Regdll.exe/3SF1g.exe - Infection with Generic.Bot.H

Hello, I have a big problem: while I was at the PC today, Trend Micro Antivirus 2010 suddenly reported that a file named regdll.exe, located in the Temp folder, wanted to create a new autostart entry. Naturally I clicked "Deny" and uploaded the file to Virustotal.com:

h**p://www.virustotal.com/de/analisis/58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f-1267903531

Antivirus          Version        Last update  Result
a-squared          4.5.0.50       2010.03.06   Trojan.Win32.Kreeper!IK
AhnLab-V3          5.0.0.2        2010.03.06   -
AntiVir            8.2.1.180      2010.03.05   -
Antiy-AVL          2.0.3.7        2010.03.05   -
Authentium         5.2.0.5        2010.03.06   W32/VBTrojan.Dropper.4!Maximus
Avast              4.8.1351.0     2010.03.06   -
Avast5             5.0.332.0      2010.03.06   -
AVG                9.0.0.787      2010.03.06   Dropper.Generic.BTHO
BitDefender        7.2            2010.03.06   -
CAT-QuickHeal      10.00          2010.03.06   -
ClamAV             0.96.0.0-git   2010.03.06   -
Comodo             4091           2010.02.28   -
DrWeb              5.0.1.12222    2010.03.06   -
eSafe              7.0.17.0       2010.03.04   -
eTrust-Vet         35.2.7342      2010.03.05   -
F-Prot             4.5.1.85       2010.03.06   W32/VBTrojan.Dropper.4!Maximus
F-Secure           9.0.15370.0    2010.03.06   -
Fortinet           4.0.14.0       2010.03.06   -
GData              19             2010.03.06   -
Ikarus             T3.1.1.80.0    2010.03.06   Trojan.Win32.Kreeper
Jiangmin           13.0.900       2010.03.06   -
K7AntiVirus        7.10.990       2010.03.04   -
Kaspersky          7.0.0.125      2010.03.06   -
McAfee             5912           2010.03.06   -
McAfee+Artemis     5912           2010.03.06   -
McAfee-GW-Edition  6.8.5          2010.03.06   -
Microsoft          1.5502         2010.03.06   VirTool:Win32/VBInject.DD
NOD32              4921           2010.03.06   -
Norman             6.04.08        2010.03.06   -
nProtect           2009.1.8.0     2010.03.06   -
Panda              10.0.2.2       2010.03.06   -
PCTools            7.0.3.5        2010.03.04   -
Prevx              3.0            2010.03.06   -
Rising             22.37.05.03    2010.03.06   -
Sophos             4.51.0         2010.03.06   Mal/VBDrop-I
Sunbelt            5772           2010.03.06   -
Symantec           20091.2.0.41   2010.03.06   -
TheHacker          6.5.1.9.222    2010.03.06   -
TrendMicro         9.120.0.1004   2010.03.06   -
VBA32              3.12.12.2      2010.03.05   -
ViRobot            2010.3.5.2214  2010.03.05   -
VirusBuster        5.0.27.0       2010.03.05   -

Additional information
File size: 172032 bytes
MD5...: f38cc43f1fa758ed93879bc25ef2c5e8
SHA1..: d3819cc0bd32dffa1eb702df8ea59f04dc250167
SHA256: 58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f
ssdeep: 3072:AT2SZwHMwgWI3MR38Y9Nao4xZYAXu9gYw3l56bx3EQGq1sMZg1I8O:UDMuQ a17YAXua3l56bREQeMSI8
PEiD..: -
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x1130
  timedatestamp.....: 0x4b58c1df (Thu Jan 21 21:06:39 2010)
  machinetype.......: 0x14c (I386)
  ( 3 sections )
  name   viradd   virsiz   rawdsiz  ntrpy  md5
  .text  0x1000   0x1e2f4  0x1f000  4.95   dc788d3350fd631a9a4e0e2315c1bf02
  .data  0x20000  0x970    0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  .rsrc  0x21000  0x9978   0xa000   7.79   1d28d9d835037dc2c527771c9d1b7de8
  ( 1 imports )
  > MSVBVM60.DLL: -, -, -, -, MethCallEngine, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, ProcCallEngine, -, -, -, -, -, -, -
  ( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
        Generic Win/DOS Executable (15.9%)
        DOS Executable Generic (15.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
  publisher....: aPvqrpufYfJ
  copyright....: BHDPhi
  product......: uthSuQdrZq
  description..: ENlSwLsy
  original name: FmYwhm.exe
  internal name: FmYwhm
  file version.: 3.11.0066
  comments.....: Vmqsk
  signers......: -
  signing date.: -
  verified.....: Unsigned

Then I ran Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3830
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06.03.2010 21:50:26
mbam-log-2010-03-06 (21-50-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 189597
Time elapsed: 57 minute(s), 37 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 1
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 1

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{kljaht1a-zs3e-9ajq-nzmh-kvnoy3n5ggsd} (Generic.Bot.H) -> No action taken.

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
C:\Users\Philip\AppData\Local\Temp\3SF1g.exe (Generic.Bot.H) -> No action taken.

and afterwards HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:24, on 06.03.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\7-Zip\7zFM.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\helppane.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Philip\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Bonus.SSR.FR10] "C:\Program Files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" /autorun
O4 - HKLM\..\Run: [RCx0Z70RrY2] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Philip\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [dgdfgsdeg] C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe
O4 - HKCU\..\Run: [Wc8bJKYwn] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7727 bytes

The entry

O4 - HKCU\..\Run: [Wc8bJKYwn] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe

made me suspicious, so I uploaded the file 3SF1g.exe to Virustotal as well:

h**p://www.virustotal.com/de/analisis/58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f-1267908529

Antivirus          Version        Last update  Result
a-squared          4.5.0.50       2010.03.06   Trojan.Win32.Kreeper!IK
AhnLab-V3          5.0.0.2        2010.03.06   -
AntiVir            8.2.1.180      2010.03.05   -
Antiy-AVL          2.0.3.7        2010.03.05   -
Authentium         5.2.0.5        2010.03.06   W32/VBTrojan.Dropper.4!Maximus
Avast              4.8.1351.0     2010.03.06   -
Avast5             5.0.332.0      2010.03.06   -
AVG                9.0.0.787      2010.03.06   Dropper.Generic.BTHO
BitDefender        7.2            2010.03.06   -
CAT-QuickHeal      10.00          2010.03.06   -
ClamAV             0.96.0.0-git   2010.03.06   -
Comodo             4091           2010.02.28   -
DrWeb              5.0.1.12222    2010.03.06   -
eSafe              7.0.17.0       2010.03.04   -
eTrust-Vet         35.2.7342      2010.03.05   -
F-Prot             4.5.1.85       2010.03.06   W32/VBTrojan.Dropper.4!Maximus
F-Secure           9.0.15370.0    2010.03.06   -
Fortinet           4.0.14.0       2010.03.06   -
GData              19             2010.03.06   -
Ikarus             T3.1.1.80.0    2010.03.06   Trojan.Win32.Kreeper
Jiangmin           13.0.900       2010.03.06   -
K7AntiVirus        7.10.990       2010.03.04   -
Kaspersky          7.0.0.125      2010.03.06   -
McAfee             5912           2010.03.06   -
McAfee+Artemis     5912           2010.03.06   Artemis!F38CC43F1FA7
Microsoft          1.5502         2010.03.06   VirTool:Win32/VBInject.DD
NOD32              4921           2010.03.06   -
Norman             6.04.08        2010.03.06   -
nProtect           2009.1.8.0     2010.03.06   -
Panda              10.0.2.2       2010.03.06   Suspicious file
PCTools            7.0.3.5        2010.03.04   -
Rising             22.37.05.03    2010.03.06   -
Sophos             4.51.0         2010.03.06   Mal/VBDrop-I
Sunbelt            5772           2010.03.06   -
Symantec           20091.2.0.41   2010.03.06   -
TheHacker          6.5.1.9.223    2010.03.06   -
TrendMicro         9.120.0.1004   2010.03.06   -
VBA32              3.12.12.2      2010.03.05   -
ViRobot            2010.3.5.2214  2010.03.05   -
VirusBuster        5.0.27.0       2010.03.06   -

Additional information
File size: 172032 bytes
MD5...: f38cc43f1fa758ed93879bc25ef2c5e8
SHA1..: d3819cc0bd32dffa1eb702df8ea59f04dc250167
SHA256: 58c6fe6a63843a7a71ef65363dd33b3d0e90386cfadf9ebde87eca61e773ea4f
ssdeep: 3072:AT2SZwHMwgWI3MR38Y9Nao4xZYAXu9gYw3l56bx3EQGq1sMZg1I8O:UDMuQ a17YAXua3l56bREQeMSI8
PEiD..: -
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x1130
  timedatestamp.....: 0x4b58c1df (Thu Jan 21 21:06:39 2010)
  machinetype.......: 0x14c (I386)
  ( 3 sections )
  name   viradd   virsiz   rawdsiz  ntrpy  md5
  .text  0x1000   0x1e2f4  0x1f000  4.95   dc788d3350fd631a9a4e0e2315c1bf02
  .data  0x20000  0x970    0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  .rsrc  0x21000  0x9978   0xa000   7.79   1d28d9d835037dc2c527771c9d1b7de8
  ( 1 imports )
  > MSVBVM60.DLL: -, -, -, -, MethCallEngine, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, ProcCallEngine, -, -, -, -, -, -, -
  ( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
        Generic Win/DOS Executable (15.9%)
        DOS Executable Generic (15.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
  publisher....: aPvqrpufYfJ
  copyright....: BHDPhi
  product......: uthSuQdrZq
  description..: ENlSwLsy
  original name: FmYwhm.exe
  internal name: FmYwhm
  file version.: 3.11.0066
  comments.....: Vmqsk
  signers......: -
  signing date.: -
  verified.....: Unsigned

I also checked the entry

O4 - HKCU\..\Run: [dgdfgsdeg] C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe

on Virustotal:

h**p://www.virustotal.com/de/analisis/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2-1267909183

Antivirus          Version        Last update  Result
a-squared          4.5.0.50       2010.03.06   -
AhnLab-V3          5.0.0.2        2010.03.06   -
AntiVir            8.2.1.180      2010.03.05   -
Antiy-AVL          2.0.3.7        2010.03.05   -
Authentium         5.2.0.5        2010.03.06   -
Avast              4.8.1351.0     2010.03.06   -
Avast5             5.0.332.0      2010.03.06   -
AVG                9.0.0.787      2010.03.06   -
BitDefender        7.2            2010.03.06   -
CAT-QuickHeal      10.00          2010.03.06   -
ClamAV             0.96.0.0-git   2010.03.06   -
Comodo             4091           2010.02.28   -
DrWeb              5.0.1.12222    2010.03.06   -
eSafe              7.0.17.0       2010.03.04   Win32.TrojanHorse
eTrust-Vet         35.2.7342      2010.03.05   -
F-Prot             4.5.1.85       2010.03.06   -
F-Secure           9.0.15370.0    2010.03.06   -
Fortinet           4.0.14.0       2010.03.06   -
GData              19             2010.03.06   -
Ikarus             T3.1.1.80.0    2010.03.06   -
Jiangmin           13.0.900       2010.03.06   -
K7AntiVirus        7.10.990       2010.03.04   -
Kaspersky          7.0.0.125      2010.03.06   -
McAfee             5912           2010.03.06   -
McAfee+Artemis     5912           2010.03.06   -
McAfee-GW-Edition  6.8.5          2010.03.06   -
Microsoft          1.5502         2010.03.06   -
NOD32              4921           2010.03.06   -
Norman             6.04.08        2010.03.06   -
nProtect           2009.1.8.0     2010.03.06   -
Panda              10.0.2.2       2010.03.06   -
PCTools            7.0.3.5        2010.03.04   -
Prevx              3.0            2010.03.06   -
Rising             22.37.05.03    2010.03.06   -
Sophos             4.51.0         2010.03.06   -
Sunbelt            5772           2010.03.06   -
Symantec           20091.2.0.41   2010.03.06   -
TheHacker          6.5.1.9.223    2010.03.06   -
TrendMicro         9.120.0.1004   2010.03.06   -
VBA32              3.12.12.2      2010.03.05   -
ViRobot            2010.3.5.2214  2010.03.05   -
VirusBuster        5.0.27.0       2010.03.06   -

Additional information
File size: 20992 bytes
MD5...: 54a47f6b5e09a77e61649109c6a08866
SHA1..: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
ssdeep: 384:eipYzV8555BUcKaJEEyKxC0exYQ1k3KFUOLg2JfvaW9C5bW9odW:3peIszaq EyKxCtxJk6FbXaw
PEiD..: -
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x2104
  timedatestamp.....: 0x4a5bc100 (Mon Jul 13 23:19:28 2009)
  machinetype.......: 0x14c (I386)
  ( 4 sections )
  name    viradd  virsiz  rawdsiz  ntrpy  md5
  .text   0x1000  0x39dc  0x3a00   6.29   2eb5bad67734deb71cf023259153ef53
  .data   0x5000  0x5a8   0x600    0.81   bdd64867dcbd8117aac049606aa40456
  .rsrc   0x6000  0x810   0xa00    3.76   66f21324fc812e3bf717c9aae7a151ee
  .reloc  0x7000  0x3cc   0x400    6.40   7d35466317c0fe1186bb026254385afe
  ( 8 imports )
  > msvcrt.dll: __wgetmainargs, _exit, _XcptFilter, exit, _initterm, _amsg_exit, __setusermatherr, memcpy, _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _cexit
  > API_MS_Win_Core_ProcessThreads_L1_1_0.dll: TerminateProcess, GetCurrentProcess, OpenProcessToken, GetCurrentProcessId, GetCurrentThreadId
  > KERNEL32.dll: LocalAlloc, CloseHandle, DelayLoadFailureHook, GetProcAddress, GetLastError, FreeLibrary, InterlockedCompareExchange, LoadLibraryExA, InterlockedExchange, Sleep, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, UnhandledExceptionFilter, DeactivateActCtx, LoadLibraryExW, ActivateActCtx, LeaveCriticalSection, lstrcmpW, EnterCriticalSection, RegCloseKey, RegOpenKeyExW, HeapSetInformation, lstrcmpiW, lstrlenW, LCMapStringW, RegQueryValueExW, ReleaseActCtx, CreateActCtxW, ExpandEnvironmentStringsW, GetCommandLineW, ExitProcess, SetProcessAffinityUpdateMode, RegDisablePredefinedCacheEx, InitializeCriticalSection, GetProcessHeap, SetErrorMode, RegisterWaitForSingleObjectEx, LocalFree, HeapFree, WideCharToMultiByte, HeapAlloc
  > ntdll.dll: RtlAllocateHeap, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlInitializeSid, RtlCopySid, RtlSubAuthorityCountSid, RtlInitializeCriticalSection, RtlSetProcessIsCritical, RtlImageNtHeader, RtlUnhandledExceptionFilter, EtwEventWrite, EtwEventEnabled, EtwEventRegister, RtlFreeHeap
  > API_MS_Win_Security_Base_L1_1_0.dll: SetSecurityDescriptorDacl, AddAccessAllowedAce, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetTokenInformation, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl
  > API_MS_WIN_Service_Core_L1_1_0.dll: StartServiceCtrlDispatcherW, SetServiceStatus
  > API_MS_WIN_Service_winsvc_L1_1_0.dll: RegisterServiceCtrlHandlerW
  > RPCRT4.dll: RpcMgmtSetServerStackSize, I_RpcMapWin32Status, RpcServerUnregisterIf, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIfEx, RpcServerRegisterIf, RpcServerUseProtseqEpW, RpcServerListen
  ( 0 exports )
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
        Win32 Dynamic Link Library (generic) (37.6%)
        Generic Win/DOS Executable (9.9%)
        DOS Executable Generic (9.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
  publisher....: Microsoft Corporation
  copyright....: (c) Microsoft Corporation. All rights reserved.
  product......: Microsoft_ Windows_ Operating System
  description..: Host Process for Windows Services
  original name: svchost.exe
  internal name: svchost.exe
  file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
  comments.....: n/a
  signers......: -
  signing date.: -
  verified.....: Unsigned

The operating system is Windows 7 Final.

Please help me!

Yours, Cryptomaniac
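The autostart entries and VirusTotal sigcheck fields quoted in the post above are enough for a first offline triage before anything is touched on the machine. The script below is an added example, not code from the post or from Trojaner-Board; its sample input is copied from the logs above, and the rules it applies (autostarts launched from Temp or Roaming, double extensions, consonant-heavy value names, Active Setup component keys that are not well-formed GUIDs, version info that claims Microsoft or a system binary name for a file outside C:\Windows) are the editor's own triage heuristics, not any tool's output.

```python
"""Added triage example (not from the post): offline checks over the autostart
entries and VirusTotal sigcheck fields quoted in the thread above."""
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines from the HijackThis log, the Active Setup
# key from the MBAM log and the sigcheck fields from the VirusTotal reports.
O4_LINES = [
    r'O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"',
    r'O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start',
    r'O4 - HKLM\..\Run: [Bonus.SSR.FR10] "C:\Program Files\ABBYY FineReader 10\Bonus.ScreenshotReader.exe" /autorun',
    r'O4 - HKLM\..\Run: [RCx0Z70RrY2] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Users\Philip\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKCU\..\Run: [dgdfgsdeg] C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe',
    r'O4 - HKCU\..\Run: [Wc8bJKYwn] C:\Users\Philip\AppData\Local\Temp\3SF1g.exe',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')",
]
ACTIVE_SETUP_KEYS = ["{kljaht1a-zs3e-9ajq-nzmh-kvnoy3n5ggsd}"]
VERSION_INFO = [
    {"path": r"C:\Users\Philip\AppData\Local\Temp\3SF1g.exe", "publisher": "aPvqrpufYfJ",
     "original_name": "FmYwhm.exe", "verified": "Unsigned"},
    {"path": r"C:\Users\Philip\AppData\Roaming\fgsdfgdrfg\dfhds.exe.exe",
     "publisher": "Microsoft Corporation", "original_name": "svchost.exe", "verified": "Unsigned"},
]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|com))(?=["\s]|$)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|dll|scr|com)\.(?:exe|dll|scr|com)$", re.I)
PROFILE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}


@dataclass(frozen=True)
class Finding:
    entry: str
    reason: str


def parse_o4(line):
    """Split a HijackThis O4 line into (hive, value name, executable path)."""
    m = O4_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    return m.group("hive"), m.group("name"), exe.group("exe") if exe else m.group("cmd")


def looks_random(name):
    """Generated names like 'Wc8bJKYwn' are almost vowel-free; real ones are not."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 6:
        return False
    return sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.2


def triage_autoruns(lines):
    findings, registered = [], {}
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, name, exe = parsed
        where, low = f"{hive} [{name}]", exe.lower()
        registered.setdefault(low, []).append(where)
        if any(d in low for d in PROFILE_DIRS):
            findings.append(Finding(where, f"autostart from user-writable profile path: {exe}"))
        if DOUBLE_EXT_RE.search(low):
            findings.append(Finding(where, f"double extension: {exe}"))
        if looks_random(name):
            findings.append(Finding(where, "random-looking value name"))
    for low, places in registered.items():  # same binary persisted via several keys
        if len(places) > 1:
            findings.append(Finding(", ".join(places), f"same binary registered {len(places)} times: {low}"))
    return findings


def triage_active_setup(keys):
    """Active Setup components are keyed by GUID; anything else was hand-made."""
    return [Finding(k, "Active Setup component name is not a well-formed GUID")
            for k in keys if not GUID_RE.match(k)]


def triage_version_info(entries):
    findings = []
    for v in entries:
        where, in_windows = v["path"], v["path"].lower().startswith("c:\\windows\\")
        if looks_random(v["publisher"]):
            findings.append(Finding(where, f"random-looking publisher string: {v['publisher']}"))
        if "microsoft" in v["publisher"].lower() and not in_windows:
            findings.append(Finding(where, "claims Microsoft as publisher but lives outside C:\\Windows"))
        if v["original_name"].lower() in SYSTEM_NAMES and not in_windows:
            findings.append(Finding(where, f"system binary name {v['original_name']} outside C:\\Windows"))
        # Weak signal on its own: Windows files are catalog-signed and show 'Unsigned' here too.
        if v["verified"].lower() != "signed" and not in_windows:
            findings.append(Finding(where, "no embedded Authenticode signature"))
    return findings


def triage(o4_lines, active_setup_keys, version_info):
    return (triage_autoruns(o4_lines) + triage_active_setup(active_setup_keys)
            + triage_version_info(version_info))


if __name__ == "__main__":
    for f in triage(O4_LINES, ACTIVE_SETUP_KEYS, VERSION_INFO):
        print(f"{f.entry}: {f.reason}")
```

Two caveats for reading the output. "verified: Unsigned" in a VirusTotal sigcheck block is weak evidence by itself: most Windows binaries carry no embedded Authenticode signature and are signed through security catalogs, so a copy of svchost.exe shows as unsigned there as well; what makes dfhds.exe.exe worth pulling is the random folder name under Roaming, the double extension and the Microsoft version info at that path, not the signature verdict. And the same binary registered under HKLM\Run and HKCU\Run with two different generated value names is the pattern the Trend Micro autostart prompt caught in the act. On the live machine, Sysinternals Autoruns with "Verify Code Signatures" enabled performs the equivalent checks against the catalogs.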
Nobody has any idea?
Hello! Please run RSIT and then post both logfiles here.

Regards, TXL
Copyright ©2000-2025, Trojaner-Board