Log Analysis and Evaluation: Unknown Autostart (Windows 7). If you have picked up a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#2
Unknown Autostart

Good morning and a happy new year,
I ran the exe in question through Anubis. Maybe someone can make something of it:

Code:
[#############################################################################]
Analysis Report for c88c64609de58fa3d8637c4866c7c6bb
MD5: c88c64609de58fa3d8637c4866c7c6bb
[#############################################################################]

Summary:
 - Performs Registry Activities:
   The executable reads and modifies registry values. It also creates and monitors registry keys.

[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- c88c64609d.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities

[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 240 s
Report created: 12/23/10, 22:52:16 UTC
Termination reason: Timeout
Program version: 1.74.3195

[#############################################################################]
2. c88c64609d.exe
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: c88c64609d.exe
MD5: c88c64609de58fa3d8637c4866c7c6bb
SHA-1: b1484070813fe2910385ab92167199d5784ea3ef
File Size: 709456 Bytes
Command Line: "C:\c88c64609d.exe"
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\user32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\oleaut32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\mpr.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\version.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\uxtheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]

[=============================================================================]
2.a) c88c64609d.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Monitored Registry Keys:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time

[=============================================================================]
2.b) c88c64609d.exe - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\c88c64609d.exe ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\netmsg.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\uxtheme.dll ]

[=============================================================================]
2.c) c88c64609d.exe - Other Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]
Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xeedface at 0x7c812aeb ], 1 time

[#############################################################################]
International Secure Systems Lab    http://www.iseclab.org
Vienna University of Technology     http://www.tuwien.ac.at
Eurecom France                      http://www.eurecom.fr
UC Santa Barbara                    http://www.cs.ucsb.edu
Contact: anubis@iseclab.org