Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Trojaner: DLoader (https://www.trojaner-board.de/54621-trojaner-dloader.html)

nlo 24.06.2008 10:01
Trojaner: DLoader
 
Hallo
Auf meinen Rechner findet Norman einen Trojaner Dloader.HPYA, den Norman aber auch mit dem Malware-Programm nicht entfernen kann (auch nicht im abgesicherten Modus). Der Trojaner liegt in der Datei winnt32.dll. Diese habe ich schon gelöscht, bringt aber nichts. Beim Neustart wird sie neuerstellt und von Norman gleich wieder als mit dem Trojaner infiziert gemeldet.
Das Betriebssystem ist XP Professional, SP3, die Systemwiederherstellung ist deaktiviert.
Ich poste nun zum ersten Mal ein Log und hoffe, dass es klappt und mir jemand helfen kann!

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:37, on 24.06.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\LogMeIn\x86\RaMaint.exe
C:\Programme\LogMeIn\x86\LogMeIn.exe
C:\Programme\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\IBM\Messages By IBM\ibmmessages.exe
C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programme\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programme\LogMeIn\x86\LogMeInSystray.exe
C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Programme\Brother\ControlCenter2\brctrcen.exe
C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programme\LogMeIn\x86\LMIGuardian.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Logitech\SetPoint\KEM.exe
C:\Programme\PC Connectivity Solution\ServiceLayer.exe
C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programme\Cisco Systems\VPN Client\vpngui.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Logitech\SetPoint\KHALMNPR.EXE
C:\Programme\Tools\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Programme\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [frymxins] "C:\Programme\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Programme\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [Client Access Service] "C:\Programme\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programme\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programme\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programme\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Programme\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Programme\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Glock Suite 1.1] C:\WINDOWS\system32\glock32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programme\IBM\Messages By IBM\ibmmessages.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138718250864
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138722025913
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stark.loc
O17 - HKLM\Software\..\Telephony: DomainName = stark.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stark.loc
O20 - Winlogon Notify: ilkqpaf - C:\WINDOWS\SYSTEM32\ilkqpaf.dll
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O20 - Winlogon Notify: WinNt64 - C:\WINDOWS\SYSTEM32\WinNt64.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - D:\INSTAL~8.EXE (file missing)
O23 - Service: Ablagemappe ClipSrv NJeeves (ClipSrv NJeeves) - Unknown owner - C:\WINDOWS\
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access für Windows - Ferner Befehl (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: Kompatibilität für schnelle Benutzerumschaltung FastUserSwitchingCompatibilityTlntSvr (FastUserSwitchingCompatibilityTlntSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Programme\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Programme\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Telnet TlntSvrLMIMaint (TlntSvrLMIMaint) - Unknown owner - C:\WINDOWS\
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 11690 bytes

Lucky 24.06.2008 10:09
Lass bitte einmal Malwarebytes Antivirus und Combofix über das System laufen.

O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O20 - Winlogon Notify: ilkqpaf - C:\WINDOWS\SYSTEM32\ilkqpaf.dll
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O20 - Winlogon Notify: WinNt64 - C:\WINDOWS\SYSTEM32\WinNt64.dll

Lade diese Dateien bitte einmal bei Virustotal hoch und poste das Ergebnis hier.
Hast du dir LogMeIn installiert?

nlo 24.06.2008 13:07
Danke für die sehr schnelle Antwort!

Malwarebytes habe ich installiert und das Antivirus laufen lassen (Combofix sagt mir leider nichts). Malwarebytes hat sechs Dateien in Quarantäne gestellt, welche ich dann auch löschen konnte. Ein erneuter Scan mit Malwarebytes verlief positiv.

Ja, Logmein habe ich auf dem Notebook installiert.

Die Ergebnisse der genannten Dateien poste ich hier mal, wobei nicht mehr alle Dateien auf dem Rechner waren.

Code:
Datei WinNt64.dll empfangen 2008.06.24 13:54:06 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        Win-Trojan/Agent.13312.GR
AntiVir        7.8.0.59        2008.06.24        TR/Dldr.Mutant.agn
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        Win32:Trojan-gen {Other}
AVG        7.5.0.516        2008.06.24        -
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        TrojanDownloader.Mutant.aer
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        Trojan.DownLoader.63655
eSafe        7.0.17.0        2008.06.24        Win32.Mutant.agn
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        Trojan-Downloader.Win32.Mutant.agn
Fortinet        3.14.0.0        2008.06.24        W32/Mutant.AGN!tr.dldr
GData        2.0.7306.1023        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
Ikarus        T3.1.1.26.0        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
Kaspersky        7.0.0.125        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
McAfee        5323        2008.06.23        -
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        -
Prevx1        V2        2008.06.24        Cloaked Malware
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        Mal/Generic-A
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        Trojan/Downloader.Mutant.agn
TrendMicro        8.700.0.1004        2008.06.24        TROJ_CUTWAIL.BQ
VBA32        3.12.6.8        2008.06.23        Trojan-Downloader.Win32.Mutant.afa
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        Trojan.Dldr.Mutant.agn
weitere Informationen
File size: 13312 bytes
MD5...: 9f4a7f1c9a07192bd4d49e74cbd9a8d9
SHA1..: 4a946942fe65a8217201796dd6a3b91c8edbf521
SHA256: 1d1cd20354df3c4c616e2a7c2f408509fcb18e910ecbd7bea28a2669e7154f5d
SHA512: 85d8f8da66f540cdd217fff681f11ac785eb036d28132dbebcdceb4224bad5ae<br>3ee7176abc72d4070d962a13d5268102b32900414fc3bce1b37a79c944fd23c2
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x401010<br>timedatestamp.....: 0x3b7d83c1 (Fri Aug 17 20:51:13 2001)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x1c4 0x200 5.36 0fc5d39997f2a722b1c9a4ba27a91722<br>.rsrc 0x2000 0x2b0c 0x2c00 7.95 cb3401a0173f88fa3817980a1cb677b9<br>.reloc 0x5000 0x24 0x200 0.23 879078394af20d7e7462a1ca3727c9cc<br><br>( 1 imports ) <br>&gt; KERNEL32.dll: RequestDeviceWakeup, VirtualProtect, GetSystemTimeAsFileTime<br><br>( 0 exports ) <br>
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=15FF75EE0089F968344000781612AC007F612118

Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        Win-Trojan/Agent.13312.GR
AntiVir        7.8.0.59        2008.06.24        TR/Dldr.Mutant.agn
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        Win32:Trojan-gen {Other}
AVG        7.5.0.516        2008.06.24        -
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        TrojanDownloader.Mutant.aer
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        Trojan.DownLoader.63655
eSafe        7.0.17.0        2008.06.24        Win32.Mutant.agn
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        Trojan-Downloader.Win32.Mutant.agn
Fortinet        3.14.0.0        2008.06.24        W32/Mutant.AGN!tr.dldr
GData        2.0.7306.1023        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
Ikarus        T3.1.1.26.0        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
Kaspersky        7.0.0.125        2008.06.24        Trojan-Downloader.Win32.Mutant.agn
McAfee        5323        2008.06.23        -
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        -
Prevx1        V2        2008.06.24        Cloaked Malware
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        Mal/Generic-A
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        Trojan/Downloader.Mutant.agn
TrendMicro        8.700.0.1004        2008.06.24        TROJ_CUTWAIL.BQ
VBA32        3.12.6.8        2008.06.23        Trojan-Downloader.Win32.Mutant.afa
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        Trojan.Dldr.Mutant.agn

weitere Informationen
File size: 13312 bytes
MD5...: 9f4a7f1c9a07192bd4d49e74cbd9a8d9
SHA1..: 4a946942fe65a8217201796dd6a3b91c8edbf521
SHA256: 1d1cd20354df3c4c616e2a7c2f408509fcb18e910ecbd7bea28a2669e7154f5d
SHA512: 85d8f8da66f540cdd217fff681f11ac785eb036d28132dbebcdceb4224bad5ae<br>3ee7176abc72d4070d962a13d5268102b32900414fc3bce1b37a79c944fd23c2
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x401010<br>timedatestamp.....: 0x3b7d83c1 (Fri Aug 17 20:51:13 2001)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name        viradd    virsiz  rawdsiz  ntrpy  md5<br>.text      0x1000    0x1c4    0x200  5.36  0fc5d39997f2a722b1c9a4ba27a91722<br>.rsrc      0x2000    0x2b0c    0x2c00  7.95  cb3401a0173f88fa3817980a1cb677b9<br>.reloc      0x5000      0x24    0x200  0.23  879078394af20d7e7462a1ca3727c9cc<br><br>( 1 imports )  <br>&gt; KERNEL32.dll: RequestDeviceWakeup, VirtualProtect, GetSystemTimeAsFileTime<br><br>( 0 exports ) <br>
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=15FF75EE0089F968344000781612AC007F612118
Code:
Datei ilkqpaf.dll empfangen 2008.06.24 13:50:27 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        Win-Trojan/Pakes.21504.G
AntiVir        7.8.0.59        2008.06.24        TR/Pakes.czu
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        Win32:Rootkit-gen
AVG        7.5.0.516        2008.06.24        Generic10.AFHM
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        Trojan.Pakes.czu
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        Trojan.Inject.3435
eSafe        7.0.17.0        2008.06.24        -
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        Trojan.Win32.Pakes.czu
Fortinet        3.14.0.0        2008.06.24        Cutwail!tr
GData        2.0.7306.1023        2008.06.24        Trojan.Win32.Pakes.czu
Ikarus        T3.1.1.26.0        2008.06.24        Trojan.Pakes.czu
Kaspersky        7.0.0.125        2008.06.24        Trojan.Win32.Pakes.czu
McAfee        5323        2008.06.23        Cutwail.dll
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        Bck/Spambot.P
Prevx1        V2        2008.06.24        Fraudulent Security Program
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        -
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        -
TrendMicro        8.700.0.1004        2008.06.24        TROJ_PAKES.GQ
VBA32        3.12.6.8        2008.06.23        -
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        Trojan.Pakes.czu
weitere Informationen
File size: 21504 bytes
MD5...: 3002270ed0c11cc15d7b2b1c778d3533
SHA1..: 0f99366caa329166ccc8af5fede072cbc10fc62b
SHA256: 2850bbf76c9777dfe197efb09ea580ff5a56305ba192f353097378dbf4e557e8
SHA512: 84423a9e501b3f4d9ffe8f80fabb9c71723e9efd9d73affa362d1443e77c946b<br>332849c7840bc810a6053eb9a93e4bed1f41c4286ef20d514005cb9092fd7cf4
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x10001000<br>timedatestamp.....: 0x48236f1b (Thu May 08 21:22:35 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 6 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x640 0x800 6.28 a66eacd154500023dea6db5715792554<br>.data 0x2000 0x3e20 0x4000 7.79 ce5399e24ae2fdd92fb5bf77952d7b96<br>.rdata 0x6000 0x20 0x200 0.38 f61e8a45bd05f62b656a6b480c765a07<br>.edata 0x7000 0x5e 0x200 0.98 335c9756ab2fe52ee6cf70e97150c263<br>.idata 0x8000 0x19c 0x200 3.54 53689154421d9c9347080be905689fe7<br>.reloc 0x9000 0x34 0x200 0.80 0fabcbeb55b91a1a021bb287bbc474ca<br><br>( 1 imports ) <br>&gt; KERNEL32.dll: CloseHandle, CreateProcessA, GetEnvironmentVariableA, GetThreadContext, ReadProcessMemory, ResumeThread, SetThreadContext, VirtualAllocEx, WriteProcessMemory, lstrcatA, lstrcpyA<br><br>( 2 exports ) <br>DllMain, WLEventStartShell<br>
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2DC4C9DF008F5BAE54E700605E2BD1000B817A19

Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        Win-Trojan/Pakes.21504.G
AntiVir        7.8.0.59        2008.06.24        TR/Pakes.czu
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        Win32:Rootkit-gen
AVG        7.5.0.516        2008.06.24        Generic10.AFHM
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        Trojan.Pakes.czu
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        Trojan.Inject.3435
eSafe        7.0.17.0        2008.06.24        -
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        Trojan.Win32.Pakes.czu
Fortinet        3.14.0.0        2008.06.24        Cutwail!tr
GData        2.0.7306.1023        2008.06.24        Trojan.Win32.Pakes.czu
Ikarus        T3.1.1.26.0        2008.06.24        Trojan.Pakes.czu
Kaspersky        7.0.0.125        2008.06.24        Trojan.Win32.Pakes.czu
McAfee        5323        2008.06.23        Cutwail.dll
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        Bck/Spambot.P
Prevx1        V2        2008.06.24        Fraudulent Security Program
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        -
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        -
TrendMicro        8.700.0.1004        2008.06.24        TROJ_PAKES.GQ
VBA32        3.12.6.8        2008.06.23        -
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        Trojan.Pakes.czu

weitere Informationen
File size: 21504 bytes
MD5...: 3002270ed0c11cc15d7b2b1c778d3533
SHA1..: 0f99366caa329166ccc8af5fede072cbc10fc62b
SHA256: 2850bbf76c9777dfe197efb09ea580ff5a56305ba192f353097378dbf4e557e8
SHA512: 84423a9e501b3f4d9ffe8f80fabb9c71723e9efd9d73affa362d1443e77c946b<br>332849c7840bc810a6053eb9a93e4bed1f41c4286ef20d514005cb9092fd7cf4
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x10001000<br>timedatestamp.....: 0x48236f1b (Thu May 08 21:22:35 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 6 sections )<br>name        viradd    virsiz  rawdsiz  ntrpy  md5<br>.text      0x1000    0x640    0x800  6.28  a66eacd154500023dea6db5715792554<br>.data      0x2000    0x3e20    0x4000  7.79  ce5399e24ae2fdd92fb5bf77952d7b96<br>.rdata      0x6000      0x20    0x200  0.38  f61e8a45bd05f62b656a6b480c765a07<br>.edata      0x7000      0x5e    0x200  0.98  335c9756ab2fe52ee6cf70e97150c263<br>.idata      0x8000    0x19c    0x200  3.54  53689154421d9c9347080be905689fe7<br>.reloc      0x9000      0x34    0x200  0.80  0fabcbeb55b91a1a021bb287bbc474ca<br><br>( 1 imports )  <br>&gt; KERNEL32.dll: CloseHandle, CreateProcessA, GetEnvironmentVariableA, GetThreadContext, ReadProcessMemory, ResumeThread, SetThreadContext, VirtualAllocEx, WriteProcessMemory, lstrcatA, lstrcpyA<br><br>( 2 exports )  <br>DllMain, WLEventStartShell<br>
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2DC4C9DF008F5BAE54E700605E2BD1000B817A19
Code:
Datei tfswctrl.exe empfangen 2008.06.24 13:53:15 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        -
AntiVir        7.8.0.59        2008.06.24        -
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        -
AVG        7.5.0.516        2008.06.24        -
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        -
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        -
eSafe        7.0.17.0        2008.06.24        -
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        -
Fortinet        3.14.0.0        2008.06.24        -
GData        2.0.7306.1023        2008.06.24        -
Ikarus        T3.1.1.26.0        2008.06.24        -
Kaspersky        7.0.0.125        2008.06.24        -
McAfee        5323        2008.06.23        -
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        -
Prevx1        V2        2008.06.24        -
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        -
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        -
TrendMicro        8.700.0.1004        2008.06.24        -
VBA32        3.12.6.8        2008.06.23        -
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        -
weitere Informationen
File size: 114741 bytes
MD5...: deb8d1bbbb819174a4bab11485817099
SHA1..: edb939ba738c3699d62a03eab43aadd00bac0917
SHA256: 3b367ecb75a1c7fecb7b86e1f023cb5ff8901d68345f3a34b95b1380b0238354
SHA512: 66b9b56cbac0f87867cc41855b815c6de581bec4e53b93fcb04839e5baf94937<br>9f84b1f00a625944ac306161a6e5b4484c3eacdef19c3872d4c912f56700e562
PEiD..: Armadillo v1.71
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x4090f1<br>timedatestamp.....: 0x3f96dd68 (Wed Oct 22 19:41:28 2003)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0xcc0a 0xd000 6.47 daea079fb88f95f890643f9f4252282c<br>.rdata 0xe000 0x1a96 0x2000 4.87 41ae388c081d2a439c9cad72248a68d5<br>.data 0x10000 0x631c 0x5000 2.53 9a24dfbb183da8dc52c7bdfda926ccd2<br>.rsrc 0x17000 0x69e0 0x7000 5.68 5abc1ba344476d3c15db021e6ad87adf<br><br>( 8 imports ) <br>&gt; tfswapi.dll: TfsGetFileSystemStatus, TfsCommand, TfsGetConfigString, TfsGetOpStatus, TfsPnpDevice, TfsCancelCallback, TfsInitInstance, TfsInitCallbacks1, TfsTermInstance, TfsGetDriveStatus2, TfsGetIniFileName, TfsGetDriveClientFolder, TfsStartAsyncOp, TfsFreeOpHandle, TfsGetUserNotificationCode, TfsCallOnUserNotification, TfsGetDriveCaps<br>&gt; tfswcres.dll: GetResourceHandle<br>&gt; KERNEL32.dll: GlobalUnlock, GlobalLock, GetProcAddress, LoadLibraryA, InterlockedIncrement, InterlockedDecrement, GetLastError, CloseHandle, WaitForSingleObject, CreateEventA, GetVolumeInformationA, GetDriveTypeA, lstrcpynA, DeviceIoControl, CreateFileA, GetPrivateProfileIntA, GetTickCount, CreateMutexA, GetVersionExA, FindClose, FindNextFileA, DeleteFileA, FindFirstFileA, MultiByteToWideChar, MapViewOfFile, CreateFileMappingA, OpenFileMappingA, UnmapViewOfFile, GetCurrentProcess, IsBadCodePtr, SetSystemPowerState, lstrlenA, FreeLibrary, WritePrivateProfileStringA, lstrcmpiA, GetProfileStringA, lstrcatA, CreateThread, SetEvent, WaitForMultipleObjects, GetLocalTime, GetPrivateProfileStringA, WriteFile, ReadFile, GetTempFileNameA, GetTempPathA, LocalAlloc, GetFileSize, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, TerminateProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapReAlloc, HeapSize, VirtualAlloc, SetFilePointer, GetCPInfo, GetACP, FormatMessageA, GetStringTypeA, GetStringTypeW, SetStdHandle, LCMapStringA, LCMapStringW, FlushFileBuffers, LocalFree, lstrcpyA, GetOEMCP<br>&gt; USER32.dll: SetForegroundWindow, ShowWindow, GetDlgItem, SetWindowTextA, LoadStringA, SetWindowLongA, IsDlgButtonChecked, EndDialog, EnableWindow, IsWindow, RegisterClipboardFormatA, PostMessageA, DestroyWindow, CreateWindowExA, RegisterClassA, FindWindowA, DefWindowProcA, PostQuitMessage, CharUpperA, SetCursor, LoadCursorA, DispatchMessageA, IsDialogMessageA, PeekMessageA, SetWindowPos, SetActiveWindow, CreateDialogParamA, GetActiveWindow, BroadcastSystemMessage, MessageBoxA, ExitWindowsEx, GetWindowTextA, wsprintfA, GetWindowRect, ScreenToClient, GetParent, MoveWindow, GetClientRect, IsZoomed, IsIconic, FillRect, InvalidateRect, CheckDlgButton, SetDlgItemTextA, GetDlgItemTextA, SetFocus, TranslateMessage, GetSystemMenu, EnableMenuItem, SetTimer, GetDesktopWindow, DialogBoxParamA, KillTimer, SendMessageA, GetMessageA, GetWindowLongA<br>&gt; GDI32.dll: SetTextColor, StretchBlt, CreateBitmap, SetBkColor, DeleteObject, SelectObject, CreateCompatibleDC, DeleteDC<br>&gt; ADVAPI32.dll: AdjustTokenPrivileges, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, RegEnumValueA, LookupPrivilegeValueA, RegDeleteValueA, RegNotifyChangeKeyValue<br>&gt; SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, DragQueryFileA, SHGetMalloc, ShellExecuteA<br>&gt; ole32.dll: ReleaseStgMedium, CoRegisterClassObject, CoInitialize, CoUninitialize, CoRevokeClassObject, CoGetMalloc, CoCreateInstance<br><br>( 0 exports ) <br>

Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.6.24.0        2008.06.24        -
AntiVir        7.8.0.59        2008.06.24        -
Authentium        5.1.0.4        2008.06.24        -
Avast        4.8.1195.0        2008.06.23        -
AVG        7.5.0.516        2008.06.24        -
BitDefender        7.2        2008.06.24        -
CAT-QuickHeal        9.50        2008.06.23        -
ClamAV        0.93.1        2008.06.24        -
DrWeb        4.44.0.09170        2008.06.24        -
eSafe        7.0.17.0        2008.06.24        -
eTrust-Vet        31.6.5900        2008.06.24        -
Ewido        4.0        2008.06.24        -
F-Prot        4.4.4.56        2008.06.23        -
F-Secure        7.60.13501.0        2008.06.20        -
Fortinet        3.14.0.0        2008.06.24        -
GData        2.0.7306.1023        2008.06.24        -
Ikarus        T3.1.1.26.0        2008.06.24        -
Kaspersky        7.0.0.125        2008.06.24        -
McAfee        5323        2008.06.23        -
Microsoft        None        2008.06.24        -
NOD32v2        3212        2008.06.24        -
Norman        5.80.02        2008.06.23        -
Panda        9.0.0.4        2008.06.23        -
Prevx1        V2        2008.06.24        -
Rising        20.50.10.00        2008.06.24        -
Sophos        4.30.0        2008.06.24        -
Sunbelt        3.0.1153.1        2008.06.15        -
Symantec        10        2008.06.24        -
TheHacker        6.2.92.359        2008.06.24        -
TrendMicro        8.700.0.1004        2008.06.24        -
VBA32        3.12.6.8        2008.06.23        -
VirusBuster        4.5.11.0        2008.06.23        -
Webwasher-Gateway        6.6.2        2008.06.24        -

weitere Informationen
File size: 114741 bytes
MD5...: deb8d1bbbb819174a4bab11485817099
SHA1..: edb939ba738c3699d62a03eab43aadd00bac0917
SHA256: 3b367ecb75a1c7fecb7b86e1f023cb5ff8901d68345f3a34b95b1380b0238354
SHA512: 66b9b56cbac0f87867cc41855b815c6de581bec4e53b93fcb04839e5baf94937<br>9f84b1f00a625944ac306161a6e5b4484c3eacdef19c3872d4c912f56700e562
PEiD..: Armadillo v1.71
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x4090f1<br>timedatestamp.....: 0x3f96dd68 (Wed Oct 22 19:41:28 2003)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name        viradd    virsiz  rawdsiz  ntrpy  md5<br>.text      0x1000    0xcc0a    0xd000  6.47  daea079fb88f95f890643f9f4252282c<br>.rdata      0xe000    0x1a96    0x2000  4.87  41ae388c081d2a439c9cad72248a68d5<br>.data      0x10000    0x631c    0x5000  2.53  9a24dfbb183da8dc52c7bdfda926ccd2<br>.rsrc      0x17000    0x69e0    0x7000  5.68  5abc1ba344476d3c15db021e6ad87adf<br><br>( 8 imports )  <br>&gt; tfswapi.dll: TfsGetFileSystemStatus, TfsCommand, TfsGetConfigString, TfsGetOpStatus, TfsPnpDevice, TfsCancelCallback, TfsInitInstance, TfsInitCallbacks1, TfsTermInstance, TfsGetDriveStatus2, TfsGetIniFileName, TfsGetDriveClientFolder, TfsStartAsyncOp, TfsFreeOpHandle, TfsGetUserNotificationCode, TfsCallOnUserNotification, TfsGetDriveCaps<br>&gt; tfswcres.dll: GetResourceHandle<br>&gt; KERNEL32.dll: GlobalUnlock, GlobalLock, GetProcAddress, LoadLibraryA, InterlockedIncrement, InterlockedDecrement, GetLastError, CloseHandle, WaitForSingleObject, CreateEventA, GetVolumeInformationA, GetDriveTypeA, lstrcpynA, DeviceIoControl, CreateFileA, GetPrivateProfileIntA, GetTickCount, CreateMutexA, GetVersionExA, FindClose, FindNextFileA, DeleteFileA, FindFirstFileA, MultiByteToWideChar, MapViewOfFile, CreateFileMappingA, OpenFileMappingA, UnmapViewOfFile, GetCurrentProcess, IsBadCodePtr, SetSystemPowerState, lstrlenA, FreeLibrary, WritePrivateProfileStringA, lstrcmpiA, GetProfileStringA, lstrcatA, CreateThread, SetEvent, WaitForMultipleObjects, GetLocalTime, GetPrivateProfileStringA, WriteFile, ReadFile, GetTempFileNameA, GetTempPathA, LocalAlloc, GetFileSize, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, TerminateProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapReAlloc, HeapSize, VirtualAlloc, SetFilePointer, GetCPInfo, GetACP, FormatMessageA, GetStringTypeA, GetStringTypeW, SetStdHandle, LCMapStringA, LCMapStringW, FlushFileBuffers, LocalFree, lstrcpyA, GetOEMCP<br>&gt; USER32.dll: SetForegroundWindow, ShowWindow, GetDlgItem, SetWindowTextA, LoadStringA, SetWindowLongA, IsDlgButtonChecked, EndDialog, EnableWindow, IsWindow, RegisterClipboardFormatA, PostMessageA, DestroyWindow, CreateWindowExA, RegisterClassA, FindWindowA, DefWindowProcA, PostQuitMessage, CharUpperA, SetCursor, LoadCursorA, DispatchMessageA, IsDialogMessageA, PeekMessageA, SetWindowPos, SetActiveWindow, CreateDialogParamA, GetActiveWindow, BroadcastSystemMessage, MessageBoxA, ExitWindowsEx, GetWindowTextA, wsprintfA, GetWindowRect, ScreenToClient, GetParent, MoveWindow, GetClientRect, IsZoomed, IsIconic, FillRect, InvalidateRect, CheckDlgButton, SetDlgItemTextA, GetDlgItemTextA, SetFocus, TranslateMessage, GetSystemMenu, EnableMenuItem, SetTimer, GetDesktopWindow, DialogBoxParamA, KillTimer, SendMessageA, GetMessageA, GetWindowLongA<br>&gt; GDI32.dll: SetTextColor, StretchBlt, CreateBitmap, SetBkColor, DeleteObject, SelectObject, CreateCompatibleDC, DeleteDC<br>&gt; ADVAPI32.dll: AdjustTokenPrivileges, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, RegEnumValueA, LookupPrivilegeValueA, RegDeleteValueA, RegNotifyChangeKeyValue<br>&gt; SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListA, DragQueryFileA, SHGetMalloc, ShellExecuteA<br>&gt; ole32.dll: ReleaseStgMedium, CoRegisterClassObject, CoInitialize, CoUninitialize, CoRevokeClassObject, CoGetMalloc, CoCreateInstance<br><br>( 0 exports ) <br>

Lucky 24.06.2008 22:31
Hast du die gefundenen Dateien mit Malwarebytes gelöscht? Wenn ja, mach bitte nochmal ein Logfile.

nlo 25.06.2008 07:24
Ja, die Dateien habe ich mit Malwarebytes gelöscht. Beim erneuten Scan mit Malwarebytes erhalte ich jedoch immer wieder die Meldung über zwei infizierte Bereiche (gemäss Log).

Was kann ich hierbei noch dagegen unternehmen?

Code:
Malwarebytes' Anti-Malware 1.18
Datenbank Version: 885

08:10:45 25.06.2008
mbam-log-6-25-2008 (08-10-13).txt

Scan Art: Komplett Scan (C:\|)
Objekte gescannt: 101409
Scan Dauer: 4 hour(s), 3 minute(s), 13 second(s)

Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)

Infizierte Speicher Module:
(Keine Malware Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> No action taken.

Infizierte Registrierungswerte:
(Keine Malware Objekte gefunden)

Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)

Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\6_exception.nls (Trojan.Tibs) -> No action taken.


Alle Zeitangaben in WEZ +1. Es ist jetzt 01:40 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19