
Log Analysis and Evaluation: Removing Trojans (TR/Downloader.Gen, TR/Agent.job)


24.12.2008, 00:43   #1
koestech



Hi Andreas,

I've done everything.

Thanks in advance for your help.

Best regards,

Christian


1) I have disabled System Restore.

2a) BlackLight log:

Code:
12/23/08 23:20:30 [Info]: BlackLight Engine 2.2.1092 initialized
12/23/08 23:20:30 [Info]: OS: 5.1 build 2600 (Service Pack 3)
12/23/08 23:20:31 [Note]: 7019 4
12/23/08 23:20:31 [Note]: 7005 0
12/23/08 23:20:38 [Note]: 7006 0
12/23/08 23:20:38 [Note]: 7011 1664
12/23/08 23:20:38 [Note]: 7035 0
12/23/08 23:20:38 [Note]: 7026 0
12/23/08 23:20:38 [Note]: 7026 0
12/23/08 23:20:38 [Note]: 7024 3
12/23/08 23:20:38 [Info]: Hidden process: C:\dokumente und einstellungen\christian\lokale einstellungen\anwendungsdaten\mkcka
12/23/08 23:20:40 [Note]: FSRAW library version 1.7.1024
12/23/08 23:20:41 [Info]: Hidden file: c:\Dokumente und Einstellungen\Christian\Lokale Einstellungen\Anwendungsdaten\mkcka.da
12/23/08 23:20:41 [Note]: 10002 1
12/23/08 23:20:42 [Info]: Hidden file: C:\dokumente und einstellungen\christian\lokale einstellungen\anwendungsdaten\mkcka.ex
12/23/08 23:20:42 [Note]: 10002 1
12/23/08 23:20:42 [Info]: Hidden file: c:\Dokumente und Einstellungen\Christian\Lokale Einstellungen\Anwendungsdaten\mkcka_na
12/23/08 23:20:42 [Note]: 10002 1
12/23/08 23:20:43 [Info]: Hidden file: c:\Dokumente und Einstellungen\Christian\Lokale Einstellungen\Anwendungsdaten\mkcka_na
12/23/08 23:20:43 [Note]: 10002 1
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
12/23/08 23:23:28 [Note]: 2000 1012
         
2b) Malware log:

Code:
Malwarebytes' Anti-Malware 1.31
Datenbank Version: 1537
Windows 5.1.2600 Service Pack 3

24.12.2008 00:19:23
mbam-log-2008-12-24 (00-19-23).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 193210
Laufzeit: 48 minute(s), 58 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Mstsc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\Microsoft\mstsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
         

3) CCleaner run.

-> ComboFix log:

As a link, because the post would otherwise have been too long:

http://www.file-upload.net/download-...boFix.txt.html

4) Link to the file listing script result:

http://www.file-upload.net/download-...sting.txt.html

5) Log from the renamed HijackThis:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:32:56, on 24.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System\cisvc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Cyberlink\Shared Files\brs.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
D:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Christian\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://w*w.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nTrayFw] C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\WINDOWS\System\rsvp.exe /waitservice
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {ECDB7588-09B7-418F-8F61-D092E84D6E9A} (Gif89 MPG4 Class) - h**p://217.91.67.171:81/xplugmpg4.cab
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - E:\Programme\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe

--
End of file - 8984 bytes
         

24.12.2008, 11:19   #2
john.doe



1. Have the following files checked at VirusTotal:
Code:
C:\WINDOWS\System\cisvc.exe
c:\windows\R.COM
c:\windows\system32\T.COM
c:\windows\system32\eEmpty.exe
         
If the files cannot be found with Browse, select the line, copy it and paste it into the field at VirusTotal.

2. Avenger instructions (by swandog46)

Download the tool Avenger and save it on your desktop:
  • Double-click the Avenger icon
  • Now copy the following text into the white box at -> "input script here"
Code:
Registry values to replace with dummy: 
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run

Files to delete:
C:\WINDOWS\System\cisvc.exe
C:\WINDOWS\System\rsvp.exe
C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe
c:\windows\R.COM
c:\windows\system32\T.COM
c:\windows\system32\eEmpty.exe
         
  • Now close all programs and browser windows
  • To start Avenger, click -> Execute
  • Then confirm with "Yes" that the computer will restart
  • After the system has restarted, you will find a report from Avenger at -> C:\avenger.txt
  • Open the file with Notepad and copy the entire text into your post here on the Trojaner-Board.

3. Do the listing (item 4 above) again. The file is damaged and only 32 KB in size. Post the link.

4. Start => Run => mrt => OK
If a listing is not possible, take a screenshot, upload it here and post the link.

5. Post a new HijackThis logfile; use this renamed hijackthis.exe for it.
Edit out the links and private info!!


ciao, andreas
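As an added example (not code from any post in this thread), a small Python triage script that applies the helper's reasoning to HijackThis O4 lines: it parses the registry-based autostart entries and flags those launched from Policies\Explorer\Run, stored under the user's Application Data folder, or living in C:\WINDOWS\System. The sample lines are copied from the log posted above; the heuristics are the example's own assumptions, and the script only reads text.

```python
"""Triage HijackThis 'O4' autostart lines for less common launch points.

Added example for this thread, not a tool from the original posts. It reads
log text only and changes nothing on the machine.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Registry-based O4 lines: "O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed sample: lines taken verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\WINDOWS\System\rsvp.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'SYSTEM')
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
"""


def image_path(command: str) -> str:
    """Return the executable part of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    user: Optional[str]
    reasons: list = field(default_factory=list)

    @property
    def image(self) -> str:
        return image_path(self.command)


def assess(entry: Autorun) -> list:
    """Return human-readable reasons why an entry deserves a closer look."""
    reasons = []
    # Group-policy logon launch point; the helper's Avenger script above clears it.
    if "policies\\explorer\\run" in entry.key.lower():
        reasons.append("launched from Policies\\Explorer\\Run (group-policy launch point)")
    path = entry.image.lower()
    # Per-user Application Data (German short/long names and English names).
    if re.search(r"\\(anwend~1|anwendungsdaten|application data|appdata)\\", path):
        reasons.append("image stored under the user's Application Data folder")
    # The 16-bit-era C:\WINDOWS\System directory, not System32.
    if re.match(r"^[a-z]:\\windows\\system\\", path):
        reasons.append("image in C:\\WINDOWS\\System rather than System32")
    return reasons


def parse_o4(text: str):
    """Parse every registry-based O4 line; returns (entries, unparsed_lines)."""
    entries, unparsed = [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith("O4 - "):
            continue
        m = O4_RE.match(line)
        if not m:
            unparsed.append(line)  # e.g. 'O4 - Startup:' shortcut entries
            continue
        entry = Autorun(m["hive"], m["key"], m["name"], m["cmd"], m["user"])
        entry.reasons = assess(entry)
        entries.append(entry)
    return entries, unparsed


def flagged(text: str):
    """Return only the entries with at least one reason, in log order."""
    entries, _ = parse_o4(text)
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.image}")
        for r in e.reasons:
            print("   -", r)
```

Running it against the sample lines flags exactly the two Policies\Explorer\Run entries (rsvp and MqtgSVC), each for two reasons, while the ordinary Run entries pass.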


28.12.2008, 20:56   #3
koestech



Hi Andreas,

Regarding 1.


C:\WINDOWS\System\cisvc.exe

Code:
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.12.22.0	2008.12.23	-
AntiVir	7.9.0.45	2008.12.23	-
Authentium	5.1.0.4	2008.12.23	-
Avast	4.8.1281.0	2008.12.23	-
AVG	8.0.0.199	2008.12.23	-
BitDefender	7.2	2008.12.23	-
CAT-QuickHeal	10.00	2008.12.23	-
ClamAV	0.94.1	2008.12.23	-
Comodo	804	2008.12.23	-
DrWeb	4.44.0.09170	2008.12.23	-
eSafe	7.0.17.0	2008.12.23	-
eTrust-Vet	31.6.6275	2008.12.23	-
Ewido	4.0	2008.12.23	-
F-Prot	4.4.4.56	2008.12.23	-
F-Secure	8.0.14332.0	2008.12.23	-
Fortinet	3.117.0.0	2008.12.23	-
GData	19	2008.12.23	-
Ikarus	T3.1.1.45.0	2008.12.23	-
K7AntiVirus	7.10.563	2008.12.23	-
Kaspersky	7.0.0.125	2008.12.23	Heur.Trojan.Generic
McAfee	5473	2008.12.23	-
McAfee+Artemis	5473	2008.12.23	-
Microsoft	1.4205	2008.12.23	TrojanDownloader:Win32/Horst.Q
NOD32	3714	2008.12.23	-
Norman	5.80.02	2008.12.23	-
Panda	9.0.0.4	2008.12.23	Suspicious file
PCTools	4.4.2.0	2008.12.23	-
Prevx1	V2	2008.12.23	Cloaked Malware
Rising	21.09.14.00	2008.12.23	-
SecureWeb-Gateway	6.7.6	2008.12.23	-
Sophos	4.37.0	2008.12.23	-
Sunbelt	3.2.1809.2	2008.12.22	-
Symantec	10	2008.12.23	-
TheHacker	6.3.1.4.195	2008.12.20	-
TrendMicro	8.700.0.1004	2008.12.23	-
VBA32	3.12.8.10	2008.12.23	-
ViRobot	2008.12.23.1532	2008.12.23	-
VirusBuster	4.5.11.0	2008.12.23	-
weitere Informationen
File size: 81920 bytes
MD5...: 53e6c9b82b2ce3c04c4b9732af701a2a
SHA1..: b655fe581b88f640f3aef30e657e74cae5a2d502
SHA256: 6df097f35fb66572254872eebf6327be88e2ea14c0ff2ae7a5e489d0faaeacef
SHA512: bf8cd1c40930c5d052dc0f9e61800c9e7867dcb5a090e4e73bdef1a813e349af
450cc18febfcbf9a9847a9c1718c69f6c8d0edeb7347307a18feedcde62cfd0e
ssdeep: 1536:ttozUQyllwFeSOrR3/ZuoY6r4Rq4GaTZB7zAQnsiut:tP4eZt3xue4UiRns
iut
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40b396
timedatestamp.....: 0x48ef6faf (Fri Oct 10 15:07:27 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfc2f 0x10000 6.29 0c7eddf1865c26650b9961c09234aa7d
.rdata 0x11000 0x1fe2 0x2000 5.47 1b702d640121ab154436ef7e891bb890
.data 0x13000 0x3798 0x1000 1.47 f15f3cc87eddbbde4f54d828668c3d60

( 6 imports ) 
> USER32.dll: LoadImageA
> ADVAPI32.dll: RegCloseKey, RegEnumValueA, RegGetKeySecurity, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, LookupAccountSidA, GetTokenInformation, OpenProcessToken
> WS2_32.dll: -, -
> WININET.dll: InternetReadFile, HttpQueryInfoA, InternetCloseHandle, InternetOpenUrlA, InternetOpenA
> NETAPI32.dll: NetUserGetInfo, NetApiBufferFree
> KERNEL32.dll: SetEnvironmentVariableA, GetSystemInfo, VirtualProtect, GetLocaleInfoA, FlushFileBuffers, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, SetStdHandle, GetCPInfo, GetOEMCP, GetACP, GetFileTime, GetSystemDirectoryA, GetFileType, OpenProcess, GetStartupInfoA, CreateDirectoryA, GetProcessPriorityBoost, GetVolumeInformationA, OpenMutexA, CreateMutexA, CloseHandle, GetLogicalDriveStringsA, GetDriveTypeA, Sleep, GetLastError, GetLocalTime, GetShortPathNameA, GetEnvironmentVariableA, ExitProcess, SetFileAttributesA, CreateFileA, CreateProcessA, GlobalFree, CreateThread, GlobalAlloc, MultiByteToWideChar, GetModuleFileNameA, GetCurrentProcess, CopyFileA, WriteFile, RtlUnwind, GetSystemTimeAsFileTime, GetProcAddress, GetModuleHandleA, TerminateProcess, GetCommandLineA, GetVersionExA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, HeapReAlloc, HeapAlloc, HeapSize, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, HeapDestroy, HeapCreate, VirtualFree, HeapFree, LoadLibraryA, InterlockedExchange, VirtualQuery, SetFilePointer, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, VirtualAlloc
         
t.com

Code:
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.12.17.3	2008.12.17	-
AntiVir	7.9.0.45	2008.12.17	-
Authentium	5.1.0.4	2008.12.17	-
Avast	4.8.1281.0	2008.12.17	-
AVG	8.0.0.199	2008.12.17	-
BitDefender	7.2	2008.12.17	-
CAT-QuickHeal	10.00	2008.12.17	-
ClamAV	0.94.1	2008.12.17	-
Comodo	771	2008.12.17	-
DrWeb	4.44.0.09170	2008.12.17	-
eSafe	7.0.17.0	2008.12.17	-
eTrust-Vet	31.6.6265	2008.12.17	-
Ewido	4.0	2008.12.17	-
F-Prot	4.4.4.56	2008.12.17	-
F-Secure	8.0.14332.0	2008.12.17	-
Fortinet	3.117.0.0	2008.12.17	-
GData	19	2008.12.17	-
Ikarus	T3.1.1.45.0	2008.12.17	-
K7AntiVirus	7.10.556	2008.12.17	-
Kaspersky	7.0.0.125	2008.12.17	-
McAfee	5467	2008.12.17	-
McAfee+Artemis	5467	2008.12.17	-
Microsoft	1.4205	2008.12.17	-
NOD32	3699	2008.12.17	-
Norman	5.80.02	2008.12.17	-
Panda	9.0.0.4	2008.12.17	-
PCTools	4.4.2.0	2008.12.17	-
Prevx1	V2	2008.12.17	-
Rising	21.08.22.00	2008.12.17	-
SecureWeb-Gateway	6.7.6	2008.12.17	-
Sophos	4.37.0	2008.12.17	-
Sunbelt	3.2.1801.2	2008.12.11	-
Symantec	10	2008.12.17	-
TheHacker	6.3.1.4.190	2008.12.17	-
TrendMicro	8.700.0.1004	2008.12.17	-
VBA32	3.12.8.10	2008.12.17	-
ViRobot	2008.12.17.1523	2008.12.17	-
VirusBuster	4.5.11.0	2008.12.17	-
weitere Informationen
File size: 140800 bytes
MD5...: b198cb3b0689b10fdc4c8ccf8c3c3289
SHA1..: bc4b968b213bc87ce3ae38f73ebc828975f9df8a
SHA256: c3825263a7d5a7a1114233cee7b6c129689e81cba8fffdce964d061418165308
SHA512: 9977dc85c7f2ff3748e24b193e47ae04e8c698ff339931206012b43a32433bf5
b8e319a00e44440520c98fff86bf2be2787504b95b72076f881349fa40bbe942
ssdeep: 3072:Ubkh3VK2abS5VHwO8KdKiZuNuEJ+4PmtvCWv8v9PfmJvp5T39RKifwe8Q+T
aZ2IF:USVQO8uZUE4y/
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1005944
timedatestamp.....: 0x48025274 (Sun Apr 13 18:35:32 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x13f1a 0x14000 6.44 6023fb54332a750c6bd1e4e4b44ab0c5
.data 0x15000 0x170c 0x600 2.79 44a98784179a334c27cbc27b57643de2
.rsrc 0x17000 0xdbb8 0xdc00 3.81 05820a56bdfb477b87c3b8db51b46f77

( 11 imports ) 
> ADVAPI32.dll: RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, IsValidSid, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, RegOpenKeyExA, RegQueryValueExA, LookupPrivilegeValueW
> KERNEL32.dll: GetProcessAffinityMask, OpenProcess, MultiByteToWideChar, GetThreadTimes, TerminateProcess, GetPriorityClass, lstrcmpW, SetEvent, CreateEventW, GetComputerNameW, Sleep, FreeLibrary, SetProcessAffinityMask, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentDirectoryW, SetUnhandledExceptionFilter, lstrcmpiW, GetTickCount, HeapSize, GetProcAddress, GetNumberFormatW, HeapReAlloc, lstrlenW, GetCurrentProcess, SetPriorityClass, GetCommandLineW, GetStartupInfoW, GetModuleHandleW, ExitProcess, CreateMutexW, GetCurrentProcessId, ProcessIdToSessionId, ReleaseMutex, SetProcessShutdownParameters, WaitForSingleObject, ExpandEnvironmentStringsW, CreateProcessW, GetCurrentThreadId, FormatMessageW, lstrcatW, GetVersionExW, GetLocaleInfoW, LocalAlloc, LocalFree, HeapFree, HeapAlloc, GetProcessHeap, CreateThread, CloseHandle, lstrcpynW, lstrcpyW, GetLastError, LoadLibraryW, InterlockedCompareExchange, GetVersionExA, IsBadWritePtr, SetLastError, GetCurrentThread, DelayLoadFailureHook, UnhandledExceptionFilter
> GDI32.dll: CreateFontIndirectW, GetCharWidth32W, CreateCompatibleBitmap, Rectangle, SetBkMode, SetTextColor, CreateCompatibleDC, DeleteDC, GetCurrentObject, GetObjectW, BitBlt, SelectObject, MoveToEx, LineTo, CreatePen, GetStockObject, CreateRectRgn, DeleteObject, CreateSolidBrush, CombineRgn, SetRectRgn, GetDeviceCaps, FillRgn
> USER32.dll: DestroyIcon, LoadImageW, BeginDeferWindowPos, GetMenuItemCount, EnableMenuItem, GetSystemMetrics, SetMenuItemInfoW, LoadMenuW, DestroyMenu, ExitWindowsEx, LockWorkStation, GetAsyncKeyState, SetForegroundWindow, OpenIcon, LoadAcceleratorsW, MessageBoxW, CheckDlgButton, EndDialog, GetWindowTextW, IsDlgButtonChecked, GetSubMenu, InvalidateRect, GetSysColor, MonitorFromRect, SetTimer, LoadIconW, GetThreadDesktop, GetDialogBaseUnits, KillTimer, GetDesktopWindow, DestroyWindow, MessageBeep, MoveWindow, PostQuitMessage, IsZoomed, DispatchMessageW, TranslateMessage, IsDialogMessageW, TranslateAcceleratorW, GetMessageW, CreateDialogParamW, SendMessageTimeoutW, AllowSetForegroundWindow, GetWindowThreadProcessId, FindWindowW, RegisterWindowMessageW, FillRect, DrawTextW, UpdateWindow, GetDlgCtrlID, SetFocus, CreateWindowExW, DialogBoxParamW, GetShellWindow, SetScrollPos, GetScrollInfo, IsWindow, EnableWindow, GetFocus, CharLowerBuffW, TrackPopupMenuEx, GetGuiResources, EnumWindowStationsW, GetClassLongW, IsHungAppWindow, InternalGetWindowText, IsWindowVisible, GetWindow, SetMenuDefaultItem, EnumWindows, CloseDesktop, SetThreadDesktop, OpenDesktopW, EnumDesktopsW, CloseWindowStation, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, CascadeWindows, TileWindows, SwitchToThisWindow, GetLastActivePopup, EndTask, PostMessageW, ShowWindowAsync, GetCursorPos, SetDlgItemTextW, GetParent, GetWindowTextLengthW, SetRect, SetCursor, LoadCursorW, GetWindowRect, DeferWindowPos, EndDeferWindowPos, GetMenuItemInfoW, IsIconic, BeginPaint, EndPaint, DrawEdge, GetForegroundWindow, GetKeyState, PostThreadMessageW, wsprintfW, GetClientRect, SetScrollInfo, ShowWindow, SetWindowPos, SetMenu, GetDlgItem, MapWindowPoints, SendMessageW, GetMenu, CheckMenuRadioItem, CheckMenuItem, DeleteMenu, LoadStringW, SetWindowTextW, GetClassInfoW, RegisterClassW, GetDC, ReleaseDC, SystemParametersInfoW, GetWindowLongW, SetWindowLongW, CallWindowProcW, DefWindowProcW, RemoveMenu, 
GetWindowLongA
> ntdll.dll: _chkstk, _snwprintf, RtlUnwind, _wcsicmp, NtQueryVirtualMemory, NtOpenThread, NtClose, strrchr, RtlLargeIntegerToChar, RtlAnsiStringToUnicodeString, _ui64tow, mbstowcs, memmove, NtQuerySystemInformation, wcstol, NtShutdownSystem, NtInitiatePowerAction, NtPowerInformation, RtlTimeToElapsedTimeFields
> iphlpapi.dll: GetInterfaceInfo, GetNumberOfInterfaces, NhGetInterfaceNameFromDeviceGuid, GetIfEntry
> COMCTL32.dll: -, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetIconSize, ImageList_Create, CreateStatusWindowW
> SHLWAPI.dll: StrStrIW, -, StrFormatByteSizeW, -, wnsprintfW
> SHELL32.dll: Shell_NotifyIconW, -, ShellAboutW, -, -, -, -
> Secur32.dll: GetUserNameExW
> VDMDBG.dll: VDMEnumTaskWOWEx, VDMTerminateTaskWOW
         

Eempty.com
Code:
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.12.17.3	2008.12.17	-
AntiVir	7.9.0.45	2008.12.17	-
Authentium	5.1.0.4	2008.12.17	-
Avast	4.8.1281.0	2008.12.16	-
AVG	8.0.0.199	2008.12.16	-
BitDefender	7.2	2008.12.17	-
CAT-QuickHeal	10.00	2008.12.17	-
ClamAV	0.94.1	2008.12.17	-
Comodo	764	2008.12.16	-
DrWeb	4.44.0.09170	2008.12.17	-
eSafe	7.0.17.0	2008.12.16	-
eTrust-Vet	31.6.6265	2008.12.17	-
Ewido	4.0	2008.12.16	-
F-Prot	4.4.4.56	2008.12.16	-
Fortinet	3.117.0.0	2008.12.17	-
GData	19	2008.12.17	-
Ikarus	T3.1.1.45.0	2008.12.17	-
K7AntiVirus	7.10.555	2008.12.16	-
Kaspersky	7.0.0.125	2008.12.17	-
McAfee	5466	2008.12.16	-
McAfee+Artemis	5466	2008.12.16	-
Microsoft	1.4205	2008.12.17	-
NOD32	3697	2008.12.17	-
Norman	5.80.02	2008.12.16	-
Panda	9.0.0.4	2008.12.17	-
PCTools	4.4.2.0	2008.12.16	-
Rising	21.08.22.00	2008.12.17	-
SecureWeb-Gateway	6.7.6	2008.12.17	-
Sophos	4.36.0	2008.12.17	-
Sunbelt	3.2.1801.2	2008.12.11	-
Symantec	10	2008.12.17	-
TheHacker	6.3.1.4.189	2008.12.16	-
TrendMicro	8.700.0.1004	2008.12.17	-
VBA32	3.12.8.10	2008.12.16	-
ViRobot	2008.12.17.1523	2008.12.17	-
VirusBuster	4.5.11.0	2008.12.16	-
weitere Informationen
File size: 28672 bytes
MD5...: 531c58770c9c4c5c8715dc141abd4ddd
SHA1..: 592520b5c123fb1a558d3aed687c12be1a19d973
SHA256: 8c61e30b251d4756a3081ef1b70f96c90ebe5713a9966dc20721af9c4165d1e9
SHA512: aa14c3c3a62e6f9df79b2e8dc4711fede8352dab092156ae8ffbde33803b413d
90ae3d05dd2164cf111d98f1f7d4c5dc6e1e3e63956cbdd8dc39143afd069aa0
ssdeep: 384:Wg0MvVx9fzmlXUBWEYHyyBYrh6oZqWtR:LfXKTHyY+h6on
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401010
timedatestamp.....: 0x48ef47c1 (Fri Oct 10 12:17:05 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x288e 0x3000 5.91 198f4e38f8e14d9c5d88044d22617c84
.rdata 0x4000 0x736 0x1000 3.01 30beb8b339ff491f47a323f852d5e3c0
.data 0x5000 0x9bc 0x1000 0.87 5dd0366f742b8f20fd3b8ef03763cab4
.rsrc 0x6000 0x6a8 0x1000 2.23 1b4e4145b58e683ef4eac921fcc561f4

( 1 imports ) 
> KERNEL32.dll: GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, WriteFile, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

( 0 exports ) 
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=531c58770c9c4c5c8715dc141abd4ddd
         


r.com

Code:
Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.11.14.3	2008.11.16	-
AntiVir	7.9.0.31	2008.11.14	-
Authentium	5.1.0.4	2008.11.15	-
Avast	4.8.1281.0	2008.11.16	-
AVG	8.0.0.199	2008.11.16	-
BitDefender	7.2	2008.11.16	-
CAT-QuickHeal	10.00	2008.11.15	-
ClamAV	0.94.1	2008.11.15	-
DrWeb	4.44.0.09170	2008.11.16	-
eSafe	7.0.17.0	2008.11.16	-
eTrust-Vet	31.6.6210	2008.11.14	-
Ewido	4.0	2008.11.16	-
F-Prot	4.4.4.56	2008.11.15	-
F-Secure	8.0.14332.0	2008.11.16	-
Fortinet	3.117.0.0	2008.11.15	-
GData	19	2008.11.16	-
Ikarus	T3.1.1.45.0	2008.11.16	-
K7AntiVirus	7.10.526	2008.11.15	-
Kaspersky	7.0.0.125	2008.11.16	-
McAfee	5435	2008.11.15	-
Microsoft	1.4104	2008.11.16	-
NOD32	3615	2008.11.15	-
Norman	5.80.02	2008.11.14	-
Panda	9.0.0.4	2008.11.16	-
PCTools	4.4.2.0	2008.11.16	-
Prevx1	V2	2008.11.16	-
Rising	21.03.42.00	2008.11.14	-
SecureWeb-Gateway	6.7.6	2008.11.16	-
Sophos	4.35.0	2008.11.16	-
Sunbelt	3.1.1801.2	2008.11.14	Trojan-Proxy.Win32.Horst.J (vf)
Symantec	10	2008.11.16	-
TheHacker	6.3.1.1.155	2008.11.15	-
TrendMicro	8.700.0.1004	2008.11.14	-
VBA32	3.12.8.9	2008.11.15	-
ViRobot	2008.11.15.1470	2008.11.15	-
VirusBuster	4.5.11.0	2008.11.16	-
weitere Informationen
File size: 153600 bytes
MD5...: ad9226bf3ced13636083bb9c76e9d2a2
SHA1..: 5192bd0e6cbbb4074172463804f8ffb0fab916e4
SHA256: 832faa57842c1bc8343ce0934f66d85fa2852ffcb16011902a67ecf9d0cd8241
SHA512: 63d140f04ade495036de8168621832bb8c4ea7b17cf46df4fcbb756bcfc51290
7cdfcb9b872032a14e960ef6be98d6b8a73cb54a44ab5fcedb6f6a637dc8418e
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101691e
timedatestamp.....: 0x48025214 (Sun Apr 13 18:33:56 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x17902 0x17a00 6.37 c955a3871382133757b77b2ef8713803
.data 0x19000 0x40da0 0x400 1.20 def7edb164ce2210badeb06959cdaa48
.rsrc 0x5a000 0xd510 0xd600 3.70 e285afbe730d03d7363a5527697d112a

( 14 imports ) 
> msvcrt.dll: __p__commode, _adjust_fdiv, __p__fmode, _initterm, __getmainargs, _acmdln, __set_app_type, _except_handler3, __setusermatherr, _controlfp, exit, _XcptFilter, _exit, _c_exit, swprintf, iswprint, wcsncpy, wcslen, wcscat, wcscpy, _purecall, iswctype, wcscmp, wcschr, wcsncmp, wcsrchr, _cexit, memmove
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, InitializeSecurityDescriptor, RegDeleteValueW, InitializeAcl, SetSecurityDescriptorDacl, SetSecurityDescriptorSacl, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetInheritanceSourceW, LookupAccountSidW, GetSidSubAuthorityCount, GetSidSubAuthority, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, GetSecurityDescriptorGroup, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, SetSecurityInfo, SetNamedSecurityInfoW, GetNamedSecurityInfoW, MapGenericMask, RegSetValueExA, RegSetValueW, RegFlushKey, RegSaveKeyW, RegRestoreKeyW, RegConnectRegistryW, RegQueryValueExW, RegCloseKey, RegOpenKeyW, RegSetValueExW, RegCreateKeyW, RegEnumValueW, RegEnumKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegUnLoadKeyW, RegLoadKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegDeleteKeyW
> KERNEL32.dll: ReadFile, DeleteFileW, WriteFile, WideCharToMultiByte, CreateFileW, OutputDebugStringW, GetLastError, SetFilePointer, GetFileSize, SearchPathW, GetTimeFormatW, GetDateFormatW, GetSystemDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, FreeLibrary, LoadLibraryW, MulDiv, lstrcpynW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, MultiByteToWideChar, lstrcmpW, FormatMessageW, GetThreadLocale, GetModuleHandleW, ExitProcess, GetCommandLineW, GetProcessHeap, lstrcatW, LocalAlloc, GetCurrentProcess, CloseHandle, LocalFree, GetComputerNameW, lstrcmpiW, lstrlenW, lstrcpyW, LocalReAlloc, GlobalAlloc, GlobalLock, GlobalUnlock, GetProcAddress, LoadLibraryA
> GDI32.dll: GetStockObject, SetAbortProc, StartDocW, StartPage, SetViewportOrgEx, EndPage, EndDoc, AbortDoc, DeleteDC, CreateBitmap, CreatePatternBrush, PatBlt, ExcludeClipRect, SelectClipRgn, DeleteObject, SetBkColor, SetTextColor, ExtTextOutW, GetDeviceCaps, CreateFontIndirectW, SelectObject, GetTextMetricsW
> USER32.dll: SendDlgItemMessageW, SetDlgItemTextW, SetWindowLongW, DefWindowProcW, ReleaseDC, GetDC, SetScrollInfo, wsprintfW, DestroyCaret, ReleaseCapture, KillTimer, SetCaretPos, ScrollWindowEx, ShowCaret, HideCaret, InvalidateRect, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, GetClipboardData, WinHelpW, EndDialog, GetWindowLongW, EndPaint, BeginPaint, CreateCaret, SetTimer, SetCapture, SetFocus, CharLowerW, GetDlgItem, DestroyMenu, TrackPopupMenuEx, IsClipboardFormatAvailable, EnableMenuItem, GetSubMenu, LoadMenuW, GetKeyState, RegisterClassW, LoadCursorW, RegisterClipboardFormatW, CheckRadioButton, SendMessageW, GetWindowTextW, GetParent, GetDlgItemTextW, IsDlgButtonChecked, GetDlgCtrlID, CallWindowProcW, GetWindowTextLengthW, GetDlgItemInt, PostQuitMessage, GetWindowPlacement, SetWindowTextW, EnableWindow, GetWindowRect, DrawMenuBar, InsertMenuItemW, DeleteMenu, SetMenuItemInfoW, GetMenu, GetMenuItemInfoW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, IsIconic, DestroyIcon, LoadImageW, GetSysColor, SetCursor, ShowCursor, ShowWindow, SetWindowPlacement, CreateWindowExW, GetProcessDefaultLayout, GetMessageW, ScreenToClient, SetCursorPos, DispatchMessageW, ClientToScreen, GetDesktopWindow, LoadIconW, PostMessageW, SetMenuDefaultItem, InsertMenuW, GetMenuItemID, CheckMenuItem, UpdateWindow, RegisterClassExW, CharNextW, GetClientRect, DestroyWindow, CreateDialogParamW, CheckDlgButton, DrawAnimatedRects, IntersectRect, ModifyMenuW, GetMessagePos, TranslateMessage, TranslateAcceleratorW, LoadAcceleratorsW, SetForegroundWindow, GetLastActivePopup, BringWindowToTop, FindWindowW, LoadStringW, GetWindow, IsDialogMessageW, PeekMessageW, MessageBoxW, CharUpperBuffW, CharUpperW, IsCharAlphaNumericW, GetSystemMetrics, MoveWindow, MapWindowPoints, DialogBoxParamW, SetWindowPos, MessageBeep
> COMCTL32.dll: -, -, -, -, InitCommonControlsEx, -, -, ImageList_SetBkColor, ImageList_Create, ImageList_Destroy, -, -, ImageList_ReplaceIcon, -, -, -, -, CreateStatusWindowW
> comdlg32.dll: GetOpenFileNameW, GetSaveFileNameW, PrintDlgExW
> SHELL32.dll: ShellAboutW, DragQueryFileW, DragFinish
> AUTHZ.dll: AuthzInitializeContextFromSid, AuthzAccessCheck, AuthzFreeContext, AuthzFreeResourceManager, AuthzInitializeResourceManager
> ACLUI.dll: -
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitializeEx, ReleaseStgMedium
> ulib.dll: _Resize@DSTRING@@UAEEK@Z, _Initialize@ARRAY@@QAEEKK@Z, _NewBuf@DSTRING@@UAEEK@Z, __1DSTRING@@UAE@XZ, __1OBJECT@@UAE@XZ, __0OBJECT@@IAE@XZ, _Compare@OBJECT@@UBEJPBV1@@Z, __0DSTRING@@QAE@XZ, _Initialize@WSTRING@@QAEEPBV1@KK@Z, _Strcat@WSTRING@@QAEEPBV1@@Z, __0ARRAY@@QAE@XZ, _Initialize@WSTRING@@QAEEPBGK@Z
> clb.dll: ClbAddData, ClbSetColumnWidths
> ntdll.dll: RtlFreeHeap, RtlAllocateHeap
         

Alt 28.12.2008, 20:58   #4
koestech


2. There were a few problems along the way (syntax errors, see the log)

Code:
ATTFilter
//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Dec 28 16:56:06 2008

16:56:00: Error: Invalid registry syntax in command:
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry value replacement mode)  
16:56:06: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Dec 28 16:56:46 2008

16:56:19: Error: Invalid registry syntax in command:
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry value replacement mode)  
16:56:45: Error: Invalid syntax in command:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Skipping line.  (Registry value deletion mode)  
16:56:46: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Dec 28 16:58:01 2008

16:57:29: Error: Invalid registry syntax in command:
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry value replacement mode)  
16:57:32: Error: Invalid syntax in command:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Skipping line.  (Registry value deletion mode)  
16:57:47: Error: Invalid syntax in command:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Skipping line.  (Registry value deletion mode)  
16:57:54: Error: Invalid syntax in command:
"HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run"
Skipping line.  (Registry value deletion mode)  
16:58:01: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Dec 28 17:01:07 2008

17:00:56: Error: Invalid registry syntax in command:
"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|load"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line.  (Registry value replacement mode)  
17:00:57: Error: Invalid syntax in command:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Skipping line.  (Registry value deletion mode)  
17:00:57: Error: Invalid syntax in command:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Skipping line.  (Registry value deletion mode)  
17:01:01: Error: Invalid syntax in command:
"HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run"
Skipping line.  (Registry value deletion mode)  


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System\cisvc.exe" deleted successfully.
File "C:\WINDOWS\System\rsvp.exe" deleted successfully.
File "C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe" deleted successfully.
File "c:\windows\R.COM" deleted successfully.
File "c:\windows\system32\T.COM" deleted successfully.
File "c:\windows\system32\eEmpty.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         
3. http://www.file-upload.net/download-1342767/listing.txt.html

4. Trojan:Win32/Horst.gen!B found and removed

5.
Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:37, on 28.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\sessmgr.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Cyberlink\Shared Files\brs.exe
C:\Programme\QuickTime\QTTask.exe
D:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Trillian\trillian.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Download\1_Neue Downloads\qlketzd(3).com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://w*w.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\sessmgr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nTrayFw] C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] C:\Programme\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\WINDOWS\System\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\WINDOWS\System32\drivers\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {ECDB7588-09B7-418F-8F61-D092E84D6E9A} (Gif89 MPG4 Class) - h**p://217.91.67.171:81/xplugmpg4.cab
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - E:\Programme\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Programme\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: AVM IGD CTRL Service (IGDCTRL) - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Programme\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Programme\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9527 bytes
         
Many thanks.

Best regards,

Christian

Alt 28.12.2008, 21:15   #5
john.doe


Start HJT => Do a system scan only => Check:
Code:
ATTFilter
F3 - REG:win.ini: load=C:\WINDOWS\sessmgr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\WINDOWS\System\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\WINDOWS\System32\drivers\mqtgsvc.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'Default user')
         
=> Fix checked => Reboot => Check whether the entries are gone.

Do you feel confident working with regedit?

ciao, andreas
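
The triage behind the list above (policy Run keys, the win.ini load= entry, binaries started from a user profile, a BHO whose DLL is missing) can be automated over HijackThis-style log lines. The following Python script is an added example, not code from the thread or from HijackThis; its sample lines are constructed after the log posted above.

```python
"""Triage of HijackThis-style log lines (added example, not code from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
F3 - REG:win.ini: load=C:\WINDOWS\sessmgr.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [rsvp] C:\WINDOWS\System\rsvp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [MqtgSVC] C:\WINDOWS\System32\drivers\mqtgsvc.exe /waitservice
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MqtgSVC] C:\DOKUME~1\CHRIST~1\ANWEND~1\mqtgsvc.exe /waitservice (User 'Default user')
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
"""

# O4: "<hive>\..\<key>: [<name>] <command>"; F3: win.ini load=/run=; O2: browser helper objects.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<entry>load|run)=(?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")

# Lower-cased path fragments (German and English XP profile names) that point into a user profile.
PROFILE_HINTS = (
    "\\dokume~1\\", "\\dokumente und einstellungen\\", "\\anwend~1\\", "\\anwendungsdaten\\",
    "\\docume~1\\", "\\documents and settings\\", "\\application data\\",
)


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_line(line: str) -> list[str]:
    """Return the reasons a single log line deserves a second look (empty list if none)."""
    reasons: list[str] = []
    m = O4_RE.match(line)
    if m:
        key = m.group("key").lower()
        cmd = m.group("cmd").lower()
        # The policy Run key is processed like Run but is seldom used by legitimate software.
        if key.endswith("policies\\explorer\\run"):
            reasons.append("autostart via Policies\\Explorer\\Run")
        if any(hint in cmd for hint in PROFILE_HINTS):
            reasons.append("autostart binary located in a user profile directory")
        return reasons
    m = F3_RE.match(line)
    if m:
        # win.ini load=/run= is a legacy autostart that modern software does not use.
        reasons.append(f"legacy win.ini {m.group('entry')}= autostart")
        return reasons
    m = O2_RE.match(line)
    if m and m.group("path").endswith("(file missing)"):
        reasons.append("BHO registered but DLL missing (orphaned entry)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line and keep only the lines that were flagged."""
    findings = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw.strip())
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

A flagged line is a candidate for review, not proof of infection; the unflagged avgnt line shows that ordinary HKLM\..\Run entries pass through untouched.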


Alt 28.12.2008, 22:00   #6
koestech


Hi Andreas,

I fixed the entries. They also stayed gone after the reboot.

Regedit should not be a problem.

Best regards,

Christian

Alt 28.12.2008, 22:25   #7
john.doe


Is the computer still showing anything unusual?

ciao, andreas
