0 2008.06.13 -
AVG 7.5.0.516 2008.06.13 -
BitDefender 7.2 2008.06.13 -
CAT-QuickHeal 9.50 2008.06.12 -
ClamAV 0.92.1 2008.06.13 -
DrWeb 4.44.0.09170 2008.06.13 -
eSafe 7.0.15.0 2008.06.12 Suspicious File
eTrust-Vet 31.6.5871 2008.06.13 -
Ewido 4.0 2008.06.13 -
F-Prot 4.4.4.56 2008.06.12 -
Fortinet 3.14.0.0 2008.06.13 -
GData 2.0.7306.1023 2008.06.13 -
Ikarus T3.1.1.26.0 2008.06.13 -
Kaspersky 7.0.0.125 2008.06.13 -
McAfee 5316 2008.06.12 -
Microsoft None 2008.06.13 -
NOD32v2 3184 2008.06.13 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.12 -
Prevx1 V2 2008.06.13 -
Rising 20.48.42.00 2008.06.13 -
Sophos 4.30.0 2008.06.13 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.13 -
TheHacker 6.2.92.346 2008.06.12 -
VBA32 3.12.6.7 2008.06.12 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.13 Win32.Malware.gen!88 (suspicious)
weitere Informationen
File size: 27648 bytes
MD5...: 2cdfdd3019e885d32c0d7c47ec33f8b3
SHA1..: fa2c7ec1478056ba921c10b433359ef302b3eddd
SHA256: d4ceed9eeecab9ec14b0bbe3bff53285719295d2c6ba235496c7526890b0a6d2
SHA512: 5f4c9b451d8f2329465e61bbdb9b51fa7ac7207174595cbd16af6709cd36ea92 65270b58249b1cf1060c70c04ac8fb534580fbb28e5a38a61d0e3402e73dce5a
PEiD..: PECompact 2.xx --> BitSum Technologies
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x46495058 (Tue May 15 06:16:56 2007)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14000 0x4800 7.98 1ff33590ef20d67a1b10a5ce2fc53d96
.rsrc 0x15000 0x2000 0x2000 6.70 341f7944f03a8a170e0549e0cf9e9f9e
.reloc 0x17000 0x200 0x200 0.21 8f5b39eaff78f4364554d021fa93976c
( 3 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> msvcrt.dll: __dllonexit
> WSOCK32.DLL: WSAGetLastError
( 115 exports )
pthreadCancelableTimedWait, pthreadCancelableWait, pthread_attr_destroy, pthread_attr_getdetachstate, pthread_attr_getinheritsched, pthread_attr_getschedparam, pthread_attr_getschedpolicy, pthread_attr_getscope, pthread_attr_getstackaddr, pthread_attr_getstacksize, pthread_attr_init, pthread_attr_setdetachstate, pthread_attr_setinheritsched, pthread_attr_setschedparam, pthread_attr_setschedpolicy, pthread_attr_setscope, pthread_attr_setstackaddr, pthread_attr_setstacksize, pthread_barrier_destroy, pthread_barrier_init, pthread_barrier_wait, pthread_barrierattr_destroy, pthread_barrierattr_getpshared, pthread_barrierattr_init, pthread_barrierattr_setpshared, pthread_cancel, pthread_cond_broadcast, pthread_cond_destroy, pthread_cond_init, pthread_cond_signal, pthread_cond_timedwait, pthread_cond_wait, pthread_condattr_destroy, pthread_condattr_getpshared, pthread_condattr_init, pthread_condattr_setpshared, pthread_create, pthread_delay_np, pthread_detach, pthread_equal, pthread_exit, pthread_getconcurrency, pthread_getschedparam, pthread_getspecific, pthread_getw32threadhandle_np, pthread_join, pthread_key_create, pthread_key_delete, pthread_kill, pthread_mutex_destroy, pthread_mutex_init, pthread_mutex_lock, pthread_mutex_timedlock, pthread_mutex_trylock, pthread_mutex_unlock, pthread_mutexattr_destroy, pthread_mutexattr_getkind_np, pthread_mutexattr_getpshared, pthread_mutexattr_gettype, pthread_mutexattr_init, pthread_mutexattr_setkind_np, pthread_mutexattr_setpshared, pthread_mutexattr_settype, pthread_num_processors_np, pthread_once, pthread_rwlock_destroy, pthread_rwlock_init, pthread_rwlock_rdlock, pthread_rwlock_timedrdlock, pthread_rwlock_timedwrlock, pthread_rwlock_tryrdlock, pthread_rwlock_trywrlock, pthread_rwlock_unlock, pthread_rwlock_wrlock, pthread_rwlockattr_destroy, pthread_rwlockattr_getpshared, pthread_rwlockattr_init, pthread_rwlockattr_setpshared, pthread_self, pthread_setcancelstate, pthread_setcanceltype, pthread_setconcurrency, pthread_setschedparam, pthread_setspecific, pthread_spin_destroy, pthread_spin_init, pthread_spin_lock, pthread_spin_trylock, pthread_spin_unlock, pthread_testcancel, pthread_timechange_handler_np, pthread_win32_process_attach_np, pthread_win32_process_detach_np, pthread_win32_test_features_np, pthread_win32_thread_attach_np, pthread_win32_thread_detach_np, ptw32_get_exception_services_code, ptw32_pop_cleanup, ptw32_push_cleanup, sched_get_priority_max, sched_get_priority_min, sched_getscheduler, sched_setscheduler, sched_yield, sem_close, sem_destroy, sem_getvalue, sem_init, sem_open, sem_post, sem_post_multiple, sem_timedwait, sem_trywait, sem_unlink, sem_wait
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact

Last edited by matthias_90 (13.06.2008 at 15:22) |
17.06.2008, 17:29 | #24 |
| setup.exe blocked HELP!!! When I wanted to start my PC today, the password of my admin account was locked. I can only get into the computer through my father's account, and that is no longer an administrator account. I also can't disconnect the internet connection from the computer; I can only pull out the internet plug. The keyboard layout was changed to the American one. I can't even start the PC in Safe Mode. Could it be that I have a downloader on the PC that just keeps infecting my system more and more? I'm slowly starting to think about reformatting, or is there another solution, or a program with which I can find out the password? |
18.06.2008, 06:33 | #25 |
| setup.exe blocked Hi, that's how it is (the downloader), since every new scan finds new trojans/viruses, and the thing is well hidden. If you can reinstall, do it; caution: when doing so, format the drive physically and completely, including the MBR! There are currently some trojans that anchor themselves there and are almost impossible to get rid of... There are ways to reset the admin password, but that doesn't solve the problem... Sorry, but this is probably the best option: http://www.trojaner-board.de/12154-a...sicherung.html chris
__________________ Don't bring me down Before posting, read this! Donations (Anyone who wants to donate is welcome to get in touch) |
18.06.2008, 13:30 | #26 |
| setup.exe blocked ok, I'll read through that. Is there actually some program that I only have to start and it then automatically saves all the drivers, system settings etc. to an external hard drive or a USB stick, and when my system is infected I only have to format, then start this program, and presto, all the data is back on my system? Is there something like that??? |
18.06.2008, 15:09 | #27 |
| setup.exe blocked Hi, there are various backup programs (Paragon, Acronis etc.) with which you can do something like that. I personally have Acronis running (True Image Home Acronis - hard-disk backup software, file backup and disk imaging, restoring application settings, backup of music, videos, photos and Outlook mails); it also has a mode in which all changes to the system can be made only temporarily (Try&Decide). Whether backups actually get made, however, depends on the user! Please proceed like this: reinstall the system, update and secure it (as described), and then make an initial backup (to DVD or a USB hard drive)... chris PS: And no, I'm not advertising anything.... |
28.06.2008, 16:16 | #28 |
| setup.exe blocked I've now backed everything up and, after a looooong and tedious effort, gathered all my drivers; I'll reinstall tomorrow. I downloaded that file with the virus once more (doesn't matter anyway since I'm reinstalling tomorrow), scanned the file and then found this description of the virus:

This Trojan may be dropped by other malware.

Upon execution, this Trojan creates the following folder:
* %Windows%\Fonts\
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following copies of itself:
* %Windows%\Fonts\a.zip
* %Windows%\Fonts\Setup.exe
* %Windows%\Fonts\svchost.exe

It also drops the following non-malicious file:
* %System%\vbzip10.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

This Trojan creates the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Host Process = "%Windows%\Fonts\svchost.exe"

This Trojan accesses URLs to download files:
* http://{BLOCKED}ay-warez.com/ddl-{number}.html
* http://{BLOCKED}reznova.com/index{number}.htm
* http://{BLOCKED}lspot.com/index-{number}.html
* http://{BLOCKED}l2.com/index_page-{number}.html
* http://{BLOCKED}tz.cd/pg/{number}

And another question about the backup program: can I save the backups on D: without having to worry that D: gets infected? My system partition is C:, so it should work, right? |
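The write-up quoted in the post above shows the persistence pattern worth recognising: a Run value that starts a file called svchost.exe from %Windows%\Fonts, that is, a well-known system-binary name in a directory where no system binary lives. The script below is an added example, not code from this thread or from any tool mentioned in it. It parses the text that `reg query` prints for the Run keys and flags autostart entries whose binary name belongs elsewhere or whose directory is one nothing should start from. The sample `reg query` output is constructed, and the EXPECTED_HOME and SUSPICIOUS_DIRS tables are assumptions chosen to illustrate the pattern, not an authoritative list.

```python
import ntpath
import re

# Added example, not code from the thread or from any tool mentioned in it.
# EXPECTED_HOME and SUSPICIOUS_DIRS are assumptions for illustration only.

# Where a binary with this name is expected to live on a Windows XP system.
EXPECTED_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directories from which nothing legitimate should be auto-started.
SUSPICIOUS_DIRS = (r"c:\windows\fonts", r"c:\windows\temp")

# Placeholders as used in the quoted write-up, mapped to the usual XP paths.
PLACEHOLDERS = {
    "%windows%": r"c:\windows",
    "%systemroot%": r"c:\windows",
    "%system%": r"c:\windows\system32",
}

# One value line of `reg query` output: name, type and data separated by runs
# of whitespace (tabs on XP, four spaces on later Windows versions).
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")
KEY_RE = re.compile(r"^HK[A-Z_]+\\", re.IGNORECASE)


def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def executable_path(data):
    """Strip arguments and quotes, expand placeholders, return a lowercase path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
        path = m.group(1) if m else data.split(" ")[0]
    path = path.lower()
    for placeholder, real in PLACEHOLDERS.items():
        path = path.replace(placeholder, real)
    return path


def analyze_run_entries(text):
    """Return findings for autostart values that look like a masquerading binary."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = executable_path(data)
        directory = ntpath.dirname(path)
        binary = ntpath.basename(path)
        reasons = []
        expected = EXPECTED_HOME.get(binary)
        if expected and directory != expected:
            reasons.append(f"{binary} expected in {expected}, found in {directory}")
        if any(directory == d or directory.startswith(d + "\\") for d in SUSPICIOUS_DIRS):
            reasons.append(f"autostart from {directory}")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


# Constructed sample of `reg query` output for both Run keys; the first and the
# last value mirror the behaviour described in the quoted write-up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Host Process    REG_SZ    C:\WINDOWS\Fonts\svchost.exe
    SoundMAX    REG_SZ    "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" /tray
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    %Windows%\Temp\explorer.exe -silent
"""

if __name__ == "__main__":
    for f in analyze_run_entries(SAMPLE_REG_QUERY):
        print(f"{f['key']}\\{f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("    " + r)
```

On a live system the input would come from `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU counterpart) saved to a text file; the two constructed entries above are flagged twice each, once for the binary name living outside its expected directory and once for the directory itself.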