So, I hope I'm posting the right thing here. I've never done anything like this before :/
The file check at virustotal:
msauc.exe
Ergebnis: 10/36 (27.78%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 DR/Delphi.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.09 Win32/Heur
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Trojan.MulDrop.18267
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 Trojan.Win32.Buzus.qpv
Ikarus T3.1.1.34.0 2008.08.09 Downloader.Delphi
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 Trojan.Win32.Buzus.qpv
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 VirTool:Win32/DelfInject.gen!AM
NOD32v2 3341 2008.08.08 a variant of Win32/Injector.CA
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Cloaked Malware
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Dropper.Delphi.Gen
weitere Informationen
File size: 173056 bytes
MD5...: c18d9afdd46e9a37f0efd9798db965c8
SHA1..: f6b2bd1109603370cec532b24756c86d593a580a
SHA256: d2cb609c81557fd7140297a07ff7da91bafbcfbfdd40f9b7c221fc8f77dba0dc
SHA512: 309347b725e3e3da42153cb20f0125e19d84cc11986e82bf7601e4d2badbad591dd0a29dc41d67427de2f949d1e8189ed0daa9e41be19c74ed9b9aca7563906d
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x20224c
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x1464 0x1600 6.07 2162c62f09932d6119e70d15c523d9d2
DATA 0x3000 0x28078 0x28200 8.00 8dd745f546e58c2c1014b05cb59a7b29
BSS 0x2c000 0x255 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x2d000 0x200 0x200 4.27 dd6bdda0840264dd36df36d1d6d3c93c
.tls 0x2e000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x2f000 0x18 0x200 0.20 194a1236d8d346ed37e56d37571e2196
.reloc 0x30000 0x1c0 0x200 5.60 1c4ab4b8798b59c4a0a0334a6cbf3122
.rsrc 0x31000 0x78 0x200 0.42 b5d4ff36683bc2f3edcf97b0dd597eb5
( 4 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
> kernel32.dll: LoadLibraryA, GetProcAddress
> gdi32.dll: SetTextColor
> user32.dll: GetDC
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=0A3C483A0085FA7EA49102443A166A00393B5FDE
Datei lphclsej0e93w.exe
Ergebnis: 4/36 (11.11%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - TrojanDownloader:Win32/Renos.gen!AQ
NOD32v2 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Malicious Software
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - -
weitere Informationen
MD5: d5c215bd13f4ae57f07cc82cea7da85d
SHA1: 3be3077f61b35effcdb59ce0515f0b79b316c3d6
SHA256: a3e8d3eaacb65a64ce9c2a6318c38f627dd96bd7a8805d94ba7af72555a92b57
SHA512: 37f19581445060887587fb7f9f5aa06abedca2051773c289fc60e6090ffc951ebd81c1895a582db9db857c8364ac17233aaf08c2c37f5edba87c596a14880471
Datei rhcgsej0e93w.exe
Ergebnis: 9/35 (25.72%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 -
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.09 Generic11.HJK
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 Trojan.Win32.Monder.gen
Fortinet 3.14.0.0 2008.08.09 W32/Monder.ZDC!tr
GData 2.0.7306.1023 2008.08.09 Trojan.Win32.Monder.gen
Ikarus T3.1.1.34.0 2008.08.09 Virus.Trojan.Win32.Monder
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 Trojan.Win32.Monder.gen
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 Program:Win32/Antivirus2008
NOD32v2 3341 2008.08.08 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Malicious Software
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 -
weitere Informationen
File size: 790528 bytes
MD5...: 5d26da4de5c59fd2e4f2eb66626d0160
SHA1..: a9d1e4d3d33753071cdb33e1a4fb50b961f627d6
SHA256: 061d3d3c5c433475ce4021ee7fa79ac4e4f32514ee4a8b83af611d0cbc06e737
SHA512: d4fb4bc0d92cb58b09c2e698a281e1a9a0145a29642261fb3b7add7bd21ac68a29d5347c0890ae619bc021e2c033e4edeb0e858d681750fb4bd888e57f93655c
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401bd7
timedatestamp.....: 0x489c6d2c (Fri Aug 08 15:58:36 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x96fdec 0x4000 5.10 abe9e076c8ca5e676946e080f8f1e3c4
.rdata 0x971000 0xadc64 0xae000 7.99 3af97df68ee3967fda003dc118ea61e9
.rsrc 0xa1f000 0xd000 0xd000 4.18 716295caba74e83b629eb981e3f96b1f
.pack32 0xa2c000 0xd5c 0x1000 0.89 d7b6b9ba844af8d248b75a3c70ed3b80
( 2 imports )
> kernel32.dll: CreateDirectoryExA, ReadConsoleInputExA, IsBadWritePtr, FlushConsoleInputBuffer, ReadProcessMemory, FindNextFileW, Process32NextW
> user32.dll: DdeAccessData, GetClassInfoA, IsHungAppWindow, GetDlgItemTextW, CreateMDIWindowA, SetDebugErrorLevel, GetDlgItem, FrameRect
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=D1CF9C8800A2395510800C311D7A5800E822021B
Datei svchost.exe
Ergebnis: 11/36 (30.56%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.09 Pakes
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 -
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 Trojan-Downloader.Win32.Small.aapn
Ikarus T3.1.1.34.0 2008.08.09 Trojan.Crypt.XPACK
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 Trojan-Downloader.Win32.Small.aapn
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 -
NOD32v2 3341 2008.08.08 -
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 Suspicious file
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Cloaked Malware
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 Mal/EncPk-EI
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 Trojan.Crypt.PL
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Crypt.XPACK.Gen
weitere Informationen
File size: 25088 bytes
MD5...: 281391922c3f5466e970cedc92c93ea9
SHA1..: ecd2f0ec1113d75e885ee28c72aa640b4c7d0bab
SHA256: 5a08874f23c7c26b5f6ab97077ed807ef286a7f49715e4a88c9e586e5a5f061f
SHA512: 8ccc50c2b05e5925257b38e0d44fa697eb8832c0470fc05e5667a4cea792a51f2eebf6a7535807547ff781380fcf72b05a487d9130fe147f81d8efc92cbcf186
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4010a3
timedatestamp.....: 0x47f48d4d (Thu Apr 03 07:54:53 2008)
machinetype.......: 0x14c (I386)
( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x103c 0x1200 2.84 f0a6c524a61fa0d470a7e71a6608a18f
.data 0x3000 0x12f94 0x4c00 7.76 8cbed7d1834462e51ca853b73a83a4b6
( 1 imports )
> comctl32.dll: ImageList_GetIconSize, ImageList_Draw, DrawStatusTextW, CreateToolbar, ImageList_Add, ImageList_DrawEx, ImageList_DragEnter, ImageList_GetIcon, CreateUpDownControl
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=91D5316000329F1B62ED003B3C2E07003F9AD1BC
Datei pphclsej0e93w.exe
Ergebnis: 26/36 (72.23%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.9.0 2008.08.08 Win-Trojan/Fackav.94208
AntiVir 7.8.1.19 2008.08.09 TR/Dldr.FraudLoa.NC
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.09 Agent.ZAK
BitDefender 7.2 2008.08.09 Dropped:BAT.AutoDelete.A
CAT-QuickHeal 9.50 2008.08.08 FraudTool.MalwareProtector.d (Not a Virus)
ClamAV 0.93.1 2008.08.09 BAT.AutoDelete.A
DrWeb 4.44.0.09170 2008.08.09 Trojan.Fakealert.949
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 Win32/FakeAlert.AL
Ewido 4.0 2008.08.09 Not-A-Virus.PUP.MalwareProtector.d
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 FraudTool.Win32.MalwareProtector.d
Fortinet 3.14.0.0 2008.08.09 Misc/MalwareProtector
GData 2.0.7306.1023 2008.08.09 -
Ikarus T3.1.1.34.0 2008.08.09 BAT.AutoDelete.A
K7AntiVirus 7.10.408 2008.08.09 not-a-virus:FraudTool.Win32.MalwareProtector.d
Kaspersky 7.0.0.125 2008.08.09 not-a-virus:FraudTool.Win32.MalwareProtector.d
McAfee 5357 2008.08.08 FakeAlert-AQ
Microsoft 1.3807 2008.08.09 Trojan:Win32/XPAntiVirus.C
NOD32v2 3341 2008.08.08 Win32/TrojanDownloader.FakeAlert.FK
Norman 5.80.02 2008.08.08 W32/WinFixer.CBQ
Panda 9.0.0.4 2008.08.09 Application/AntivirusXP2008
PCTools 4.4.2.0 2008.08.09 RogueAntiSpyware.AntivirusXP2008
Prevx1 V2 2008.08.09 Cloaked Malware
Rising 20.56.41.00 2008.08.08 Trojan.Win32.Undef.ive
Sophos 4.32.0 2008.08.09 Troj/FakeAle-ES
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 XPAntivirus
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 TROJ_FAKEALER.HO
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Dldr.FraudLoa.NC
weitere Informationen
File size: 94208 bytes
MD5...: bbc8fa3899a801ce9ea1f77bcc161662
SHA1..: eefa3e03424239ec0b53006336f2f9714434aa1a
SHA256: c8050919cffaf4018875b4980cbb1eb0c717fa00f98afcbd99f245694b6afff6
SHA512: e0f92e768b704ddc6b834655624a34bad1d17b43da4710138cf905fe344f65b83872ca9a2dd54dc34b4fdc68720176a33caac602a415e01fa142bbd62024e1c1
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x406df5
timedatestamp.....: 0x489c5376 (Fri Aug 08 14:08:54 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xda92 0xe000 6.56 36c45dcede157a764a7b5959a20fc4bf
.rdata 0xf000 0x2df4 0x3000 4.87 901149a62bb2def63a4308ba01db3b69
.data 0x12000 0x2ac0 0x2000 2.17 9a5b1b0544a0ba83777a36cb94f62677
.tls 0x15000 0x7 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x16000 0x1e20 0x2000 5.42 c257661d6c95eb7c3b5231af545a237d
( 5 imports )
> KERNEL32.dll: WaitForSingleObject, CreateMutexA, Sleep, TerminateProcess, GetTickCount, FindFirstFileA, FindClose, GetTempPathA, lstrcpyA, CreateFileA, WriteFile, CloseHandle, lstrcatA, GetModuleFileNameA, GetEnvironmentVariableA, GetDriveTypeA, GetVolumeInformationA, HeapAlloc, HeapFree, UnmapViewOfFile, OpenFileMappingA, MapViewOfFile, GetModuleHandleA, GetLastError, LoadLibraryA, GetProcAddress, SetStdHandle, GetOEMCP, IsBadCodePtr, IsBadReadPtr, FindResourceA, GetCurrentProcess, SizeofResource, LockResource, LoadResource, DeleteCriticalSection, InitializeCriticalSection, RaiseException, lstrlenW, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetACP, GetLocaleInfoA, GetThreadLocale, InterlockedExchange, lstrlenA, InterlockedDecrement, GetStringTypeW, GetStringTypeA, GetSystemInfo, VirtualProtect, GetCurrentProcessId, QueryPerformanceCounter, SetUnhandledExceptionFilter, VirtualQuery, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, UnhandledExceptionFilter, LocalFree, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement, GetSystemTimeAsFileTime, GetStartupInfoA, GetCommandLineA, RtlUnwind, ExitProcess, HeapReAlloc, LCMapStringA, LCMapStringW, GetCPInfo, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, HeapSize, TlsAlloc, SetLastError, GetCurrentThreadId, TlsFree, TlsSetValue, TlsGetValue, SetFilePointer, FlushFileBuffers, GetStdHandle
> ADVAPI32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> SHELL32.dll: ShellExecuteA
> ole32.dll: OleRun, CoInitialize, CoCreateInstance
> OLEAUT32.dll: -, -, -, -, -, -, -, -
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=80A554FC00389FB1701801BECADF06008DCBE955
When I tried to analyse the file C:\WINDOWS\system32\kduuu.exe, I got the following: '0 bytes size received / Se ha recibido un archivo vacio'
Datei iexplorer.exe
Ergebnis: 8/36 (22.23%)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 DR/Delphi.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.09 Win32/Heur
BitDefender 7.2 2008.08.09 -
CAT-QuickHeal 9.50 2008.08.08 -
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Trojan.MulDrop.18267
eSafe 7.0.17.0 2008.08.07 -
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 -
Ikarus T3.1.1.34.0 2008.08.09 Downloader.Delphi
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 -
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 VirTool:Win32/DelfInject.gen!AM
NOD32v2 3341 2008.08.08 a variant of Win32/Injector.CA
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Malicious Software
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 -
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Dropper.Delphi.Gen
weitere Informationen
File size: 29696 bytes
MD5...: 157f604376aea90af48082e229d4c55e
SHA1..: 0149a9eb3b0d33dad05dedf28c3059889cd6c73b
SHA256: 415d7042d3f70fa0302aa0cc77339eb1639ce6523c4afdc98c11f3db70c0277d
SHA512: bdbc738b8fbcd87443fbfb5856d668b4a04b653177538b4c6ecf847bed3725a6e8321a03cd1cb99a6050fbcf0c056d9d2eb3d211c82961df3ec9e0961e5fcf39
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x202240
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x1450 0x1600 6.06 50ba97808b11a1e182a5f47780b3c326
DATA 0x3000 0x5078 0x5200 7.95 579b274f46e6270e7fa4a62d2496a7b5
BSS 0x9000 0x255 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa000 0x200 0x200 4.04 817c381c774fb84001e980b9a0df6325
.tls 0xb000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xc000 0x18 0x200 0.20 3513355d908e1e90946c81cd71f650b6
.reloc 0xd000 0x1c0 0x200 5.54 ded59fef6b2dc016d5adec27aca97b3b
.rsrc 0xe000 0x78 0x200 0.40 09a545128d00c99d8241e48b9a5d2fe2
( 4 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
> kernel32.dll: LoadLibraryA, GetProcAddress
> gdi32.dll: SetTextColor
> user32.dll: GetDC
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AA1A930A00000AC074D500946925EC000A336375
Malwarebytes log:
Malwarebytes' Anti-Malware 1.24
Datenbank Version: 1034
Windows 5.1.2600 Service Pack 2
20:07:25 09.08.2008
mbam-log-8-9-2008 (20-07-25).txt
Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|)
Durchsuchte Objekte: 214473
Laufzeit: 1 hour(s), 11 minute(s), 0 second(s)
Infizierte Speicherprozesse: 5
Infizierte Speichermodule: 4
Infizierte Registrierungsschlüssel: 4
Infizierte Registrierungswerte: 9
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 12
Infizierte Dateien: 26
Infizierte Speicherprozesse:
C:\Programme\rhcgsej0e93w\rhcgsej0e93w.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\msauc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\lphclsej0e93w.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\pphclsej0e93w.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.
Infizierte Speichermodule:
C:\Programme\rhcgsej0e93w\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Programme\rhcgsej0e93w\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Programme\rhcgsej0e93w\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\blphclsej0e93w.scr (Trojan.FakeAlert) -> Delete on reboot.
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcgsej0e93w (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcgsej0e93w (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcgsej0e93w (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplorer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphclsej0e93w (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kduuu.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Infizierte Verzeichnisse:
C:\Programme\rhcgsej0e93w (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\rhcgsej0e93w\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
Infizierte Dateien:
C:\WINDOWS\system32\kduuu.exe (Rootkit.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\wpx11.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Programme\The KMPlayer\KIconLib.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\rhcgsej0e93w.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\rhcgsej0e93w.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcgsej0e93w\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iexplorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpx12.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lich.dat (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phclsej0e93w.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphclsej0e93w.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphclsej0e93w.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphclsej0e93w.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.