Regdll.exe/3SF1g.exe - Befall mit Generic.Bot.H

Cryptomaniac · 06.03.2010, 22:03

Hallo,
ich habe ein großes Problem:
als ich heute am Pc war meldete TrendMicro Antivirus 2010 plötzlich, dass eine Datei namens regdll.exe die sich im Temp-Ordner befindet einen neuen Autostart-Eintrag anlegen möchte.
Ich habe natürlich auf "Verweigern" geklickt und mal die Datei mal bei Virustotal.com hochgeladen:

h**p://www.virustotal.com/de/analisis/58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f-1267903531

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.03.06 Trojan.Win32.Kreeper!IK
AhnLab-V3 5.0.0.2 2010.03.06 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 W32/VBTrojan.Dropper.4!Maximus
Avast 4.8.1351.0 2010.03.06 -
Avast5 5.0.332.0 2010.03.06 -
AVG 9.0.0.787 2010.03.06 Dropper.Generic.BTHO
BitDefender 7.2 2010.03.06 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.06 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 W32/VBTrojan.Dropper.4!Maximus
F-Secure 9.0.15370.0 2010.03.06 -
Fortinet 4.0.14.0 2010.03.06 -
GData 19 2010.03.06 -
Ikarus T3.1.1.80.0 2010.03.06 Trojan.Win32.Kreeper
Jiangmin 13.0.900 2010.03.06 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.06 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 -
McAfee-GW-Edition 6.8.5 2010.03.06 -
Microsoft 1.5502 2010.03.06 VirTool:Win32/VBInject.DD
NOD32 4921 2010.03.06 -
Norman 6.04.08 2010.03.06 -
nProtect 2009.1.8.0 2010.03.06 -
Panda 10.0.2.2 2010.03.06 -
PCTools 7.0.3.5 2010.03.04 -
Prevx 3.0 2010.03.06 -
Rising 22.37.05.03 2010.03.06 -
Sophos 4.51.0 2010.03.06 Mal/VBDrop-I
Sunbelt 5772 2010.03.06 -
Symantec 20091.2.0.41 2010.03.06 -
TheHacker 6.5.1.9.222 2010.03.06 -
TrendMicro 9.120.0.1004 2010.03.06 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.05 -
weitere Informationen
File size: 172032 bytes
MD5...: f38cc43f1fa758ed93879bc25ef2c5e8
SHA1..: d3819cc0bd32dffa1eb702df8ea59f04dc250167
SHA256: 58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f
ssdeep: 3072:AT2SZwHMwgWI3MR38Y9Nao4xZYAXu9gYw3l56bx3EQGq1sMZg1I8O:UDMuQ
a17YAXua3l56bREQeMSI8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1130
timedatestamp.....: 0x4b58c1df (Thu Jan 21 21:06:39 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e2f4 0x1f000 4.95 dc788d3350fd631a9a4e0e2315c1bf02
.data 0x20000 0x970 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x21000 0x9978 0xa000 7.79 1d28d9d835037dc2c527771c9d1b7de8

( 1 imports )
> MSVBVM60.DLL: -, -, -, -, MethCallEngine, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, ProcCallEngine, -, -, -, -, -, -, -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: aPvqrpufYfJ
copyright....: BHDPhi
product......: uthSuQdrZq
description..: ENlSwLsy
original name: FmYwhm.exe
internal name: FmYwhm
file version.: 3.11.0066
comments.....: Vmqsk
signers......: -
signing date.: -
verified.....: Unsigned

Dann habe ich einmal Malwarebytes laufen lassen:

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3830
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06.03.2010 21:50:26
mbam-log-2010-03-06 (21-50-19).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 189597
Laufzeit: 57 minute(s), 37 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{kljaht1a-zs3e-9ajq-nzmh-kvnoy3n5ggsd} (Generic.Bot.H) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Users\Philip\AppData\Local\Temp\3SF1g.exe (Generic.Bot.H) -> No action taken.

und anschließend noch HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:24, on 06.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\7-Zip\7zFM.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\helppane.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Bonus.SSR.FR10] "C:\Program Files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" /autorun
O4 - HKLM\..\Run: [RCx0Z70RrY2] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Philip\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [dgdfgsdeg] C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe
O4 - HKCU\..\Run: [Wc8bJKYwn] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7727 bytes

Dabei ließ mich der Eintrag:
O4 - HKCU\..\Run: [Wc8bJKYwn] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe
stutzig werden und ich habe die Datei 3SF1g.exe auch bei Virustotal hochgeladen:

h**p://www.virustotal.com/de/analisis/58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f-1267908529

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.5.0.50 2010.03.06 Trojan.Win32.Kreeper!IK
AhnLab-V3 5.0.0.2 2010.03.06 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 W32/VBTrojan.Dropper.4!Maximus
Avast 4.8.1351.0 2010.03.06 -
Avast5 5.0.332.0 2010.03.06 -
AVG 9.0.0.787 2010.03.06 Dropper.Generic.BTHO
BitDefender 7.2 2010.03.06 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.06 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 W32/VBTrojan.Dropper.4!Maximus
F-Secure 9.0.15370.0 2010.03.06 -
Fortinet 4.0.14.0 2010.03.06 -
GData 19 2010.03.06 -
Ikarus T3.1.1.80.0 2010.03.06 Trojan.Win32.Kreeper
Jiangmin 13.0.900 2010.03.06 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.06 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 Artemis!F38CC43F1FA7
Microsoft 1.5502 2010.03.06 VirTool:Win32/VBInject.DD
NOD32 4921 2010.03.06 -
Norman 6.04.08 2010.03.06 -
nProtect 2009.1.8.0 2010.03.06 -
Panda 10.0.2.2 2010.03.06 Suspicious file
PCTools 7.0.3.5 2010.03.04 -
Rising 22.37.05.03 2010.03.06 -
Sophos 4.51.0 2010.03.06 Mal/VBDrop-I
Sunbelt 5772 2010.03.06 -
Symantec 20091.2.0.41 2010.03.06 -
TheHacker 6.5.1.9.223 2010.03.06 -
TrendMicro 9.120.0.1004 2010.03.06 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
weitere Informationen
File size: 172032 bytes
MD5...: f38cc43f1fa758ed93879bc25ef2c5e8
SHA1..: d3819cc0bd32dffa1eb702df8ea59f04dc250167
SHA256: 58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f
ssdeep: 3072:AT2SZwHMwgWI3MR38Y9Nao4xZYAXu9gYw3l56bx3EQGq1sMZg1I8O:UDMuQ
a17YAXua3l56bREQeMSI8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1130
timedatestamp.....: 0x4b58c1df (Thu Jan 21 21:06:39 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e2f4 0x1f000 4.95 dc788d3350fd631a9a4e0e2315c1bf02
.data 0x20000 0x970 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x21000 0x9978 0xa000 7.79 1d28d9d835037dc2c527771c9d1b7de8

( 1 imports )
> MSVBVM60.DLL: -, -, -, -, MethCallEngine, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, ProcCallEngine, -, -, -, -, -, -, -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: aPvqrpufYfJ
copyright....: BHDPhi
product......: uthSuQdrZq
description..: ENlSwLsy
original name: FmYwhm.exe
internal name: FmYwhm
file version.: 3.11.0066
comments.....: Vmqsk
signers......: -
signing date.: -
verified.....: Unsigned

Auch den Eintrag
O4 - HKCU\..\Run: [dgdfgsdeg] C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe
habe ich bei Virustotal überprüft:

h**p://www.virustotal.com/de/analisis/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2-1267909183

a-squared 4.5.0.50 2010.03.06 -
AhnLab-V3 5.0.0.2 2010.03.06 -
AntiVir 8.2.1.180 2010.03.05 -
Antiy-AVL 2.0.3.7 2010.03.05 -
Authentium 5.2.0.5 2010.03.06 -
Avast 4.8.1351.0 2010.03.06 -
Avast5 5.0.332.0 2010.03.06 -
AVG 9.0.0.787 2010.03.06 -
BitDefender 7.2 2010.03.06 -
CAT-QuickHeal 10.00 2010.03.06 -
ClamAV 0.96.0.0-git 2010.03.06 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.06 -
eSafe 7.0.17.0 2010.03.04 Win32.TrojanHorse
eTrust-Vet 35.2.7342 2010.03.05 -
F-Prot 4.5.1.85 2010.03.06 -
F-Secure 9.0.15370.0 2010.03.06 -
Fortinet 4.0.14.0 2010.03.06 -
GData 19 2010.03.06 -
Ikarus T3.1.1.80.0 2010.03.06 -
Jiangmin 13.0.900 2010.03.06 -
K7AntiVirus 7.10.990 2010.03.04 -
Kaspersky 7.0.0.125 2010.03.06 -
McAfee 5912 2010.03.06 -
McAfee+Artemis 5912 2010.03.06 -
McAfee-GW-Edition 6.8.5 2010.03.06 -
Microsoft 1.5502 2010.03.06 -
NOD32 4921 2010.03.06 -
Norman 6.04.08 2010.03.06 -
nProtect 2009.1.8.0 2010.03.06 -
Panda 10.0.2.2 2010.03.06 -
PCTools 7.0.3.5 2010.03.04 -
Prevx 3.0 2010.03.06 -
Rising 22.37.05.03 2010.03.06 -
Sophos 4.51.0 2010.03.06 -
Sunbelt 5772 2010.03.06 -
Symantec 20091.2.0.41 2010.03.06 -
TheHacker 6.5.1.9.223 2010.03.06 -
TrendMicro 9.120.0.1004 2010.03.06 -
VBA32 3.12.12.2 2010.03.05 -
ViRobot 2010.3.5.2214 2010.03.05 -
VirusBuster 5.0.27.0 2010.03.06 -
weitere Informationen
File size: 20992 bytes
MD5...: 54a47f6b5e09a77e61649109c6a08866
SHA1..: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
ssdeep: 384:eipYzV8555BUcKaJEEyKxC0exYQ1k3KFUOLg2JfvaW9C5bW9odW:3peIszaq
EyKxCtxJk6FbXaw
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2104
timedatestamp.....: 0x4a5bc100 (Mon Jul 13 23:19:28 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x39dc 0x3a00 6.29 2eb5bad67734deb71cf023259153ef53
.data 0x5000 0x5a8 0x600 0.81 bdd64867dcbd8117aac049606aa40456
.rsrc 0x6000 0x810 0xa00 3.76 66f21324fc812e3bf717c9aae7a151ee
.reloc 0x7000 0x3cc 0x400 6.40 7d35466317c0fe1186bb026254385afe

( 8 imports )
> msvcrt.dll: __wgetmainargs, _exit, _XcptFilter, exit, _initterm, _amsg_exit, __setusermatherr, memcpy, _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _cexit
> API_MS_Win_Core_ProcessThreads_L1_1_0.dll: TerminateProcess, GetCurrentProcess, OpenProcessToken, GetCurrentProcessId, GetCurrentThreadId
> KERNEL32.dll: LocalAlloc, CloseHandle, DelayLoadFailureHook, GetProcAddress, GetLastError, FreeLibrary, InterlockedCompareExchange, LoadLibraryExA, InterlockedExchange, Sleep, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, UnhandledExceptionFilter, DeactivateActCtx, LoadLibraryExW, ActivateActCtx, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, RegCloseKey, RegOpenKeyExW, HeapSetInformation, lstrcmpiW, lstrlenW, LCMapStringW, RegQueryValueExW, ReleaseActCtx, CreateActCtxW, ExpandEnvironmentStringsW, GetCommandLineW, ExitProcess, SetProcessAffinityUpdateMode, RegDisablePredefinedCacheEx, InitializeCriticalSection, GetProcessHeap, SetErrorMode, RegisterWaitForSingleObjectEx, LocalFree, HeapFree, WideCharToMultiByte, HeapAlloc
> ntdll.dll: RtlAllocateHeap, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlInitializeSid, RtlCopySid, RtlSubAuthorityCountSid, RtlInitializeCriticalSection, RtlSetProcessIsCritical, RtlImageNtHeader, RtlUnhandledExceptionFilter, EtwEventWrite, EtwEventEnabled, EtwEventRegister, RtlFreeHeap
> API_MS_Win_Security_Base_L1_1_0.dll: SetSecurityDescriptorDacl, AddAccessAllowedAce, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetTokenInformation, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl
> API_MS_WIN_Service_Core_L1_1_0.dll: StartServiceCtrlDispatcherW, SetServiceStatus
> API_MS_WIN_Service_winsvc_L1_1_0.dll: RegisterServiceCtrlHandlerW
> RPCRT4.dll: RpcMgmtSetServerStackSize, I_RpcMapWin32Status, RpcServerUnregisterIf, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIfEx, RpcServerRegisterIf, RpcServerUseProtseqEpW, RpcServerListen

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Host Process for Windows Services
original name: svchost.exe
internal name: svchost.exe
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Betriebssystem ist Windows 7 Final

Bitte helft mir!
Euer
Cryptomaniac

Cryptomaniac · 07.03.2010, 20:22

Keiner ne Ahnung?

TXL · 07.03.2010, 20:28

Bitte mal RSIT anwenden.
Die beiden Logfiles dann hier posten.

mfg.TXL

Regdll.exe/3SF1g.exe - Befall mit Generic.Bot.H

Plagegeister aller Art und deren Bekämpfung: Regdll.exe/3SF1g.exe - Befall mit Generic.Bot.H