Virus Fehler beim Öffnen eines Ordners !!!

Rattlesnake8 · 21.08.2008, 13:34

Hier in diesem Thread hatte schonmal jemand das Problem.

http://www.trojaner-board.de/55120-v...-help-pls.html

Hoffe mir kann einer dabei helfen, wollte schon formatieren aber mein Laufwerk bootet die Windows CD nicht.

Und hier ist mein Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:03, on 21.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\tray\wintmr.exe
C:\WINDOWS\system32\cc32\webtmr.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\Prismsta.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Fabian\Desktop\Neuer Ordner\This.com.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Programme\Gemeinsame Dateien\Tray\ccexec.exe
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IE Shop - {F73DBD9E-5F1B-4BCA-8604-A911DCE08B37} - C:\WINDOWS\system32\hayt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ChicoSys] C:\WINDOWS\system32\cc32\webtmr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CCWinTray] C:\WINDOWS\Tray\wintmr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TVgenial] C:\Programme\TVgenial\TVgenial.exe -d
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {82DEF876-14E4-4CE5-9CA4-DE79A2EE46D2} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8103 bytes

cosinus · 21.08.2008, 14:34

Hallo Rattlesnake8 und

Code:

ATTFilter

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Auf Deinem System fehlen min. das SP3 und der IE7!
Du solltest nach erfolgter Bereinigung (sofern sinnvoll/möglich) schnellstens die Windowsupdateseite besuchen!
Ebenso sind der AdobeReader und Java bei Dir veraltet - deinstalliere beide versionen voher und installiere dann die aktuellen Versionen.

Acker diese Punkte für weitere Analysen ab:

A.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

B.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:

Code:

ATTFilter

C:\WINDOWS\tray\wintmr.exe
C:\WINDOWS\system32\Prismsta.exe
C:\Programme\Gemeinsame Dateien\Tray\ccexec.exe
C:\WINDOWS\system32\hayt.dll

C.) Führe dieses MBR-Tool aus und poste die Ausgabe

D.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten

E.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste die Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

F.) Mach ein Filelisting mit diesem script:

Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
Doppelklick auf listing8.cmd auf dem Desktop
nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

Rattlesnake8 · 22.08.2008, 07:01

Punkt A-D habe ich soweit abgearbeitet.
Punkt E funktioniert bei mir irgendwie nicht.
Wenn ich die Combo Fix Exe anklicke kommt nur das blaue Fenster kurz und verschwindet dann wieder.
Er schreibt zwar das Combo Fix sich vorbereitet um ausgeführt zu werden aber dann geht das Fenster weg und es kommt nichts mehr.
Hab auch extra 2-3 Minuten gewartet.
Punkt F verstehe ich irgendwie nicht ganz, wie mach ich denn nen Filelisting?
Danke aber schonmal dafür das du dir soviel Mühe machst, echt respekt !!!
Hier die Auswertungen:

C:\WINDOWS\tray\wintmr.exe

Code:

ATTFilter

Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.8.21.0	2008.08.21	-
AntiVir	7.8.1.23	2008.08.21	-
Authentium	5.1.0.4	2008.08.22	-
Avast	4.8.1195.0	2008.08.21	-
AVG	8.0.0.161	2008.08.21	-
BitDefender	7.2	2008.08.22	-
CAT-QuickHeal	9.50	2008.08.21	-
ClamAV	0.93.1	2008.08.21	-
DrWeb	4.44.0.09170	2008.08.21	-
eSafe	7.0.17.0	2008.08.21	-
eTrust-Vet	31.6.6039	2008.08.21	-
Ewido	4.0	2008.08.21	-
F-Prot	4.4.4.56	2008.08.21	-
F-Secure	7.60.13501.0	2008.08.22	Suspicious:W32/Kolweb.d!Gemini
Fortinet	3.14.0.0	2008.08.21	-
GData	2.0.7306.1023	2008.08.20	-
Ikarus	T3.1.1.34.0	2008.08.22	-
K7AntiVirus	7.10.423	2008.08.21	-
Kaspersky	7.0.0.125	2008.08.22	-
McAfee	5367	2008.08.21	-
Microsoft	1.3807	2008.08.22	-
NOD32v2	3377	2008.08.22	-
Norman	5.80.02	2008.08.21	-
Panda	9.0.0.4	2008.08.21	-
PCTools	4.4.2.0	2008.08.21	-
Prevx1	V2	2008.08.22	-
Rising	20.58.32.00	2008.08.21	-
Sophos	4.32.0	2008.08.22	-
Sunbelt	3.1.1571.1	2008.08.22	-
Symantec	10	2008.08.22	-
TheHacker	6.3.0.6.058	2008.08.22	-
TrendMicro	8.700.0.1004	2008.08.21	-
VBA32	3.12.8.4	2008.08.21	Signed-Trojan.Win32.Delf.bet
ViRobot	2008.8.21.1344	2008.08.21	-
VirusBuster	4.5.11.0	2008.08.21	-
Webwasher-Gateway	6.6.2	2008.08.22	-
weitere Informationen
File size: 4355072 bytes
MD5...: 25b927ee20546b9b3b53666f715bc231
SHA1..: c4ae9cb17a4c1f2b70fbbc997225e2c0d907d9e9
SHA256: 3cd922b4a4febf45e142fd6d8d15e56bec60614d6f242bb25d323dbadf6410ba
SHA512: 9a2e0b1e472a9eaeba43fefe70200a8ff5b2dc4ecd456ed44552f41a0edb7284
05d6f6320211128a8c4a227050bb0167284d2b9f6e715895398966fb13a81ee2
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x672f80
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x2721e4 0x272200 6.56 89ff59d2a076695728c5beb3be2d4647
DATA 0x274000 0x13fac 0x14000 6.86 8399873a943ed973f780db45e3963f8d
BSS 0x288000 0x4815 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x28d000 0x35ce 0x3600 5.10 16b2d2bd041009bf9df3450b5fff9df7
.tls 0x291000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x292000 0x18 0x200 0.20 a9f14877dcecf215ce60c243b534c11f
.reloc 0x293000 0x2b44c 0x2b600 6.62 373c96b12390055a76e906c0cfdc2ede
.rsrc 0x2bf000 0x30600 0x30600 6.36 5b522d3d702c0d6c1f483931a362f895

( 24 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: SetSecurityDescriptorDacl, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueA, InitializeSecurityDescriptor, GetUserNameA, GetTokenInformation, GetLengthSid, FreeSid, EqualSid, CopySid, AllocateAndInitializeSid, AdjustTokenPrivileges
> kernel32.dll: lstrlenW, lstrcpyA, lstrcmpA, WriteProcessMemory, WritePrivateProfileStringA, WriteFile, WaitNamedPipeA, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, UnlockFile, TerminateThread, TerminateProcess, SystemTimeToFileTime, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetThreadContext, SetThreadAffinityMask, SetPriorityClass, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReleaseMutex, ReadProcessMemory, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, PulseEvent, OutputDebugStringA, OpenProcess, OpenFileMappingW, OpenFileMappingA, OpenEventW, OpenEventA, MultiByteToWideChar, MulDiv, MoveFileA, MapViewOfFile, LockResource, LockFile, LocalFree, LocalAlloc, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExW, GetVersionExA, GetVersion, GetTimeFormatA, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempFileNameA, GetSystemTime, GetSystemInfo, GetSystemDirectoryW, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetStartupInfoA, GetProcessVersion, GetProcessAffinityMask, GetProcAddress, GetPrivateProfileStringA, GetPriorityClass, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesW, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCommandLineA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FlushFileBuffers, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DeleteFileA, DeleteCriticalSection, CreateThread, CreateSemaphoreA, CreateMutexW, CreateMutexA, CreateFileMappingW, CreateFileMappingA, CreateFileW, CreateFileA, CreateEventW, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringW, CompareStringA, CloseHandle
> mpr.dll: WNetGetConnectionA, WNetCancelConnection2A, WNetAddConnection2A
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, TextOutA, StrokePath, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextJustification, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, PtInRegion, Polyline, Polygon, PlayEnhMetaFile, PatBlt, OffsetWindowOrgEx, OffsetRgn, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextExtentExPointA, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetNearestColor, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, FillPath, ExtTextOutA, ExcludeClipRect, EqualRgn, EndPath, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePatternBrush, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt, BeginPath
> user32.dll: CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, ValidateRect, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TabbedTextOutA, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageCallbackA, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterHotKey, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxW, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringW, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetTabbedTextExtentA, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPointEx, CheckMenuItem, CharUpperBuffW, CharLowerBuffW, CallWindowProcA, CallNextHookEx, BeginPaint, AttachThreadInput, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> ole32.dll: CreateStreamOnHGlobal, CoUninitialize, CoInitialize
> oleaut32.dll: GetErrorInfo, SysFreeString
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
> shell32.dll: Shell_NotifyIconA, ShellExecuteExA, ShellExecuteA, SHGetFileInfoA
> shell32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc
> comdlg32.dll: GetSaveFileNameA, GetOpenFileNameA
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
> wsock32.dll: WSAStartup, WSAGetLastError, gethostbyname, socket, shutdown, setsockopt, send, recv, inet_addr, htons, connect, closesocket
> advapi32.dll: GetKernelObjectSecurity
> advapi32.dll: OpenProcessToken
> ole32.dll: GetHGlobalFromStream, CreateStreamOnHGlobal
> comctl32.dll: ImageList_Write

C:\WINDOWS\system32\Prismsta.exe

Code:

ATTFilter

Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.8.21.0	2008.08.21	-
AntiVir	7.8.1.23	2008.08.21	-
Authentium	5.1.0.4	2008.08.22	-
Avast	4.8.1195.0	2008.08.21	-
AVG	8.0.0.161	2008.08.21	-
BitDefender	7.2	2008.08.22	-
CAT-QuickHeal	9.50	2008.08.21	-
ClamAV	0.93.1	2008.08.21	-
DrWeb	4.44.0.09170	2008.08.21	-
eSafe	7.0.17.0	2008.08.21	-
eTrust-Vet	31.6.6039	2008.08.21	-
Ewido	4.0	2008.08.21	-
F-Prot	4.4.4.56	2008.08.21	-
F-Secure	7.60.13501.0	2008.08.22	-
Fortinet	3.14.0.0	2008.08.21	-
GData	2.0.7306.1023	2008.08.20	-
Ikarus	T3.1.1.34.0	2008.08.22	-
K7AntiVirus	7.10.423	2008.08.21	-
Kaspersky	7.0.0.125	2008.08.22	-
McAfee	5367	2008.08.21	-
Microsoft	1.3807	2008.08.22	-
NOD32v2	3377	2008.08.22	-
Norman	5.80.02	2008.08.21	-
Panda	9.0.0.4	2008.08.21	-
PCTools	4.4.2.0	2008.08.21	-
Prevx1	V2	2008.08.22	-
Rising	20.58.32.00	2008.08.21	-
Sophos	4.32.0	2008.08.22	-
Sunbelt	3.1.1571.1	2008.08.22	-
Symantec	10	2008.08.22	-
TheHacker	6.3.0.6.058	2008.08.22	-
TrendMicro	8.700.0.1004	2008.08.21	-
VBA32	3.12.8.4	2008.08.21	-
ViRobot	2008.8.21.1344	2008.08.21	-
VirusBuster	4.5.11.0	2008.08.21	-
Webwasher-Gateway	6.6.2	2008.08.22	-
weitere Informationen
File size: 215552 bytes
MD5...: b380154c24746bcc362443d6bfdf8ec8
SHA1..: 43aa82270c3346383fda9e61b490b605e661b44d
SHA256: da1bed50f7b782011dd4d5b25e5a739d6a3c758926a9f2073f2a5758d1ee6ff6
SHA512: 6bb1ba86b2219ddde3b4dc03db90bbfb5b029ba6351aa5441c7233f4d6d2d3b2
57457d353fcfb9f14f2966642f751cccafc933b0eb512619e129947ff9c29c8a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x409a10
timedatestamp.....: 0x3f2ee438 (Mon Aug 04 22:54:48 2003)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1cec2 0x1d000 6.49 4c72673c2ddb4d60ea2078d5ee707abb
.rdata 0x1e000 0x6218 0x6400 4.11 6f247924f3e27e50da4e15ff93ac5a99
.data 0x25000 0x5d28 0x2a00 2.57 a501e1a85e909da11f792d6ea0ba3880
.idata 0x2b000 0x1bca 0x1c00 5.59 9f8c9f321f35d2c74ff54870cdbe01a7
.rsrc 0x2d000 0x3a30 0x3c00 4.05 96989128107a3d943b284e06f0982840
.reloc 0x31000 0x4af2 0x4c00 4.46 91d2231bfb82e204173d6bf69322764b

( 5 imports )
> PRISMIOC.dll: MacGetNamesEx, MacFreeNames, MacFindFirstMatchEx, MacOpen, MacIoctl, MacClose
> ADVAPI32.dll: RegEnumKeyExA, RegDeleteValueA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA
> KERNEL32.dll: GlobalAddAtomA, GlobalGetAtomNameA, SetErrorMode, IsBadCodePtr, IsBadWritePtr, IsBadReadPtr, LCMapStringW, GetModuleFileNameA, SetUnhandledExceptionFilter, GetStdHandle, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, HeapSize, GetOEMCP, GetACP, GetCPInfo, RaiseException, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind, GetFullPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetLocaleInfoA, GetLocaleInfoW, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetCurrentProcess, GetProcessVersion, SetLastError, WritePrivateProfileStringA, GlobalFlags, lstrcmpiA, MulDiv, lstrcpynA, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, lstrcatA, GlobalUnlock, GlobalFree, LockResource, FindResourceA, LoadResource, lstrlenA, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, GlobalLock, GlobalDeleteAtom, lstrcmpA, GetCurrentThread, GetCurrentThreadId, lstrcpyA, GetProcAddress, LoadLibraryA, CreateMutexA, ReleaseMutex, CloseHandle, FreeLibrary, WideCharToMultiByte, LocalAlloc, LocalLock, MultiByteToWideChar, GetLastError, LocalUnlock, LocalFree, GetVersion, LCMapStringA, SetStdHandle
> USER32.dll: TabbedTextOutA, DrawTextA, GrayStringA, GetSysColorBrush, SetRectEmpty, LoadAcceleratorsA, TranslateAcceleratorA, SetMenu, ReuseDDElParam, UnpackDDElParam, InvalidateRect, IsIconic, BringWindowToTop, PtInRect, GetClassNameA, ClientToScreen, WindowFromPoint, GetDesktopWindow, ReleaseCapture, LoadCursorA, LoadStringA, ShowWindow, SetWindowTextA, IsDialogMessageA, UpdateWindow, SendDlgItemMessageA, SystemParametersInfoA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, DeferWindowPos, GetClientRect, BeginDeferWindowPos, CopyRect, EndDeferWindowPos, ScreenToClient, GetTopWindow, GetCapture, WinHelpA, GetClassInfoA, RegisterClassA, GetMenuItemCount, GetMenu, TrackPopupMenu, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, SetPropA, GetLastActivePopup, GetForegroundWindow, GetPropA, RemovePropA, CallWindowProcA, GetMessageTime, GetMessagePos, GetWindow, GetWindowRect, SetWindowLongA, SetWindowPos, DestroyMenu, UnhookWindowsHookEx, EndDialog, SetActiveWindow, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetWindowLongA, ReleaseDC, GetDC, EqualRect, GetDlgItem, IsWindowEnabled, CharUpperA, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, SetWindowsHookExA, MessageBoxA, SetCursor, ShowOwnedPopups, PostQuitMessage, GetSystemMenu, GetParent, IsCharAlphaNumericA, IsCharAlphaA, PostMessageA, SetForegroundWindow, CreatePopupMenu, GetMenuState, GetMenuStringA, GetMenuItemID, AppendMenuA, GetAsyncKeyState, GetCursorPos, KillTimer, LoadIconA, LoadMenuA, GetSubMenu, CheckMenuRadioItem, LoadImageA, GetSystemMetrics, SetTimer, MessageBeep, EnableWindow, RegisterWindowMessageA, SendMessageA, wsprintfA, UnregisterClassA
> GDI32.dll: SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, SaveDC, GetDeviceCaps, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetStockObject, SelectObject, DeleteDC, DeleteObject, GetObjectA, SetBkColor, SetTextColor, CreateBitmap, RestoreDC

C:\Programme\Gemeinsame Dateien\Tray\ccexec.exe

Code:

ATTFilter

Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.8.21.0	2008.08.21	-
AntiVir	7.8.1.23	2008.08.21	-
Authentium	5.1.0.4	2008.08.22	-
Avast	4.8.1195.0	2008.08.21	-
AVG	8.0.0.161	2008.08.21	-
BitDefender	7.2	2008.08.22	-
CAT-QuickHeal	9.50	2008.08.21	-
ClamAV	0.93.1	2008.08.21	-
DrWeb	4.44.0.09170	2008.08.21	-
eSafe	7.0.17.0	2008.08.21	-
eTrust-Vet	31.6.6039	2008.08.21	-
Ewido	4.0	2008.08.21	-
F-Prot	4.4.4.56	2008.08.21	-
F-Secure	7.60.13501.0	2008.08.22	-
Fortinet	3.14.0.0	2008.08.21	-
GData	2.0.7306.1023	2008.08.20	-
Ikarus	T3.1.1.34.0	2008.08.22	-
K7AntiVirus	7.10.423	2008.08.21	-
Kaspersky	7.0.0.125	2008.08.22	-
McAfee	5367	2008.08.21	-
Microsoft	1.3807	2008.08.22	-
NOD32v2	3377	2008.08.22	-
Norman	5.80.02	2008.08.21	-
Panda	9.0.0.4	2008.08.21	Suspicious file
PCTools	4.4.2.0	2008.08.21	-
Prevx1	V2	2008.08.22	-
Rising	20.58.32.00	2008.08.21	-
Sophos	4.32.0	2008.08.22	-
Sunbelt	3.1.1571.1	2008.08.22	-
Symantec	10	2008.08.22	-
TheHacker	6.3.0.6.058	2008.08.22	-
TrendMicro	8.700.0.1004	2008.08.21	-
VBA32	3.12.8.4	2008.08.21	Signed-Trojan.Win32.Delf.bet
ViRobot	2008.8.21.1344	2008.08.21	-
VirusBuster	4.5.11.0	2008.08.21	-
Webwasher-Gateway	6.6.2	2008.08.22	-
weitere Informationen
File size: 129776 bytes
MD5...: 474b4357ff6e92998842249ef1cc463c
SHA1..: fa8d8a85e11bfcecdc7a9d5bb605fafe4dc393e2
SHA256: b4eab1096d964aea6c375472024ba947ac69d367a9b684980baf8bdbb49cab18
SHA512: 5d302fda5ee6f0b1b576db969cecaa134b74566a09e02582b9cbe1d3c45a398b
27958d45eb4ec3748a56f7a916b0c79b62cce544579ff095af56e2383bf77bfc
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x418d04
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x180c0 0x18200 6.48 10509c1d97552b75ea2ec0c229ce9e7d
DATA 0x1a000 0x9f4 0xa00 4.20 89588bdfb3d8e6ce80321a42fbb3f339
BSS 0x1b000 0xe99 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x1c000 0xe70 0x1000 4.54 1fb9a74e9f95850b0cf14479e6c9908e
.tls 0x1d000 0xc 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x1e000 0x18 0x200 0.20 80c266032337ffe7890581639628f9b7
.reloc 0x1f000 0x20b8 0x2200 6.61 68cf608f4af73c6a2af30cbbcc1538bd
.rsrc 0x22000 0x2000 0x2000 3.67 4e1088b49705f4581faebba7974cc483

( 15 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> kernel32.dll: WriteFile, WaitForSingleObject, VirtualQuery, SetFilePointer, SetEvent, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryA, GetVersionExA, GetThreadLocale, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCPInfo, GetACP, FreeLibrary, FormatMessageA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, SetTextColor, SetROP2, SetBkMode, SetBkColor, SelectPalette, SelectObject, MoveToEx, GetTextMetricsA, GetSystemPaletteEntries, GetStockObject, GetDeviceCaps, GetCurrentPositionEx, DeleteObject, DeleteDC, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateBrushIndirect
> user32.dll: ReleaseDC, MessageBoxA, LoadStringA, LoadIconA, GetSystemMetrics, GetSysColor, GetDC, CharNextA, CharLowerBuffA, CharUpperBuffA, CharToOemA
> ole32.dll: CoUninitialize, CoInitialize
> oleaut32.dll: GetErrorInfo, SysFreeString
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> shell32.dll: ShellExecuteA
> shell32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc

Mehr passt nicht im ersten Beitrag, weiter gehts gleich ^^

Rattlesnake8 · 22.08.2008, 07:02

C:\WINDOWS\system32\hayt.dll

Code:

ATTFilter

Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.8.21.0	2008.08.21	-
AntiVir	7.8.1.23	2008.08.21	-
Authentium	5.1.0.4	2008.08.22	W32/Adware-RegBHO-based.1!Maximus
Avast	4.8.1195.0	2008.08.21	-
AVG	8.0.0.161	2008.08.21	Generic11.MAA
BitDefender	7.2	2008.08.22	Trojan.BHO.OBV
CAT-QuickHeal	9.50	2008.08.21	-
ClamAV	0.93.1	2008.08.21	Trojan.BHO-3678
DrWeb	4.44.0.09170	2008.08.21	Trojan.Fakealert.1231
eSafe	7.0.17.0	2008.08.21	-
eTrust-Vet	31.6.6039	2008.08.21	-
Ewido	4.0	2008.08.21	-
F-Prot	4.4.4.56	2008.08.21	W32/Adware-RegBHO-based.1!Maximus
F-Secure	7.60.13501.0	2008.08.22	Trojan.Win32.BHO.gcr
Fortinet	3.14.0.0	2008.08.21	-
GData	2.0.7306.1023	2008.08.20	-
Ikarus	T3.1.1.34.0	2008.08.22	Virus.Trojan.Win32.BHO.gcr
K7AntiVirus	7.10.423	2008.08.21	-
Kaspersky	7.0.0.125	2008.08.22	Trojan.Win32.BHO.gcr
McAfee	5367	2008.08.21	-
Microsoft	1.3807	2008.08.22	TrojanDownloader:Win32/Renos.DG
NOD32v2	3377	2008.08.22	-
Norman	5.80.02	2008.08.21	-
Panda	9.0.0.4	2008.08.21	-
PCTools	4.4.2.0	2008.08.21	-
Prevx1	V2	2008.08.22	Fraudulent Security Program
Rising	20.58.32.00	2008.08.21	-
Sophos	4.32.0	2008.08.22	Mal/FakeVir-E
Sunbelt	3.1.1571.1	2008.08.22	-
Symantec	10	2008.08.22	Trojan.Fakeavalert
TheHacker	6.3.0.6.058	2008.08.22	-
TrendMicro	8.700.0.1004	2008.08.21	TROJ_ZLOB.EXT
VBA32	3.12.8.4	2008.08.21	-
ViRobot	2008.8.21.1344	2008.08.21	-
VirusBuster	4.5.11.0	2008.08.21	-
Webwasher-Gateway	6.6.2	2008.08.22	-
weitere Informationen
File size: 61440 bytes
MD5...: 2df5b80088ffa762d9d46c6beea3a1da
SHA1..: 80ec420498c1aa6178167a8be2441cec446fca4c
SHA256: 69f3be568ee115aea2c4b0306a62ec4b2b934d1d7cc7396ec84e456f5acdd943
SHA512: 9af6eebcd2dd149471615d1524a79fe7b69de9846b55d0b862431d9b3052b5a7
c325fa855e73b0d7404383987e218c7e0a34a9711a917ce15cb556b08b519d94
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10007f6d
timedatestamp.....: 0x48ac3e6a (Wed Aug 20 15:55:22 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7010 0x8000 5.35 52690ff1b22c968ee6dcd0a3a063189d
.rdata 0x9000 0xa83 0x1000 4.20 b4ee39e9eb25ede17d4624648c379b96
.data 0xa000 0xe1488 0x1000 0.95 eb4ffff0f726cc05638d76c1028adc97
.rsrc 0xec000 0x21f0 0x3000 2.19 551f1a960de3f219f1fd477766b42fad
.reloc 0xef000 0xdcc 0x1000 2.57 71149a6161c4446c2f1bb4e40e3c4281

( 7 imports )
> KERNEL32.dll: lstrlenW, WideCharToMultiByte, GetModuleFileNameA, DisableThreadLibraryCalls, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, lstrcpyA, InterlockedDecrement, HeapDestroy, lstrlenA, GetShortPathNameA, FreeLibrary, GetProcAddress, LoadLibraryA, lstrcatA, MultiByteToWideChar, CloseHandle, InterlockedIncrement, GetStdHandle
> USER32.dll: CharNextA, MessageBoxA
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> SHELL32.dll: ShellExecuteA
> ole32.dll: CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _adjust_fdiv, _initterm, _stricmp, free, memcmp, _purecall, memcpy, malloc, strcat, rand, strstr, __2@YAPAXI@Z, __3@YAXPAX@Z, strcpy, strlen

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=79C67EC2004B4BE8F07F001C5AADB200ED5C1CBB

MBR Tool Auswertung:

Code:

ATTFilter

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Blacklight Logfile:

Code:

ATTFilter

08/22/08 04:52:38 [Info]: BlackLight Engine 1.0.70 initialized
08/22/08 04:52:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/22/08 04:52:38 [Note]: 7019 4
08/22/08 04:52:38 [Note]: 7005 0
08/22/08 04:52:41 [Note]: 7006 0
08/22/08 04:52:41 [Note]: 7011 1912
08/22/08 04:52:41 [Note]: 7035 0
08/22/08 04:52:41 [Note]: 7026 0
08/22/08 04:52:41 [Note]: 7026 0
08/22/08 04:52:46 [Note]: FSRAW library version 1.7.1024
08/22/08 05:04:49 [Note]: 7007 0

Malewarebytes Antimaleware Auswertung:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1076
Windows 5.1.2600 Service Pack 2

07:23:57 22.08.2008
mbam-log-08-22-2008 (07-23-43).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)
Durchsuchte Objekte: 226152
Laufzeit: 2 hour(s), 12 minute(s), 15 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\hayt.dll (Trojan.FakeAlert) -> No action taken.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\ains (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{049652c3-55ae-4a6e-84ce-0c5b733e8f82} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{c1d4354e-c81a-4c16-9c41-d6fb49aa31a8} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f73dbd9e-5f1b-4bca-8604-a911dce08b37} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f73dbd9e-5f1b-4bca-8604-a911dce08b37} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\hayt.dll (Trojan.FakeAlert) -> No action taken.

So das war erstmal alles !!!

cosinus · 22.08.2008, 09:22

Wenn Combofix nicht funktioniert, dann mach mal bitte nen Durchlauf mit Silentrunners (siehe Signatur).

Das Filelisting ist doch ganz einfach. Speicher einfach mein Script aufm Desktop ab, dann führst Du es mit nem Doppelklick aus. Es erscheint dann die filelisting.txt die Du dann (gezippt) hochlädst.

Das MBR- und Blacklight_Log ist schonmal ok.

Rattlesnake8 · 22.08.2008, 10:23

Code:

ATTFilter

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"CCWinTray" = "C:\WINDOWS\Tray\wintmr.exe" ["Salfeld Computer"]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"ChicoSys" = "C:\WINDOWS\system32\cc32\webtmr.exe" ["Salfeld Computer"]
"Easy-PrintToolBox" = "C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Nero AG"]
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AppleSyncNotifier" = "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""D:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"Dit" = "Dit.exe" [null data]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"
  -> {HKLM...CLSID} = "XTTBPos00 Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                   \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{F73DBD9E-5F1B-4BCA-8604-A911DCE08B37}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IE Shop"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hayt.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
  -> {HKLM...CLSID} = "SmartFTP FavoritesShellFolder Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
  -> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
  -> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
                   \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{EB5EE1F3-041A-4c03-9D51-2BEC6715FB00}" = "SmartFTP Search Shell Namespace Extension"
  -> {HKLM...CLSID} = "ShellFolderSearchRoot Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{A68961C7-3B1B-4845-97A8-1A11ED4F7866}" = "SmartFTP Search Shell Namespace Extension"
  -> {HKLM...CLSID} = "ShellFolderSearch Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{2ED7FD81-CBA6-45E5-A49A-5E84889A94E2}" = "SmartFTP Drop Handler"
  -> {HKLM...CLSID} = "ShellFolderDragDropHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{82AA9188-44E0-40B9-B956-43A10C315B4F}" = "SmartFTP Shell Namespace Extension"
  -> {HKLM...CLSID} = "RootShellFolder Class"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "D:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWA	RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\Programme\Gemeinsame Dateien\Tray\ccexec.exe" [MS], [file not found], [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) dword:0x00000000
{Don't save settings at exit}

"NoRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFind" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableClock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{Prevent access to registry editing tools}

"NoDispCPL" = (REG_DWORD) dword:0x00000000
{Remove Display in Control Panel}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Fabian\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Programme\Gemeinsame Dateien\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MSVideoCameraArrival\
"Provider" = "@C:\Programme\Movie Maker\1031\wmm2res.dll,-100"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Movie Maker\moviemk.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9-Reihe"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Windows Media-Komponenten\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {HKLM...CLSID} = "Easy-WebPrint"
                   \InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [null data]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{82DEF876-14E4-4CE5-9CA4-DE79A2EE46D2}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                   \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Rattlesnake8 · 22.08.2008, 10:24

Hier der Rest:

Code:

ATTFilter

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows-CCHook-Service, Windows-CCHook-Service, "C:\WINDOWS\system32\cchservice.exe" ["Salfeld Computer"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-08-22 11:08:49)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 223 seconds.
---------- (total run time: 305 seconds)

Und dein Script:

http://www.file-upload.net/download-1059672/listing.txt.html

Hoffe hab alles richtig gemacht...

cosinus · 22.08.2008, 15:23

Du benutzt nicht zufällig irgendwelche Crackz und Warez?

Hab da ein paar Dateien im Prefetch-Ordner von Windows gesehen, die auf sowas hindeuten könnten...
Bearshare hast/hattest Du installiert? Davon kann ich nur abraten, das Programm selbst kam mal mit Spyware daher und was Du Dir davon laden kannst ist meist verseucht oder illegal.

Löschn wir noch ein paar Objekte:

Lade dir das Tool Avenger und speichere es auf dem Desktop:[/b]

Doppelklick auf das Avenger-Symbol

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

ATTFilter

files to delete:
C:\WINDOWS\system32\hayt.dll

registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F73DBD9E-5F1B-4BCA-8604-A911DCE08B37}

folders to delete:
C:\WINDOWS\NV6201172.TMP
C:\WINDOWS\NV6161144.TMP

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Rattlesnake8 · 22.08.2008, 16:52

Code:

ATTFilter

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\hayt.dll" deleted successfully.
Folder "C:\WINDOWS\NV6201172.TMP" deleted successfully.
Folder "C:\WINDOWS\NV6161144.TMP" deleted successfully.

Warning:  HKLM\Software did not load within MAX_WAIT_ITERATIONS


Error:  registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F73DBD9E-5F1B-4BCA-8604-A911DCE08B37}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F73DBD9E-5F1B-4BCA-8604-A911DCE08B37}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

Nachdem ich dieses programm ausgeführt hab und dem anschließenden Neustart kam folgende Fehlermeldung:

http://www.file-upload.net/view-1060457/Problem.JPG.html

cosinus · 22.08.2008, 17:09

Taucht der Fehler jetzt bei jedem Start auf?

Rattlesnake8 · 22.08.2008, 17:25

Hab nochma neugestartet, jetzt kommt der Fehler nicht mehr

Rattlesnake8 · 22.08.2008, 19:19

Ich merke gerade, dass der Fehler behoben ist. klappt wieder alles wie ich mir das vorstelle.
Hast du sonst noch was gefunden was meinem PC schadet?
Vielen Dank schonmal !!!

cosinus · 23.08.2008, 13:00

Ich hab soweit nichts mehr gesehen, auch wenn der PC nun normal zu sein scheint, solltest Du die Augen offen halten.

22.08.2008, 17:09	#10
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Virus Fehler beim Öffnen eines Ordners !!! Taucht der Fehler jetzt bei jedem Start auf? __________________ Logfiles bitte immer in CODE-Tags posten

23.08.2008, 13:00	#13
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Virus Fehler beim Öffnen eines Ordners !!! Ich hab soweit nichts mehr gesehen, auch wenn der PC nun normal zu sein scheint, solltest Du die Augen offen halten. __________________ Logfiles bitte immer in CODE-Tags posten

Virus Fehler beim Öffnen eines Ordners !!!

Log-Analyse und Auswertung: Virus Fehler beim Öffnen eines Ordners !!!