Trojaner-Board - Rechner/Laptop verseucht? Neuinstallation nötig?

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Rechner/Laptop verseucht? Neuinstallation nötig? (https://www.trojaner-board.de/58590-rechner-laptop-verseucht-neuinstallation-noetig.html)

Rechner/Laptop verseucht? Neuinstallation nötig?

Hallo zusammen,

mir wurde nahe gelegt mein Betriebsystem (Win XP) neu aufzuspielen, da sich "wahrscheinlich" Trojaner & co. darauf breit gemacht haben (ständige WerbePop-Ups wie Poker etc. trotz Blocker). Habe aber keine Lust für Nippes alles platt zu machen und neuzuinstallieren.

Habe mir Spyhunter runtergeladen der ne ganze Liste an Trojanern gefunden hat und die mit der kostenpflichtigen Vollversion gerne entfernen würden.. Wie ich nachher erfahren habe, soll das Programm eher fragwürdig sein > Programm runtergeschnissen und AVG, Ad-Aware & Spybot übers System laufen lassen und sie haben nichts gefunden. In einem ähnlichen Posting zum Thema verseuchter PC, sollte der Betroffene sich einige Programme runterladen und enstprechende LogFiles etc. posten damit ihr eine Diagnose abgeben könnt. Das einzige was mir als Laie bekannt ist, war HighJack, was ich hiermit posten möchte. Die anderen Geschichten sollten nur nach ausdrücklicher Empfehkung und detaillierter Anleitung durchgeführt werden. Ich warte somit auf weitere Instruktionen von euch:)

Zitat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:55:41, on 25.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Programme\QuickTime\QTTask.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programme\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad Muncher] "C:\Programme\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_exclude
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190657916421
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab?nocache=20071219-1
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1209206650
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 11986 bytes

Hallo und :hallo:

Wer hat Dir aufgrund welcher Einträge denn empfohlen Windows neuzumachen?
Das Hijackthis-Logfile sieht oweit ok aus.
Acker diese Punkte für weitere Analysen ab:

1.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

2.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:

Code:

C:\WINDOWS\system32\ToolBand.dll

3.) Führe dieses MBR-Tool aus und poste die Ausgabe

4.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten

5.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

6.) Mach auch ein Filelisting mit diesem script:

Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
Doppelklick auf listing8.cmd auf dem Desktop
nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

Hallo,

irgendwie hat das mit der automatischen Benachrichtigung bei Antworten zu meinen Beiträgen nicht funktioniert, deshlab sehe ich deine Antwort leider jetzt erst.

Bin momentan auch nicht an dem betreffenden Laptop und werde die gennanten Punkte am WE abarbeiten und entsprechen posten.

Vielen Dank schonmal!!!

Greetz
JKP

Hallo,

anbei die abgearbeitenden Schritte meinerseits:

Teil I:

1.) Durchgeführt
2.) Durchgeführt
Ergebnisse VirusTotal.com

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.8.29.0        2008.08.29        -

AntiVir        7.8.1.23        2008.08.31        -

Authentium        5.1.0.4        2008.08.30        -

Avast        4.8.1195.0        2008.08.30        -

AVG        8.0.0.161        2008.08.30        -

BitDefender        7.2        2008.08.31        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.08.31        -

DrWeb        4.44.0.09170        2008.08.31        -

eSafe        7.0.17.0        2008.08.28        -

eTrust-Vet        31.6.6057        2008.08.29        -

Ewido        4.0        2008.08.31        -

F-Prot        4.4.4.56        2008.08.30        -

Fortinet        3.14.0.0        2008.08.31        -

GData        19        2008.08.31        -

Ikarus        T3.1.1.34.0        2008.08.31        -

K7AntiVirus        7.10.433        2008.08.30        -

Kaspersky        7.0.0.125        2008.08.31        -

McAfee        5373        2008.08.29        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3401        2008.08.30        -

Norman        5.80.02        2008.08.29        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.08.31        -

Prevx1        V2        2008.08.31        -

Rising        20.59.61.00        2008.08.31        -

Sophos        4.33.0        2008.08.31        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.08.31        -

TheHacker        6.3.0.6.068        2008.08.30        -

TrendMicro        8.700.0.1004        2008.08.31        -

VBA32        3.12.8.4        2008.08.30        -

ViRobot        2008.8.30.1357        2008.08.30        -

VirusBuster        4.5.11.0        2008.08.31        -

Webwasher-Gateway        6.6.2        2008.08.31        -
 

weitere Informationen

File size: 94208 bytes

MD5...: 420751e7ee59452d8c30eed57e6e0cd2

SHA1..: 8dbbcab5bc6d642a5cbc123d69bd568ed7646c39

SHA256: bfef8170f7432db06da8e31de7e17fb6ba3b131f99b8177dddcef93550a33360

SHA512: a3a073ac695d993297d298c9112e21e2d8ff546fb1344c2eb77a7cec8e39a5e7

74a71fafe23358ee0d2c0a4a8d8d7d5a6973581bd57c699378ee0bdfaf49a6df

PEiD..: -

TrID..: File type identification

DirectShow filter (77.7%)

Win32 Executable MS Visual C++ (generic) (14.5%)

Win32 Executable Generic (3.2%)

Win32 Dynamic Link Library (generic) (2.9%)

Generic Win/DOS Executable (0.7%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x10006530

timedatestamp.....: 0x4355a1cb (Wed Oct 19 01:30:51 2005)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0xba89 0xc000 6.53 9ea9a36aece23fc9f87625853119271e

.rdata 0xd000 0x3215 0x4000 4.06 aeead64a3f7dee1b4d991c73afc732ff

.data 0x11000 0x185c 0x1000 3.69 7528c54f9ba41977f5478b98d068c0ce

.rsrc 0x13000 0x2268 0x3000 3.71 732086f013e4c6a0b0007f504d5f17d5

.reloc 0x16000 0x1750 0x2000 3.73 615e0229f69f5a1c777dc09b33e8034d
 

( 9 imports ) 

> KERNEL32.dll: GetSystemInfo, VirtualProtect, LCMapStringW, LCMapStringA, GetModuleFileNameW, MultiByteToWideChar, GetStringTypeA, EnterCriticalSection, LoadLibraryA, GetCPInfo, GetOEMCP, IsBadCodePtr, InterlockedIncrement, DisableThreadLibraryCalls, DeleteCriticalSection, InitializeCriticalSection, GetStringTypeW, LeaveCriticalSection, WideCharToMultiByte, lstrcpyW, GetSystemDefaultLangID, CreateFileW, WriteFile, CloseHandle, GetCurrentDirectoryW, IsBadReadPtr, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, UnhandledExceptionFilter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, GetStartupInfoA, GetFileType, GetStdHandle, GlobalLock, GlobalUnlock, GetPrivateProfileStringW, FindResourceW, InterlockedExchange, LoadResource, LockResource, HeapAlloc, GetProcessHeap, HeapFree, GetCurrentProcess, FlushInstructionCache, InterlockedDecrement, lstrlenW, GetVersionExW, GetThreadLocale, GetLocaleInfoA, GetACP, GetVersionExA, RaiseException, LocalFree, GetLastError, RtlUnwind, GetCurrentThreadId, GetCommandLineA, ExitProcess, HeapReAlloc, TlsAlloc, SetLastError, TlsFree, TlsSetValue, TlsGetValue, GetProcAddress, GetModuleHandleA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, TerminateProcess, HeapSize, VirtualQuery, SetHandleCount

> USER32.dll: GetFocus, GetWindow, ShowWindow, GetDlgItem, MessageBoxW, GetForegroundWindow, GetClientRect, ReleaseDC, GetDC, SetWindowPos, MoveWindow, GetWindowLongW, SetWindowLongW, CreateWindowExW, CallWindowProcW, LoadBitmapW, SendMessageW, DestroyWindow, LoadStringW, DefWindowProcW, IsWindow

> GDI32.dll: DeleteDC, GetObjectW, DeleteObject, SelectObject, GetStockObject

> ADVAPI32.dll: RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegCreateKeyExW, RegDeleteValueW, RegSetValueExW

> SHELL32.dll: SHGetMalloc, DragQueryFileW, ShellExecuteW

> ole32.dll: CoInitialize, CoCreateInstance, ReleaseStgMedium

> OLEAUT32.dll: -, -, -, -

> ATL71.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

> COMCTL32.dll: ImageList_LoadImageW, ImageList_AddMasked
 

( 4 exports ) 

DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

3.) Ausgabe MBR-Tool

Code:

tealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

4.) BlackLight: nichts gefunden
Malwarebytes Antimalware

Code:

Malwarebytes' Anti-Malware 1.25

Datenbank Version: 1101

Windows 5.1.2600 Service Pack 3
 

19:58:49 31.08.2008

mbam-log-08-31-2008 (19-58-49).txt
 

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)

Durchsuchte Objekte: 108446

Laufzeit: 37 minute(s), 43 second(s)
 

Infizierte Speicherprozesse: 0

Infizierte Speichermodule: 0

Infizierte Registrierungsschlüssel: 0

Infizierte Registrierungswerte: 0

Infizierte Dateiobjekte der Registrierung: 0

Infizierte Verzeichnisse: 0

Infizierte Dateien: 0
 

Infizierte Speicherprozesse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Speichermodule:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungsschlüssel:

(Keine bösartigen Objekte gefunden)
 

Infizierte Registrierungswerte:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateiobjekte der Registrierung:

(Keine bösartigen Objekte gefunden)
 

Infizierte Verzeichnisse:

(Keine bösartigen Objekte gefunden)
 

Infizierte Dateien:

(Keine bösartigen Objekte gefunden)

Teil II:
5.) ComboFix

Code:

ComboFix 08-08-30.03 - *** 2008-08-31 20:14:05.1 - FAT32x86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1031.18.212 [GMT 2:00]

ausgeführt von:: C:\Dokumente und Einstellungen\***\Desktop\ComboFix.exe

 * Neuer Wiederherstellungspunkt wurde erstellt
 
 Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!

.
 

((((((((((((((((((((((((((((((((((((   Weitere L”schungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv.dat

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv.exe

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv_nav.dat

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv_navps.dat

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\ntoskrnl.exe.exe

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\WanPacket.dll

C:\WINDOWS\system32\wpcap.dll
 

.

(((((((((((((((((((((((((((((((((((((((   Treiber/Dienste   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

-------\Service_NPF
 
 

(((((((((((((((((((((((   Dateien erstellt von 2008-07-28 bis 2008-08-31  ))))))))))))))))))))))))))))))

.
 

2008-08-31 19:08 . 2008-08-31 19:08        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware

2008-08-31 19:08 . 2008-08-31 19:08        <DIR>        d--------        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Malwarebytes

2008-08-31 19:08 . 2008-08-31 19:08        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes

2008-08-31 19:08 . 2008-08-17 15:01        38,472        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-31 19:08 . 2008-08-17 15:01        17,144        --a------        C:\WINDOWS\system32\drivers\mbam.sys

2008-08-28 14:45 . 2008-08-28 14:45        <DIR>        d--------        C:\Programme\MyPhoneExplorer

2008-08-28 14:45 . 2008-08-28 14:45        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP

2008-08-28 13:40 . 2008-08-28 13:40        <DIR>        d--------        C:\Programme\CCleaner

2008-08-28 10:53 . 2008-08-28 10:53        <DIR>        d--------        C:\Programme\Apple Software Update

2008-08-28 10:51 . 2008-08-28 10:51        <DIR>        d--------        C:\Programme\Bonjour

2008-08-28 09:58 . 2008-08-28 09:58        <DIR>        d--------        C:\Programme\QuickTime

2008-08-28 09:45 . 2008-08-28 09:45        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple

2008-08-26 17:10 . 2008-08-26 17:10        <DIR>        d--------        C:\WINDOWS\ServicePackFiles

2008-08-26 17:05 . 2006-12-29 00:31        19,569        --a------        C:\WINDOWS\002973_.tmp

2008-08-26 17:01 . 2008-08-26 17:01        <DIR>        d--------        C:\WINDOWS\EHome

2008-08-24 13:25 . 2008-08-24 13:25        <DIR>        d--------        C:\Programme\Trend Micro

2008-08-24 12:35 . 2008-08-24 12:35        <DIR>        d--------        C:\Programme\Ad Muncher

2008-08-24 12:35 . 2008-08-24 12:35        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ad Muncher

2008-08-22 18:44 . 2008-08-22 18:44        <DIR>        d--------        C:\Programme\Enigma Software Group

2008-08-22 18:09 . 2008-08-22 18:09        <DIR>        d--------        C:\Desktop

2008-08-20 15:14 . 2008-08-20 15:14        <DIR>        d--------        C:\Programme\Paint.NET

2008-08-20 14:58 . 2008-08-20 14:58        <DIR>        d--------        C:\WINDOWS\system32\XPSViewer

2008-08-20 14:58 . 2008-08-20 14:58        <DIR>        d--------        C:\Programme\Reference Assemblies

2008-08-20 14:57 . 2006-06-29 13:07        14,048        ---------        C:\WINDOWS\system32\spmsg2.dll

2008-08-20 14:48 . 2008-08-20 14:48        <DIR>        d--------        C:\Programme\MSXML 6.0

2008-08-20 14:31 . 2008-08-20 14:31        <DIR>        d--------        C:\Dokumente und Einstellungen\***\Anwendungsdaten\gtk-2.0

2008-08-20 14:31 . 2008-08-20 14:31        <DIR>        d--------        C:\Dokumente und Einstellungen\***\.thumbnails

2008-08-20 14:28 . 2008-08-20 14:28        <DIR>        d--------        C:\Dokumente und Einstellungen\***\.gimp-2.4

2008-08-20 14:27 . 2008-08-20 14:27        <DIR>        d--------        C:\Programme\GIMP-2.0

2008-08-17 15:25 . 2008-08-17 15:26        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft

2008-08-16 09:09 . 2008-04-11 21:04        691,712        ---------        C:\WINDOWS\system32\dllcache\inetcomm.dll

2008-08-13 14:07 . 2008-08-13 14:07        <DIR>        d--h-----        C:\$AVG8.VAULT$

2008-08-13 14:01 . 2008-08-13 14:01        <DIR>        d--------        C:\Programme\Live-Player

2008-07-29 16:05 . 2008-07-29 16:05        1,296,896        --a------        C:\WINDOWS\system32\SPort.dll

2008-07-25 10:36 . 2008-07-25 10:36        524,288        --a------        C:\WINDOWS\system32\DivXsm.exe

2008-07-25 10:36 . 2008-07-25 10:36        4,816        --a------        C:\WINDOWS\system32\divxsm.tlb

2008-07-23 18:50 . 2008-07-23 18:50        3,596,288        --a------        C:\WINDOWS\system32\qt-dx331.dll

2008-07-23 18:50 . 2008-07-23 18:50        10,152        --a------        C:\WINDOWS\system32\dsm_de.qm

2008-07-23 18:48 . 2008-07-23 18:48        1,044,480        --a------        C:\WINDOWS\system32\libdivx.dll

2008-07-23 18:48 . 2008-07-23 18:48        200,704        --a------        C:\WINDOWS\system32\ssldivx.dll

2008-07-23 18:47 . 2008-07-23 18:47        634,880        --a------        C:\WINDOWS\system32\Divxdec.ax

2008-07-23 18:47 . 2008-07-23 18:47        352,401        --a------        C:\WINDOWS\system32\DivXMedia.ax

2008-07-23 18:47 . 2008-07-23 18:47        8,523        --a------        C:\WINDOWS\system32\dpude.qm

2008-07-23 18:47 . 2008-07-23 18:47        3,051        --a------        C:\WINDOWS\system32\dtu_de.qm

2008-07-23 18:47 . 2008-07-23 18:47        416        --a------        C:\WINDOWS\system32\dtu100.dll.manifest

2008-07-23 18:47 . 2008-07-23 18:47        416        --a------        C:\WINDOWS\system32\dpl100.dll.manifest

2008-07-23 18:46 . 2008-07-23 18:46        12,288        --a------        C:\WINDOWS\system32\DivXWMPExtType.dll

2008-07-22 15:53 . 2008-07-22 15:53        <DIR>        d--------        C:\Programme\MSBuild

2008-07-22 15:53 . 2008-07-22 15:53        <DIR>        d--------        C:\Programme\Microsoft Works

2008-07-22 15:52 . 2008-07-22 15:52        <DIR>        d--------        C:\Programme\Microsoft.NET

2008-07-22 15:43 . 2008-07-22 15:43        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help

2008-07-22 15:40 . 2008-07-22 15:40        <DIR>        dr-h-----        C:\MSOCache

2008-07-22 11:47 . 2008-07-22 11:47        4,667,006        --a------        C:\WINDOWS\system32\World of Thomas Sabo.scr

2008-07-22 11:47 . 2008-07-22 11:47        84,992        --a------        C:\WINDOWS\system32\World of Thomas Sabo_uninst.exe

2008-07-20 20:40 . 2008-07-20 20:40        <DIR>        d--------        C:\Programme\Sun

2008-07-10 21:00 . 2008-07-10 21:00        <DIR>        d--------        C:\WINDOWS\system32\drivers\Avg

2008-07-10 21:00 . 2008-07-10 21:00        <DIR>        d--------        C:\Dokumente und Einstellungen\***\Anwendungsdaten\AVGTOOLBAR

2008-07-10 21:00 . 2008-08-30 08:59        97,928        --a------        C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-10 21:00 . 2008-07-10 21:00        10,520        --a------        C:\WINDOWS\system32\avgrsstx.dll

2008-07-10 19:58 . 2008-07-10 19:58        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avg8

2008-07-07 22:26 . 2008-07-07 22:26        253,952        ---------        C:\WINDOWS\system32\dllcache\es.dll

2008-07-05 18:27 . 2008-07-05 18:27        <DIR>        d--------        C:\Programme\MSECache

2008-07-05 18:27 . 2008-07-05 18:27        <DIR>        d--------        C:\Programme\Microsoft Silverlight

2008-07-04 11:40 . 2007-07-19 18:14        3,727,720        --a------        C:\WINDOWS\system32\d3dx9_35.dll

2008-07-04 11:40 . 2007-05-16 16:45        3,497,832        --a------        C:\WINDOWS\system32\d3dx9_34.dll

2008-07-04 11:40 . 2007-07-19 18:14        1,358,192        --a------        C:\WINDOWS\system32\D3DCompiler_35.dll

2008-07-04 11:40 . 2007-05-16 16:45        1,124,720        --a------        C:\WINDOWS\system32\D3DCompiler_34.dll

2008-07-04 11:40 . 2007-07-19 18:14        444,776        --a------        C:\WINDOWS\system32\d3dx10_35.dll

2008-07-04 11:40 . 2007-05-16 16:45        443,752        --a------        C:\WINDOWS\system32\d3dx10_34.dll

2008-07-04 11:40 . 2007-07-20 00:57        267,112        --a------        C:\WINDOWS\system32\xactengine2_9.dll

2008-07-04 11:40 . 2007-06-20 20:46        266,088        --a------        C:\WINDOWS\system32\xactengine2_8.dll

2008-07-04 11:40 . 2007-10-22 03:37        17,928        --a------        C:\WINDOWS\system32\X3DAudio1_2.dll

2008-07-04 11:39 . 2008-07-04 11:39        <DIR>        d--------        C:\WINDOWS\Logs

2008-07-04 08:15 . 2008-07-04 08:15        <DIR>        d--------        C:\Programme\IKEA HomePlanner

2008-07-04 08:15 . 2008-07-04 08:15        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Wise Installation Wizard

2008-07-01 08:21 . 2008-07-01 08:21        <DIR>        d--------        C:\Programme\AVG

2008-07-01 08:21 . 2008-07-01 08:21        10,520        --a------        C:\WINDOWS\system32\avgrsstx.dll.old
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-07 20:26        253,952        ----a-w        C:\WINDOWS\system32\es.dll

2008-06-24 16:42        74,240        ----a-w        C:\WINDOWS\system32\mscms.dll

2008-06-24 16:42        74,240        ------w        C:\WINDOWS\system32\dllcache\mscms.dll

2008-06-24 08:14        3,592,192        ----a-w        C:\WINDOWS\system32\dllcache\mshtml.dll

2008-06-23 09:20        70,656        ----a-w        C:\WINDOWS\system32\dllcache\ie4uinit.exe

2008-06-23 09:20        625,664        ----a-w        C:\WINDOWS\system32\dllcache\iexplore.exe

2008-06-23 09:20        13,824        ------w        C:\WINDOWS\system32\dllcache\ieudinit.exe

2008-06-21 05:23        161,792        ----a-w        C:\WINDOWS\system32\dllcache\ieakui.dll

2008-06-20 17:46        247,296        ----a-w        C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:46        247,296        ------w        C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:46        147,968        ------w        C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 11:51        361,600        ------w        C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 11:40        138,496        ------w        C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 11:08        225,856        ------w        C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-14 17:32        273,024        ------w        C:\WINDOWS\system32\dllcache\bthport.sys

2008-05-30 12:19        507,400        ----a-w        C:\WINDOWS\system32\XAudio2_1.dll

2008-05-30 12:18        238,088        ----a-w        C:\WINDOWS\system32\xactengine3_1.dll

2008-05-30 12:17        65,032        ----a-w        C:\WINDOWS\system32\XAPOFX1_0.dll

2008-05-30 12:17        25,608        ----a-w        C:\WINDOWS\system32\X3DAudio1_4.dll

2008-05-30 12:11        467,984        ----a-w        C:\WINDOWS\system32\d3dx10_38.dll

2008-05-30 12:11        3,850,760        ----a-w        C:\WINDOWS\system32\D3DX9_38.dll

2008-05-30 12:11        1,491,992        ----a-w        C:\WINDOWS\system32\D3DCompiler_38.dll

2008-05-16 09:58        12,632        ----a-w        C:\WINDOWS\system32\lsdelete.exe

2008-05-09 10:54        90,112        ----a-w        C:\WINDOWS\system32\wshext.dll

2008-05-09 10:54        90,112        ------w        C:\WINDOWS\system32\dllcache\wshext.dll

2008-05-09 10:54        512,000        ------w        C:\WINDOWS\system32\dllcache\jscript.dll

2008-05-09 10:54        430,080        ----a-w        C:\WINDOWS\system32\vbscript.dll

2008-05-09 10:54        430,080        ------w        C:\WINDOWS\system32\dllcache\vbscript.dll

2008-05-09 10:54        180,224        ----a-w        C:\WINDOWS\system32\scrobj.dll

2008-05-09 10:54        180,224        ------w        C:\WINDOWS\system32\dllcache\scrobj.dll

2008-05-09 10:54        172,032        ----a-w        C:\WINDOWS\system32\scrrun.dll

2008-05-09 10:54        172,032        ------w        C:\WINDOWS\system32\dllcache\scrrun.dll

2008-05-08 14:02        203,136        ------w        C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-08 11:24        155,648        ----a-w        C:\WINDOWS\system32\wscript.exe

2008-05-08 11:24        155,648        ------w        C:\WINDOWS\system32\dllcache\wscript.exe

2008-05-07 09:07        135,168        ----a-w        C:\WINDOWS\system32\cscript.exe

2008-05-07 09:07        135,168        ------w        C:\WINDOWS\system32\dllcache\cscript.exe

2008-05-07 05:10        1,293,824        ----a-w        C:\WINDOWS\system32\quartz.dll

2008-05-07 05:10        1,293,824        ------w        C:\WINDOWS\system32\dllcache\quartz.dll

2008-05-01 14:34        331,776        ----a-w        C:\WINDOWS\system32\dllcache\msadce.dll

2007-10-26 12:29        819        ----a-w        C:\Programme\vpnclient_setup.sms

2007-10-26 12:29        8,613,888        ----a-w        C:\Programme\vpnclient_setup.msi

2007-10-26 12:29        640        ----a-w        C:\Programme\vpnclient_setup.pdf

2007-10-26 12:29        56,832        ----a-w        C:\Programme\vpnclient_setup.exe

2007-10-26 12:29        51,712        ----a-w        C:\Programme\vpnclient_jp.mst

2007-10-26 12:29        51,200        ----a-w        C:\Programme\vpnclient_fc.mst

2007-10-26 12:29        1,822,520        ----a-w        C:\Programme\instmsiw.exe

2007-10-26 12:29        1,708,856        ----a-w        C:\Programme\instmsi.exe

2007-10-26 12:29        1,099        ----a-w        C:\Programme\vpnclient_setup.ini

2007-10-26 12:29        1,073        ----a-w        C:\Programme\sig.dat

2007-10-26 12:27        217,220        ----a-w        C:\Programme\installservice.exe

2007-10-26 12:27        16,506        ----a-w        C:\Programme\DelayInst.exe

2007-03-30 13:54        702,096        ----a-w        C:\Programme\APR2007_d3dx10_33_x64.cab

2007-03-30 13:54        699,466        ----a-w        C:\Programme\APR2007_d3dx10_33_x86.cab

2007-03-30 13:54        56,902        ----a-w        C:\Programme\APR2007_xinput_x86.cab

2007-03-30 13:54        45,302        ----a-w        C:\Programme\dxdllreg_x86.cab

2007-03-30 13:54        199,384        ----a-w        C:\Programme\APR2007_XACT_x64.cab

2007-03-30 13:54        155,350        ----a-w        C:\Programme\APR2007_XACT_x86.cab

2007-03-30 13:54        100,434        ----a-w        C:\Programme\APR2007_xinput_x64.cab

2007-03-30 13:54        1,610,998        ----a-w        C:\Programme\APR2007_d3dx9_33_x64.cab

2007-03-30 13:54        1,610,311        ----a-w        C:\Programme\APR2007_d3dx9_33_x86.cab

2007-03-30 13:38        85,883        ----a-w        C:\Programme\dxupdate.cab

2007-03-30 13:38        77,160        ----a-w        C:\Programme\DSETUP.dll

2007-03-30 13:38        503,144        ----a-w        C:\Programme\DXSETUP.exe

2007-03-30 13:38        1,673,576        ----a-w        C:\Programme\dsetup32.dll

.
 

------- Sigcheck -------
 

2007-07-30 19:19  68440  84d9a61860272d6177d46c86b8431557        C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19  68440  84d9a61860272d6177d46c86b8431557        C:\WINDOWS\system32\dllcache\wuauclt.exe

2008-04-14 07:53  111616  65e60c18ddb0215c201ff75e32d564c8        C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe

.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:52 15360]

"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17 102491]

"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16 692315]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 04:09 94208]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 04:06 77824]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 04:10 114688]

"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 15:54 196608]

"epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 15:59 212992]

"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 09:00 1235736]

"Ad Muncher"="C:\Programme\Ad Muncher\AdMunch.exe" [2008-08-24 12:35 779776]

"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:52 15360]

"DWQueuedReporting"="C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.l3acm"= C:\WINDOWS\system32\l3codecp.acm

"msacm.mkdmp3enc"= C:\PROGRA~2\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM

"msacm.l3codec"= C:\WINDOWS\system32\l3codecp.acm

"VIDC.ACDV"= ACDV.dll
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Cisco Systems VPN Client.lnk]

path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Cisco Systems VPN Client.lnk

backup=C:\WINDOWS\pss\Cisco Systems VPN Client.lnkCommon Startup
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^***^Startmenü^Programme^Autostart^UberIcon.lnk]

path=C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\UberIcon.lnk

backup=C:\WINDOWS\pss\UberIcon.lnkStartup
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^***^Startmenü^Programme^Autostart^Y'z Shadow.lnk]

path=C:\Dokumente und Einstellungen\***\Startmenü\Programme\Autostart\Y'z Shadow.lnk

backup=C:\WINDOWS\pss\Y'z Shadow.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\T-Online_Software_6
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePower Management]

--a------ 2005-11-09 11:04 3084288 C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]

--a------ 2005-10-24 16:45 2462208 C:\Acer\Empowering Technology\admtray.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 22:16 39792 C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]

--a------ 2005-10-19 09:30 69632 C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]

--a------ 2005-11-25 15:59 212992 c:\Acer\Empowering Technology\ePower\epm-dm.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

--a------ 2005-12-01 17:38 458752 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2008-04-14 07:52 1695232 C:\Programme\Messenger\msmsgs.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

--------- 2005-08-31 19:59 147456 C:\Program Files\Acer\Acer Arcade\PCMService.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 10:50 413696 C:\Programme\QuickTime\QTTask.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-08-18 18:41 1832272 C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TapiSrv"=3 (0x3)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=

"C:\\Programme\\Messenger\\msmsgs.exe"=

"C:\\Programme\\Real\\RealPlayer\\RealPlay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Programme\\Gemeinsame Dateien\\NewTech Infosystems\\LiveUpdate\\LiveUpdate.exe"=

"C:\\WINDOWS\\System32\\dpvsetup.exe"=

"C:\\Programme\\AVG\\AVG8\\avgupd.exe"=

"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
 

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 08:59]

R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]

R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 08:59]

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]

R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]

R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]

R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]

.

Inhalt des "geplante Tasks" Ordners

.

- - - - Entfernte verwaiste Registrierungseintr„ge - - - -
 

MSConfigStartUp-Adobe Photo Downloader - C:\Programme\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

MSConfigStartUp-ICQ Lite - C:\Programme\ICQLite\ICQLite.exe

MSConfigStartUp-InCD - C:\Programme\ahead\InCD\InCD.exe

MSConfigStartUp-msnmsgr - C:\Programme\MSN Messenger\msnmsgr.exe

MSConfigStartUp-NBKeyScan - C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

MSConfigStartUp-NeroCheck - C:\WINDOWS\system32\NeroCheck.exe

MSConfigStartUp-Skype - C:\Programme\Skype\Phone\Skype.exe

MSConfigStartUp-WLAN-Access Finder - C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe

MSConfigStartUp-Veoh - C:\Programme\Veoh Networks\Veoh\VeohClient.exe

MSConfigStartUp-{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - C:\Programme\Google\Gmail Notifier\gnotify.exe
 
 

.

------- Zus„tzlicher Scan -------

.

FireFox -: Profile - C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\0js0k83u.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.msm.uni-due.de/

FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

.
 

**************************************************************************
 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-31 20:18:46

Windows 5.1.2600 Service Pack 3 FAT NTAPI
 

Scanne versteckte Prozesse...
 

Scanne versteckte Autostart Eintr„ge...
 

Scanne versteckte Dateien...
 

Scan erfolgreich abgeschlossen

versteckte Dateien: 0
 

**************************************************************************

.

------------------------ Weitere, laufende Prozesse ------------------------

.

C:\PROGRAMME\WINDOWS DEFENDER\MSMPENG.EXE

C:\PROGRAMME\INTEL\WIRELESS\BIN\EVTENG.EXE

C:\PROGRAMME\INTEL\WIRELESS\BIN\S24EVMON.EXE

C:\PROGRAMME\LAVASOFT\AD-AWARE\AAWSERVICE.EXE

C:\PROGRAMME\AVG\AVG8\AVGWDSVC.EXE

C:\ACER\EMPOWERING TECHNOLOGY\ADMSERV.EXE

C:\PROGRAMME\BONJOUR\MDNSRESPONDER.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\TV\CLCAPSVC.EXE

C:\PROGRAMME\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVER.EXE

C:\PROGRAM FILES\ACER\ACER ARCADE\KERNEL\CLML_NTSERVICE\CLMLSERVICE.EXE

C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\PROGRAMME\INTEL\WIRELESS\BIN\REGSRVC.EXE

C:\Programme\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\Programme\AVG\AVG8\avgrsx.exe

C:\Programme\AVG\AVG8\avgrsx.exe

.

**************************************************************************

.

Zeit der Fertigstellung: 2008-08-31 20:22:43 - PC wurde neu gestartet

ComboFix-quarantined-files.txt  2008-08-31 18:22:32
 

Pre-Run: 19 Verzeichnis(se), 22,833,594,368 Bytes frei

Post-Run: 24 Verzeichnis(se), 22,912,729,088 Bytes frei
 

325        --- E O F ---        2008-08-30 07:24:59

6.) File-Upload.net - listing.txt

Soooo, hoffentlich kommt was Positives bei raus :daumenhoc

Thx schonmal
JKP

Hallo,

Nochmal nachgefragt: wegen welcher Einträge wurden Dir dir Neuinstallation empfohlen?

Code:

((((((((((((((((((((((((((((((((((((   Weitere L”schungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv.dat

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv.exe

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv_nav.dat

C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\sptqv_navps.dat

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\ntoskrnl.exe.exe

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\WanPacket.dll

C:\WINDOWS\system32\wpcap.dll

Combofix hat da einiges gelöscht, die Sicherheitskopien dieser gelöschten Dateien sollten in c:\qoobox liegen. Schau da mal rein und werte die Dateien bei Virustotal.com aus. Bitte alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen.

Hallo,

diese HighJackThis-Logfile und die Tatsache dass ich SP3 zunäachst nicht installieren konnte, waren wohl der Empfehlungsgrund für die Neuinstallation

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:26:08, on 24.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Intel\Wireless\Bin\EvtEng.exe

C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\Programme\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Acer\Empowering Technology\admServ.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

C:\Programme\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe

C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Programme\Intel\Wireless\Bin\RegSrvc.exe

C:\Programme\CyberLink\Shared Files\RichVideo.exe

C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programme\Synaptics\SynTP\SynTPLpr.exe

C:\Programme\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Programme\Java\jre1.6.0_07\bin\jusched.exe

C:\acer\Empowering Technology\ePower\epm-dm.exe

C:\Programme\QuickTime\QTTask.exe

C:\Programme\Windows Defender\MSASCui.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\dokumente und einstellungen\***\lokale einstellungen\anwendungsdaten\sptqv.exe

C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

C:\Programme\Microsoft Office\Office12\OUTLOOK.EXE

C:\Programme\Ad Muncher\AdMunch.exe

C:\Programme\Internet Explorer\IEXPLORE.EXE

C:\Programme\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programme\AVG\AVG8\avgtoolbar.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [epm-dm] c:\acer\Empowering Technology\ePower\epm-dm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Ad Muncher] "C:\Programme\Ad Muncher\AdMunch.exe" /bt

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sptqv] "c:\dokumente und einstellungen\***\lokale einstellungen\anwendungsdaten\sptqv.exe" sptqv

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe

O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_frame

O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_image

O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_link

O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_exclude

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=1.0&pass=Q2BN2VQR&id=menu_ie_report

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190657916421

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab?nocache=20071219-1

O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1209206650

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe

O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
 

--

End of file - 12243 bytes

Zu den Dateien unter C:\QooBox; welche Datei muss gecheckt werden, nur die Textdatei von ComboFix (siehe Screenshot im Anhang)?

Gruß
JKP

Diese Dateien solltest Du auswerten:

Code:

sptqv.dat

sptqv.exe

sptqv_nav.dat

sptqv_navps.dat

npf.sys

ntoskrnl.exe.exe

packet.dll

pthreadVC.dll

WanPacket.dll

wpcap.dll

Die sollten alle irgendwo in c:\qoobox\quarantine liegen. Evtl. haben diese noch zur Entschärfung die Endung .vir zusätzlich von CF verpasst bekommen :)
Eine Dateisuche nach allen Dateien (*.*) in dem vesagten Quarantäneordner könnte hilfreich sein.

Hier kommen die Auswertungen

Teil I

sptqv.dat.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 6414 bytes

MD5...: 31a1b2759a2422fe185b9874901ef702

SHA1..: 592b23ffc35948e471ae1db365b162a1884cffe4

SHA256: 29d655e03b20ac3d89e7ca97a6ab825fe82f8ca7588a57b93cd44a55c6973923

SHA512: 25ca2a5e3e2ebb68d21b530dcf65ca8be9d3dded7af23eb656c4fd5b3d498036

bd6091f139fc003e29b89686fba470b8e8f8d10eafc0870110ec269743cc63d5

PEiD..: -

TrID..: File type identification

Unknown!

PEInfo: -

sptqv.exe.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 282624 bytes

MD5...: 603399744fe25c06d495007a6749ea9f

SHA1..: 242723ef6860e12ca900dd692efc0e3e571779ef

SHA256: f6a3873f11834d97e6f5efe12021b1c110cd21e34a4ab638dce0b651b7dad043

SHA512: 67d632dc2e56a9a4f741f8c24cb429a9493c6f3a99e3fb0d3da3f1ce3ce6617d

3fb185e4a143bd8fcb57a618e859fb8403bffea2f14e64548c372e47dcb634a0

PEiD..: Armadillo v1.71

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x401c40

timedatestamp.....: 0x4542cd89 (Sat Oct 28 03:24:57 2006)

machinetype.......: 0x14c (I386)
 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0xdcc 0x1000 6.23 b46cd3c6faf6269c8af9fafcdba8239f

.rdata 0x2000 0xf9e 0x1000 5.24 018537f499ffe1fbbbbfe1940eb15251

.data 0x3000 0x41a3c 0x42000 7.36 ad085f6f9e159bf1ceb7ad0da2369428
 

( 10 imports ) 

> KERNEL32.dll: GetConsoleMode, GetCurrentProcessId, WritePrivateProfileSectionA, SetThreadPriorityBoost, GlobalGetAtomNameW, OpenFile, CreatePipe, GetModuleHandleA, _lopen, GetBinaryTypeA, GetLongPathNameA, GetVersionExA, RemoveDirectoryA, EnumCalendarInfoA, IsBadStringPtrA, SetEndOfFile, TryEnterCriticalSection, PrepareTape, WriteConsoleOutputW, GetTempFileNameA, GetFileAttributesA, GetFullPathNameA, DebugBreak, FileTimeToLocalFileTime, VirtualAlloc, IsValidLocale, GetDriveTypeA, GetFileAttributesExA, SetSystemTime, CreateFileW, GetHandleInformation, PurgeComm, _lclose, ExpandEnvironmentStringsW, WritePrivateProfileStringA, LeaveCriticalSection, EnumSystemCodePagesW, GetProcessTimes, EnumTimeFormatsW, GetPrivateProfileSectionW, SetErrorMode, GetSystemTime, GetCurrentDirectoryW, GetDriveTypeW, GetSystemInfo, GetTapeParameters, SwitchToFiber, GetTapeStatus, CreateWaitableTimerA, VirtualQueryEx, GetLogicalDriveStringsA, LocalFileTimeToFileTime, GetEnvironmentStringsW, lstrlenA, GetUserDefaultLangID, GetStartupInfoA

> USER32.dll: GetSysColorBrush, PostQuitMessage

> GDI32.dll: GetTextExtentPoint32A, TranslateCharsetInfo

> ADVAPI32.dll: ImpersonateSelf, CloseServiceHandle, CopySid, ChangeServiceConfigA, RegSetKeySecurity, EnumDependentServicesW, GetFileSecurityW, CreateProcessAsUserW, BuildTrusteeWithNameW, RegReplaceKeyW, IsValidSid, RegOpenKeyExA, InitializeSecurityDescriptor, RegEnumKeyA, RegDeleteKeyA, CryptGetProvParam, RegSetValueA, SetEntriesInAclA, OpenServiceW, MakeAbsoluteSD, RegQueryInfoKeyW, CryptDestroyHash, QueryServiceStatus, OpenSCManagerA, DestroyPrivateObjectSecurity, AccessCheckAndAuditAlarmW, LookupPrivilegeDisplayNameA, GetSidSubAuthorityCount, SetSecurityDescriptorDacl, CryptGenRandom, CryptCreateHash, LockServiceDatabase, RegOpenKeyExW, RegEnumKeyExW, AbortSystemShutdownW, CryptDestroyKey, ChangeServiceConfigW, InitiateSystemShutdownA

> SHELL32.dll: Shell_NotifyIconA, FindExecutableA, SHChangeNotify

> ole32.dll: CoGetInterfaceAndReleaseStream, OleConvertIStorageToOLESTREAM, CoCreateInstanceEx, CoCreateInstance

> OLEAUT32.dll: -, -

> COMCTL32.dll: PropertySheetA, -, ImageList_EndDrag, ImageList_DrawEx

> SHLWAPI.dll: StrCmpNIW, SHEnumValueW, PathStripToRootA, PathIsRelativeA, StrCatW, wvnsprintfW, PathAppendA, UrlGetPartW

> MSVCRT.dll: _controlfp, _except_handler3, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, _exit
 

( 0 exports )

sptqv_nav.dat.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 235539 bytes

MD5...: 9d29560b763828dac6d2c1b4d20b2c70

SHA1..: 9134a33880b92013ef842f7c3703a6ec6a194c42

SHA256: 330d60031e7477e3099e7aa7a9953ad2811b59a130a6379c4a26a7e3d7709dc8

SHA512: 39bb934673414015f78b240c1d2826f304510ff430bbc80b630f20cf376fe40e

f2df5ead058854c14f53867a5b36cf10cfa1adb8f7124b5c3d79f9ac15fff754

PEiD..: -

TrID..: File type identification

Unknown!

PEInfo: -

Teil II

sptqv_navps.dat.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 1173 bytes

MD5...: e52260d77a097e67a93740287df3df3a

SHA1..: 592c60154df38668b49543c253e73f1b0a960869

SHA256: c3f6c5133a8842b9bb1499100ed51dc8cb81aacbc7f00362a3d752c3073a46ee

SHA512: 2a9c5271896ca038d38ebede4fec9822634a71bfd4ec0894658972bf46114f61

030e1f903a62428108b3d9e80387276b963d117ee7a9ab64d599b5a93379fea6

PEiD..: -

TrID..: File type identification

Unknown!

PEInfo: -

Teil III

packet.dll.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 81920 bytes

MD5...: ab652dab12afdad853fd59207dd2d68b

SHA1..: 0969ebf80723c3f5889dc9d9b94872d4b474c89e

SHA256: 19c6e6603021586092dcedf5592865cdda5cae1ee1db00343cdd523e399b0d65

SHA512: c5fd05fd866fcf17ec1173a049ea03db01301a3fa9073dfeafb6bc11a56f716e

b9385fc1ceec7a80f41c1673aea5ba00dc6f8b6c41883c366a27c2d61ad24e56

PEiD..: Armadillo v1.xx - v2.xx

TrID..: File type identification

Win64 Executable Generic (59.6%)

Win32 Executable MS Visual C++ (generic) (26.2%)

Win32 Executable Generic (5.9%)

Win32 Dynamic Link Library (generic) (5.2%)

Generic Win/DOS Executable (1.3%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x10004796

timedatestamp.....: 0x42efe0b9 (Tue Aug 02 21:08:09 2005)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x957a 0xa000 6.36 fbf180b10a84e59e02535522e28c1fa6

.rdata 0xb000 0x14aa 0x2000 3.98 f4279fbe18f2df4f1f24eca2b13d1ad1

.data 0xd000 0x4b24 0x4000 1.11 881635460d24144907b1ca38dbb88dc9

.rsrc 0x12000 0x458 0x1000 1.15 997d4dcd159c0c79bdd90dd7cd035bcb

.reloc 0x13000 0x11c4 0x2000 3.01 516cea2792ecabd47096a5ab90627994
 

( 7 imports ) 

> WS2_32.dll: -

> WanPacket.dll: WanPacketGetStats, WanPacketSetBpfFilter, WanPacketTestAdapter, WanPacketSetReadTimeout, WanPacketSetMode, WanPacketSetMinToCopy, WanPacketReceivePacket, WanPacketCloseAdapter, WanPacketOpenAdapter, WanPacketGetReadEvent, WanPacketSetBufferSize

> KERNEL32.dll: GetStringTypeA, LCMapStringW, GlobalFree, GlobalUnlock, GlobalHandle, GlobalLock, GlobalAlloc, ReleaseMutex, WaitForSingleObject, WideCharToMultiByte, CloseHandle, LoadLibraryW, GetProcAddress, GetModuleHandleW, CreateMutexW, GetStringTypeW, GetLastError, CreateEventW, DeviceIoControl, GetVersion, SetLastError, CreateFileW, SetEvent, ReadFile, WriteFile, QueryPerformanceFrequency, QueryPerformanceCounter, GetFullPathNameW, LCMapStringA, FlushFileBuffers, MultiByteToWideChar, HeapFree, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, GetCPInfo, GetCommandLineA, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, HeapAlloc, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, RtlUnwind, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetFilePointer, InterlockedDecrement, InterlockedIncrement

> USER32.dll: wsprintfW

> ADVAPI32.dll: OpenServiceW, QueryServiceStatus, StartServiceW, OpenSCManagerW, CreateServiceW, CloseServiceHandle, RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, ControlService

> iphlpapi.dll: GetAdaptersInfo

> VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
 

( 30 exports ) 

PacketAllocatePacket, PacketCloseAdapter, PacketFreePacket, PacketGetAdapterNames, PacketGetDriverVersion, PacketGetNetInfoEx, PacketGetNetType, PacketGetReadEvent, PacketGetStats, PacketGetStatsEx, PacketGetVersion, PacketInitPacket, PacketIsDumpEnded, PacketLibraryVersion, PacketOpenAdapter, PacketReceivePacket, PacketRequest, PacketSendPacket, PacketSendPackets, PacketSetBpf, PacketSetBuff, PacketSetDumpLimits, PacketSetDumpName, PacketSetHwFilter, PacketSetMinToCopy, PacketSetMode, PacketSetNumWrites, PacketSetReadTimeout, PacketSetSnapLen, PacketStopDriver

pthreadVC.dll.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 53299 bytes

MD5...: f04a90f917ba10ae2dcbe859870f4dea

SHA1..: 6668ebe373ce58c33017697c477557653427e626

SHA256: 99c61abf41c3aec38cab3ed6270adbca9a247bbf5f9aa9d29ecb0659a5527f48

SHA512: aec29301b9ce311b27f1590b0e0c4121acdc183a30b570e087d77b7035684f02

a6dfbdee950c37f3023b32e2ea5a075a5fbe6d18a2804da9490d4959733bb516

PEiD..: Armadillo v1.xx - v2.xx

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x100064b7

timedatestamp.....: 0x3f67c0c6 (Wed Sep 17 02:02:46 2003)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x6633 0x7000 4.66 8c280534394d81e85515a350a9204b39

.rdata 0x8000 0x138e 0x2000 2.86 78b487b78298fc62644b42b69dbec496

.data 0xa000 0x684 0x1000 0.12 f1b684e0a95ba2ccd3c3d1da7bb33e3c

.idata 0xb000 0x834 0x1000 2.25 48c628e59e24609ef4759f59b604d55e

.reloc 0xc000 0x44a 0x1000 2.00 eddf4130caf2c0a68682480de57036cf
 

( 3 imports ) 

> MSVCRT.dll: calloc, _onexit, __dllonexit, _adjust_fdiv, _initterm, exit, longjmp, _setjmp3, _ftime, _endthreadex, _beginthreadex, _errno, malloc, free

> WSOCK32.dll: -, -

> KERNEL32.dll: GetThreadPriority, Sleep, EnterCriticalSection, TlsFree, TlsAlloc, GetExitCodeThread, ReleaseSemaphore, CreateSemaphoreA, GetCurrentProcessId, OpenProcess, GetLastError, SetThreadPriority, GetProcessAffinityMask, CloseHandle, TlsSetValue, TlsGetValue, SetLastError, InterlockedDecrement, ResetEvent, WaitForSingleObject, SetEvent, ResumeThread, SetThreadContext, GetThreadContext, SuspendThread, LeaveCriticalSection, LoadLibraryA, GetCurrentThreadId, CreateEventA, InterlockedIncrement, DuplicateHandle, GetCurrentThread, GetCurrentProcess, FreeLibrary, WaitForMultipleObjects, InitializeCriticalSection, DeleteCriticalSection, GetProcAddress
 

( 114 exports ) 

pthreadCancelableTimedWait, pthreadCancelableWait, pthread_attr_destroy, pthread_attr_getdetachstate, pthread_attr_getinheritsched, pthread_attr_getschedparam, pthread_attr_getschedpolicy, pthread_attr_getscope, pthread_attr_getstackaddr, pthread_attr_getstacksize, pthread_attr_init, pthread_attr_setdetachstate, pthread_attr_setinheritsched, pthread_attr_setschedparam, pthread_attr_setschedpolicy, pthread_attr_setscope, pthread_attr_setstackaddr, pthread_attr_setstacksize, pthread_barrier_destroy, pthread_barrier_init, pthread_barrier_wait, pthread_barrierattr_destroy, pthread_barrierattr_getpshared, pthread_barrierattr_init, pthread_barrierattr_setpshared, pthread_cancel, pthread_cond_broadcast, pthread_cond_destroy, pthread_cond_init, pthread_cond_signal, pthread_cond_timedwait, pthread_cond_wait, pthread_condattr_destroy, pthread_condattr_getpshared, pthread_condattr_init, pthread_condattr_setpshared, pthread_create, pthread_delay_np, pthread_detach, pthread_equal, pthread_exit, pthread_getconcurrency, pthread_getschedparam, pthread_getspecific, pthread_getw32threadhandle_np, pthread_join, pthread_key_create, pthread_key_delete, pthread_kill, pthread_mutex_destroy, pthread_mutex_init, pthread_mutex_lock, pthread_mutex_timedlock, pthread_mutex_trylock, pthread_mutex_unlock, pthread_mutexattr_destroy, pthread_mutexattr_getkind_np, pthread_mutexattr_getpshared, pthread_mutexattr_gettype, pthread_mutexattr_init, pthread_mutexattr_setkind_np, pthread_mutexattr_setpshared, pthread_mutexattr_settype, pthread_num_processors_np, pthread_once, pthread_rwlock_destroy, pthread_rwlock_init, pthread_rwlock_rdlock, pthread_rwlock_timedrdlock, pthread_rwlock_timedwrlock, pthread_rwlock_tryrdlock, pthread_rwlock_trywrlock, pthread_rwlock_unlock, pthread_rwlock_wrlock, pthread_rwlockattr_destroy, pthread_rwlockattr_getpshared, pthread_rwlockattr_init, pthread_rwlockattr_setpshared, pthread_self, pthread_setcancelstate, pthread_setcanceltype, pthread_setconcurrency, pthread_setschedparam, pthread_setspecific, pthread_spin_destroy, pthread_spin_init, pthread_spin_lock, pthread_spin_trylock, pthread_spin_unlock, pthread_testcancel, pthread_timechange_handler_np, pthread_win32_process_attach_np, pthread_win32_process_detach_np, pthread_win32_thread_attach_np, pthread_win32_thread_detach_np, ptw32_get_exception_services_code, ptw32_pop_cleanup, ptw32_push_cleanup, sched_get_priority_max, sched_get_priority_min, sched_getscheduler, sched_setscheduler, sched_yield, sem_close, sem_destroy, sem_getvalue, sem_init, sem_open, sem_post, sem_post_multiple, sem_timedwait, sem_trywait, sem_unlink, sem_wait

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f04a90f917ba10ae2dcbe859870f4dea

WanPacket.dll.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 61440 bytes

MD5...: 12aa2da30d1d2889511b4c1d14fb99b9

SHA1..: e6d09e7581565d5e83563e23027784348fd188ca

SHA256: 3064ea133646c4dbfbe750abbf836492a016b319783bc8166825e0783fd6e462

SHA512: 6a732791d1c54098b4b143e03d21ecdd360d1b629d10afc442eeed5e7aae7ad8

77019f7a1bcf354d9d563f66083fbb9a66b1fde1ab34ac125d188a8f226e9ca0

PEiD..: Armadillo v1.xx - v2.xx

TrID..: File type identification

Win64 Executable Generic (59.6%)

Win32 Executable MS Visual C++ (generic) (26.2%)

Win32 Executable Generic (5.9%)

Win32 Dynamic Link Library (generic) (5.2%)

Generic Win/DOS Executable (1.3%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x100047a3

timedatestamp.....: 0x42efe0b6 (Tue Aug 02 21:08:06 2005)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x761a 0x8000 6.42 dbb2b2ccdb2efecebf5fb5450c809a4d

.rdata 0x9000 0xe3f 0x1000 5.01 22f5b20b9c0d8f6ea3d56dbe71c11bfe

.data 0xa000 0x32a0 0x3000 0.94 00176a924bbd9ac389029fd57388e2f2

.rsrc 0xe000 0x478 0x1000 1.18 6f6d012b02b11d1b744ad5c8499b0a59

.reloc 0xf000 0xefa 0x1000 3.88 60519415df3e9a0c5607fec05b272aef
 

( 3 imports ) 

> NPPTools.dll: CreateNPPInterface, GetNPPBlobTable, SetBoolInBlob, CreateBlob, DestroyBlob

> KERNEL32.dll: GetFileType, GlobalAlloc, GlobalFree, FreeLibrary, LoadLibraryA, GetSystemTimeAsFileTime, LeaveCriticalSection, SetEvent, EnterCriticalSection, GetVersionExA, DeleteCriticalSection, CloseHandle, CreateEventA, InitializeCriticalSection, Sleep, OutputDebugStringA, WaitForSingleObject, ResetEvent, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetLastError, SetHandleCount, GetStdHandle, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, GetModuleHandleA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, HeapFree, WriteFile, HeapAlloc, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, GetProcAddress, RtlUnwind, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, InterlockedDecrement, InterlockedIncrement

> ole32.dll: CoInitializeEx, CoInitialize, CoUninitialize
 

( 11 exports ) 

WanPacketCloseAdapter, WanPacketGetReadEvent, WanPacketGetStats, WanPacketOpenAdapter, WanPacketReceivePacket, WanPacketSetBpfFilter, WanPacketSetBufferSize, WanPacketSetMinToCopy, WanPacketSetMode, WanPacketSetReadTimeout, WanPacketTestAdapter

wpcap.dll.vir

Code:

Antivirus        Version        letzte aktualisierung        Ergebnis

AhnLab-V3        2008.9.2.0        2008.09.01        -

AntiVir        7.8.1.23        2008.09.01        -

Authentium        5.1.0.4        2008.09.01        -

Avast        4.8.1195.0        2008.09.01        -

AVG        8.0.0.161        2008.09.01        -

BitDefender        7.2        2008.09.01        -

CAT-QuickHeal        9.50        2008.08.29        -

ClamAV        0.93.1        2008.09.01        -

DrWeb        4.44.0.09170        2008.09.01        -

eSafe        7.0.17.0        2008.08.31        -

eTrust-Vet        31.6.6062        2008.09.01        -

Ewido        4.0        2008.09.01        -

F-Prot        4.4.4.56        2008.09.01        -

F-Secure        7.60.13501.0        2008.09.01        -

Fortinet        3.14.0.0        2008.09.01        -

GData        19        2008.09.01        -

Ikarus        T3.1.1.34.0        2008.09.01        -

K7AntiVirus        7.10.435        2008.09.01        -

Kaspersky        7.0.0.125        2008.09.01        -

McAfee        5374        2008.09.01        -

Microsoft        1.3807        2008.08.25        -

NOD32v2        3405        2008.09.01        -

Norman        5.80.02        2008.09.01        -

Panda        9.0.0.4        2008.08.31        -

PCTools        4.4.2.0        2008.09.01        -

Prevx1        V2        2008.09.01        -

Rising        20.60.01.00        2008.09.01        -

Sophos        4.33.0        2008.09.01        -

Sunbelt        3.1.1592.1        2008.08.30        -

Symantec        10        2008.09.01        -

TheHacker        6.3.0.8.069        2008.09.01        -

TrendMicro        8.700.0.1004        2008.09.01        -

VBA32        3.12.8.4        2008.08.31        -

ViRobot        2008.9.1.1359        2008.09.01        -

VirusBuster        4.5.11.0        2008.09.01        -

Webwasher-Gateway        6.6.2        2008.09.01        -

weitere Informationen

File size: 233472 bytes

MD5...: 0a478ea707f567efa7f31847dd0e9928

SHA1..: 7748e0d84fb2cc170d46d009250a5762e3a6b9f0

SHA256: ab1bf7740115d2930377a17e41d7f685acf51f128405dde228e492de6ce82725

SHA512: 4c447f53437b8e9a3f974a25b0b992ace066c9d0c1e2449dc65960cd7de8560f

f74e5b87e610f32c46e3712c46070975135d088fea2ae7c1c94b7225a6cacac9

PEiD..: Armadillo v1.xx - v2.xx

TrID..: File type identification

Win32 Executable MS Visual C++ (generic) (53.1%)

Windows Screen Saver (18.4%)

Win32 Executable Generic (12.0%)

Win32 Dynamic Link Library (generic) (10.6%)

Generic Win/DOS Executable (2.8%)

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x100187fd

timedatestamp.....: 0x42efe335 (Tue Aug 02 21:18:45 2005)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x1f4cb 0x20000 6.52 6a4dfd2cb534c5a90865bd5f1f1b6cf1

.rdata 0x21000 0xc416 0xd000 5.87 50865a68f7f565fa5568471aa646aa14

.data 0x2e000 0xeb8c 0x7000 3.61 826af4a1bcdaddd89e072d99a743b9b7

.rsrc 0x3d000 0x478 0x1000 1.18 935a615b011060a3566fef334d42919a

.reloc 0x3e000 0x2a42 0x3000 5.45 0bf6381c2bd744a57ec11eecee03adee
 

( 3 imports ) 

> KERNEL32.dll: FormatMessageA, GetLastError, FreeLibrary, GetProcAddress, LoadLibraryA, GetSystemDirectoryA, FindClose, FindNextFileA, FindFirstFileA, SetEndOfFile, CreateFileA, GetOEMCP, GetACP, GetCPInfo, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, MultiByteToWideChar, FlushFileBuffers, SetFilePointer, ReadFile, SetStdHandle, CloseHandle, WriteFile, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, InterlockedIncrement, InterlockedDecrement, TlsGetValue, SetLastError, TlsFree, TlsAlloc, TlsSetValue, GetCurrentThreadId, RtlUnwind, DeleteCriticalSection, InitializeCriticalSection, VirtualAlloc, VirtualFree, GetVersion, HeapFree, HeapAlloc, GetCommandLineA, EnterCriticalSection, LeaveCriticalSection, ExitProcess, TerminateProcess, GetCurrentProcess, HeapReAlloc, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate

> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

> packet.dll: PacketGetReadEvent, PacketGetStatsEx, PacketSendPackets, PacketInitPacket, PacketSetDumpLimits, PacketSetDumpName, PacketSetMode, PacketIsDumpEnded, PacketGetVersion, PacketGetAdapterNames, PacketGetNetInfoEx, PacketSetReadTimeout, PacketSetMinToCopy, PacketSetBuff, PacketAllocatePacket, PacketSetHwFilter, PacketFreePacket, PacketCloseAdapter, PacketGetNetType, PacketOpenAdapter, PacketGetStats, PacketReceivePacket, PacketSendPacket, PacketSetBpf
 

( 77 exports ) 

bpf_dump, bpf_filter, bpf_image, bpf_validate, endservent, eproto_db, getservent, install_bpf_program, pcap_breakloop, pcap_close, pcap_compile, pcap_compile_nopcap, pcap_createsrcstr, pcap_datalink, pcap_datalink_name_to_val, pcap_datalink_val_to_description, pcap_datalink_val_to_name, pcap_dispatch, pcap_dump, pcap_dump_close, pcap_dump_file, pcap_dump_flush, pcap_dump_ftell, pcap_dump_open, pcap_file, pcap_fileno, pcap_findalldevs, pcap_findalldevs_ex, pcap_freealldevs, pcap_freecode, pcap_geterr, pcap_getevent, pcap_getnonblock, pcap_is_swapped, pcap_lib_version, pcap_list_datalinks, pcap_live_dump, pcap_live_dump_ended, pcap_lookupdev, pcap_lookupnet, pcap_loop, pcap_major_version, pcap_minor_version, pcap_next, pcap_next_etherent, pcap_next_ex, pcap_offline_filter, pcap_offline_read, pcap_open, pcap_open_dead, pcap_open_live, pcap_open_offline, pcap_parsesrcstr, pcap_perror, pcap_read, pcap_remoteact_accept, pcap_remoteact_cleanup, pcap_remoteact_close, pcap_remoteact_list, pcap_sendpacket, pcap_sendqueue_alloc, pcap_sendqueue_destroy, pcap_sendqueue_queue, pcap_sendqueue_transmit, pcap_set_datalink, pcap_setbuff, pcap_setfilter, pcap_setmintocopy, pcap_setmode, pcap_setnonblock, pcap_setsampling, pcap_setuserbuffer, pcap_snapshot, pcap_stats, pcap_stats_ex, pcap_strerror, wsockinit

npf.sys.vir

Code:

Antivirus Version letzte aktualisierung Ergebnis 

AhnLab-V3 2008.9.2.0 2008.09.01 - 

AntiVir 7.8.1.23 2008.09.01 - 

Authentium 5.1.0.4 2008.09.01 - 

Avast 4.8.1195.0 2008.09.01 - 

AVG 8.0.0.161 2008.09.01 - 

BitDefender 7.2 2008.09.01 - 

CAT-QuickHeal 9.50 2008.08.29 - 

ClamAV 0.93.1 2008.09.01 - 

DrWeb 4.44.0.09170 2008.09.01 - 

eSafe 7.0.17.0 2008.08.31 - 

eTrust-Vet 31.6.6062 2008.09.01 - 

Ewido 4.0 2008.09.01 - 

F-Prot 4.4.4.56 2008.09.01 - 

F-Secure 7.60.13501.0 2008.09.01 - 

Fortinet 3.14.0.0 2008.09.01 - 

GData 19 2008.09.01 - 

Ikarus T3.1.1.34.0 2008.09.01 - 

K7AntiVirus 7.10.435 2008.09.01 - 

Kaspersky 7.0.0.125 2008.09.01 - 

McAfee 5374 2008.09.01 - 

Microsoft 1.3807 2008.08.25 - 

NOD32v2 3405 2008.09.01 - 

Norman 5.80.02 2008.09.01 - 

Panda 9.0.0.4 2008.08.31 - 

PCTools 4.4.2.0 2008.09.01 - 

Prevx1 V2 2008.09.01 - 

Rising 20.60.01.00 2008.09.01 - 

Sophos 4.33.0 2008.09.01 - 

Sunbelt 3.1.1592.1 2008.08.30 - 

Symantec 10 2008.09.01 - 

TheHacker 6.3.0.8.069 2008.09.01 - 

TrendMicro 8.700.0.1004 2008.09.01 - 

VBA32 3.12.8.4 2008.08.31 - 

ViRobot 2008.9.1.1359 2008.09.01 - 

VirusBuster 4.5.11.0 2008.09.01 - 

Webwasher-Gateway 6.6.2 2008.09.01 - 

weitere Informationen 

File size: 32512 bytes 

MD5...: d21fee8db254ba762656878168ac1db6 

SHA1..: a394b1bc33a3c678e4b6b3c55373468e6afa7b28 

SHA256: 3694aa2145af617c47a7b506bd3d22824659ca3bf1680d220892cac4bd0fc846 

SHA512: c6e366be16e5614313c8ec394cbeda11df8cd57726fec2249db5d7d0f4266a38

e2bc7873b9ea38e820bdf96e6e14619d9e6f2092dcbed4932389ec89bd0c2204 

PEiD..: - 

TrID..: File type identification

Win32 Executable Generic (58.4%)

Clipper DOS Executable (13.8%)

Generic Win/DOS Executable (13.7%)

DOS Executable Generic (13.7%)

VXD Driver (0.2%) 

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x11368

timedatestamp.....: 0x42efe135 (Tue Aug 02 21:10:13 2005)

machinetype.......: 0x14c (I386)
 

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x480 0x64bc 0x6500 6.41 b1736c1d2544a05b914d3534ba0fd490

.rdata 0x6980 0x2ec 0x300 3.79 04d23de157df609935e4c7da368a3f75

.data 0x6c80 0x208 0x280 1.60 1fc60a198c9f24130f17a1febf77ee89

INIT 0x6f00 0x664 0x680 5.06 78b0795e13a1ad45ed4839a3b6b71826

.rsrc 0x7580 0x460 0x480 3.25 42cf93652de716bd6b41b64d7409b10e

.reloc 0x7a00 0x498 0x500 5.54 d91b5f88846a8570f15d8813c471d92a
 

( 3 imports ) 

> ntoskrnl.exe: DbgPrint, KeQuerySystemTime, _allrem, _alldiv, KeWaitForSingleObject, KeInitializeEvent, _aullrem, _aulldiv, ZwSetInformationThread, KeSetEvent, InterlockedExchange, KeClearEvent, IoCreateNotificationEvent, InterlockedIncrement, ObfDereferenceObject, InterlockedExchangeAdd, KeInitializeSpinLock, IoFreeMdl, MmBuildMdlForNonPagedPool, IoAllocateMdl, InterlockedDecrement, _allmul, ExfInterlockedRemoveHeadList, ExfInterlockedInsertTailList, IofCompleteRequest, IoDeleteSymbolicLink, IoDeleteDevice, RtlCompareMemory, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, IoCreateDevice, IoCreateSymbolicLink, ZwOpenKey, ZwEnumerateKey, RtlInitUnicodeString, ZwQueryValueKey, ZwClose, ExAllocatePoolWithTag, RtlQueryRegistryValues, RtlWriteRegistryValue, MmMapLockedPagesSpecifyCache, ExFreePool

> HAL.dll: KfReleaseSpinLock, KeQueryPerformanceCounter, KfLowerIrql, KfRaiseIrql, KfAcquireSpinLock

> NDIS.SYS: NdisCloseAdapter, NdisFreePacketPool, NdisSystemProcessorCount, NdisOpenAdapter, NdisResetEvent, NdisWaitEvent, NdisSetEvent, NdisDeregisterProtocol, NdisInitializeEvent, NdisAllocatePacketPool, NdisFreePacket, NdisAllocatePacket, NdisRegisterProtocol, NdisUnchainBufferAtFront
 

( 0 exports )

Teil IV

ntoskrnl.exe.exe.vir
File-Upload.net - ntoskrnl.exe.exe.vir.pdf

Ich hoffe die Ergebnisse sind les- und interpretierbar trotz des "verrückten" Formats. Falls es da nen Trick zur besseren Darstellung gibt, werd ich´s nochmal reinstellen.

Gruß
JKP

Nö das ist schon okay wie Du es gepostet hast. :)
Ich wunder mich nur mehr darüber, dass in keiner dieser Dateien irgendwas beanstandet wurde. Da frag ich mich doch warum CF die gelöscht hat. Seit kurzem kursiert da eh ein Bug, CF hat da ZA außer Gefecht gesetzt :rolleyes:

Das ZA außer Gefecht gesetzt :dummguck: ??

Kann man denn nun abschließend sagen: mein Laptop ist geheilt und alles wird gut?

ZA = ZoneAlarm (eine unnötige PFW ;) )

Oberflächlich scheint alles okay zu sein. Wie ist denn das Systemverhalten?