Trojaner-Board

Thread: Storage space keeps shrinking (https://www.trojaner-board.de/31348-speicherplatz-verringert.html)

vincewega 14.08.2006 08:35

I think it worked this time.

Log of the AVZ antivirus utility version 4.19
Scanning started at 14.08.2006 09:04:05
Database loaded 32749 signatures, 2 NN profile, 55 scripts cure, AV base from 13.08.2006 17:28
Heuristics microprograms loaded : 359
Digital signatures of system files loaded: 51173
Heuristic analyzer mode Maximum heuristics level
Cure mode: enabled
1. Searching for rootkits and programs that intercept API functions
1.1 Searching for user-mode API hooks
Analysis kernel32.dll, export table found in section .text
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C882FC4<>7C801D77
Hook kernel32.dll:LoadLibraryA (578) neutralized
>>> Functions LoadLibraryA - vaccination of the process by AVZ against interception by address replacement !!)
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C882FD3<>7C801D4F
Hook kernel32.dll:LoadLibraryExA (579) neutralized
>>> Functions LoadLibraryExA - vaccination of the process by AVZ against interception by address replacement !!)
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C882FF1<>7C801AF1
Hook kernel32.dll:LoadLibraryExW (580) neutralized
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C882FE2<>7C80AE4B
Hook kernel32.dll:LoadLibraryW (581) neutralized
Analysis ntdll.dll, export table found in section .text
Analysis user32.dll, export table found in section .text
Analysis advapi32.dll, export table found in section .text
Analysis ws2_32.dll, export table found in section .text
Analysis wininet.dll, export table found in section .text
Analysis rasapi32.dll, export table found in section .text
Analysis urlmon.dll, export table found in section .text
Analysis netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver is successfully loaded
SDT found (RVA=07B180)
Kernel ntkrnlpa.exe located in the memory at the address 804D7000
SDT = 80552180
KiST = 85ED7160 (297)
>>> Attention, the KiST table is relocated ! (80501030(284)->85ED7160(297))
Functions checked: 284, intercepted: 0, restored: 0
2. Scanning the memory
Processes found: 36
Analyzer - the process is under analysis 2004 C:\WINDOWS\system32\oodag.exe
[ES]:Contains networking functionality
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
[ES]:EXE packer ?
[ES]:Located in the system folder
[ES]:Loads RASAPI DLL - most likely uses dialing?
Analyzer - the process is under analysis 2320 C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[ES]:Application has no visible windows
[ES]:Registered in autorun !!
Analyzer - the process is under analysis 2648 C:\PROGRA~1\MI3AA1~1\rapimgr.exe
[ES]:Contains networking functionality
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
Analyzer - the process is under analysis 2740 C:\Programme\Logitech\SetPoint\SetPoint.exe
[ES]:Contains networking functionality
[ES]:Application has no visible windows
[ES]:Registered in autorun !!
Analyzer - the process is under analysis 1204 C:\Programme\ewido anti-spyware 4.0\guard.exe
[ES]:Contains networking functionality
[ES]:Application has no visible windows
Modules loaded: 532
Memory check completed
3. Scanning disks
C:\Programme\Symantec\Norton PartitionMagic 8.0\RESCUEME\DOSYSTEM\COMMAND.COM - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
C:\Programme\Symantec\Norton PartitionMagic 8.0\RESCUEME\DOSYSTEM\FDISK.COM - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
C:\Programme\Symantec\Norton PartitionMagic 8.0\RESCUEME\DOSYSTEM\KEYB.COM - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
C:\Programme\Symantec\Norton PartitionMagic 8.0\RESCUEME\DOSYSTEM\MODE.COM - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
C:\Programme\WinRAR\RAR.exe.bak - PE file with nonstandard extension(level of danger 5%)
C:\Programme\WinRAR\WinRAR.exe.bak - PE file with nonstandard extension(level of danger 5%)
C:\Programme\WS_FTP\ftpscrpt.com - PE file with modified extension, allowing for startup (typical for viruses)(level of danger 35%)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors have been detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Logitech\SetPoint\lgscroll.dll --> Suspicion for a Keylogger or Trojan DLL
C:\Programme\Logitech\SetPoint\lgscroll.dll>>> Behavioral analysis:
1. Reacts to events: keyboard, mouse, window events, all events
C:\Programme\Logitech\SetPoint\lgscroll.dll>>> Neural network: file with probability 96.40% appears like a typical keyboard/mouse events trap
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hook DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
In the database 319 port description
Opened on this PC 15 TCP ports and 16 UDP ports
Check completed, no suspicious objects detected
7. Heuristic system check
Check completed
Files scanned: 194576, extracted from archives: 120326, malicious programs found 0
Scanning terminated at 14.08.2006 09:31:22
Scanning lasted 00:27:17
Autoquarantine is executed
Autoquarantine completed
Creating the arhive of files from the quarantine
Creating the arhive of files from the quarantine is completed
Standard script is executed: Update databases with automatic settings
Starting automatic update
Update parameters:Use Internet Explorer settings
Automatic update completed successfully
AV databases (according to IE settings) updated successfully

vincewega 14.08.2006 17:57

Well, whether I actually had a virus I still can't say. Fortunately, the storage space problem is now solved. 40 gigabytes of data had accumulated in the system folder C:\System Volume Information\_restore. I deleted the entire contents of the folder, and now everything works fine again, or rather the space is back. Thanks in any case for your help, and if someone would still take a look at the log file, that would be nice too.

