System slow and unstable, constant malware and Trojan alerts
27.04.2008, 00:30
Honorary member
Posts: 29434

27.04.2008, 09:56
Honorary member
Posts: 29434
#17
Hello,
according to HijackThis, this would still need to be fixed:
O20 - Winlogon Notify: byXOiHwV - byXOiHwV.dll (file missing)
Then post the ComboFix log again, you deleted it yesterday (?)
__________
Regards, Sabina
all about PC security

27.04.2008, 17:25
Member
Thread starter, posts: 23
#18
Hello,
yesterday I uninstalled ComboFix as you instructed via Start - Run - Combofix /U. I deleted O20 with HijackThis.
********************************************+
ComboFix 08-04-26.5 - Admin 2008-04-27 17:43:24.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.246 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Admin\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.
((((((((((((((((((((((( Dateien erstellt von 2008-03-27 bis 2008-04-27 ))))))))))))))))))))))))))))))
.
2008-04-27 00:58 . 2008-04-27 00:58 <DIR> d-------- C:\fsaua.data
2008-04-26 19:17 . 2008-04-26 19:17 61,440 --a------ C:\WINDOWS\system32\drivers\gkacn.sys
2008-04-26 18:42 . 2008-04-26 18:42 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Malwarebytes
2008-04-26 18:41 . 2008-04-26 18:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-04-26 13:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-26 13:53 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-25 23:22 . 2008-04-25 23:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-24 19:19 . 2008-04-26 20:01 109,779 --a------ C:\WINDOWS\BM376244ea.xml
2008-03-31 18:24 . 2008-03-31 18:24 0 --a------ C:\WINDOWS\Ui.INI
2008-03-30 22:36 . 2008-03-30 22:36 690 --a------ C:\WINDOWS\system32\Verknüpfung mit DEVENV.EXE.lnk
2008-03-27 14:50 . 2002-04-15 17:38 196,608 -ra------ C:\WINDOWS\system32\SBMiniDrv.dll
2008-03-27 14:50 . 2001-11-08 10:53 18,120 -ra------ C:\WINDOWS\system32\drivers\gt680x.sys
2008-03-27 14:50 . 2001-11-29 16:47 8,192 -ra------ C:\WINDOWS\system32\drivers\SBfw.usb
2008-03-27 14:49 . 2008-03-27 14:49 0 --a------ C:\WINDOWS\WATCH.INI
2008-03-27 14:45 . 2008-03-27 14:45 492 --a------ C:\WINDOWS\MAXLINK.INI
2008-03-27 14:43 . 2008-03-27 14:43 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\WINDOWS
2008-03-27 14:43 . 1995-05-23 01:30 776,240 --a------ C:\WINDOWS\system\lead52.dll
2008-03-27 14:43 . 1997-09-18 01:30 332,800 --a------ C:\WINDOWS\system\hhctrl.ocx
2008-03-27 14:43 . 1997-09-18 01:30 169,120 --a------ C:\WINDOWS\system\itircl.dll
2008-03-27 14:43 . 1997-09-18 01:30 124,336 --a------ C:\WINDOWS\system\itss.dll
2008-03-27 14:42 . 2008-03-27 14:42 <DIR> d-------- C:\Programme\Mustek 1200 UB Plus
2008-03-27 14:38 . 2008-04-27 11:19 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\OpenOffice.org2
2008-03-27 14:37 . 2008-03-27 14:37 <DIR> d-------- C:\Programme\OpenOffice.org 2.1
4 Datei(en) . 3,718,928 C:\ComboFix\Bytes
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 19:50 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-26 12:08 90,112 ----a-w C:\WINDOWS\DUMP4a38.tmp
2008-04-19 16:34 36,296 ----a-w C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-03-30 20:37 --------- d--h--w C:\Programme\Zero G Registry
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 18:24 36,864 ----a-w C:\WINDOWS\system32\tjclip.dll
2008-03-02 13:40 --------- d-----w C:\Programme\avmwlanstick
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 15:05 766,365 ----a-w C:\WINDOWS\java\Packages\9JR353X7.ZIP
2008-02-15 15:05 518,922 ----a-w C:\WINDOWS\java\Packages\AT3BTZZ9.ZIP
2008-02-14 19:12 558,142 ----a-w C:\WINDOWS\java\Packages\SXNP7B1J.ZIP
2008-02-14 19:12 155,995 ----a-w C:\WINDOWS\java\Packages\5Z7BPNP7.ZIP
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9D80BA1-5D13-44AD-BD13-61450C6FE558}]
C:\WINDOWS\system32\vtUkklLD.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programme\Messenger\MSMSGS.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:57 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-10-28 08:38 47104 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 12:40 49152]
"DeviceDiscovery"="C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 21:56 40960]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2006-10-31 18:07 299048]
"UltraMon"="E:\UltraMon\UltraMon.exe" [2006-10-12 22:27 304640]
"AVMWlanClient"="C:\Programme\avmwlanstick\FRITZWLANMini.exe" [2006-06-23 12:24 343552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:57 15360]
C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Adobe Reader - Schnellstart.lnk - E:\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
Microsoft Office.lnk - E:\MicrosoftOfficeXP\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\BorlandTogehter\\jdk\\jre\\bin\\java.exe"=
"E:\\Maxima-5.11.0\\wxMaxima\\wxMaxima.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows-Peer-zu-Peer-Gruppierung
"3540:UDP"= 3540:UDPeer Name Resolution-Protokoll (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-11-22 14:29]
R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 19:31]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2006-11-22 14:29]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 22:22]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-11-04 16:29]
R3 FWLANUSB;AVM FRITZ!WLAN;C:\WINDOWS\system32\DRIVERS\fwlanusb.sys [2005-10-18 03:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-11-04 16:32]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 22:23]
S3 p2pgasvc;Peernetzwerk-Gruppenauthentifizierung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 p2pimsvc;Peernetzwerkidentitäts-Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 p2psvc;Peernetzwerk;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 PNRPSvc;Peer Name Resolution-Protokoll;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{358ba9ac-e85e-11dc-9a7d-0010dce427e8}]
\Shell\AutoRun\command - D:\pushinst.exe
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 17:44:45
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-04-27 17:45:45
ComboFix-quarantined-files.txt 2008-04-27 15:45:40
8 Verzeichnis(se), 36,087,296,000 Bytes frei
10 Verzeichnis(se), 36,312,076,288 Bytes frei
123 --- E O F --- 2008-04-26 10:00:28
____________
Regards, Dietmar
This post was edited on 27.04.2008 at 17:46 by Di.

27.04.2008, 18:56
Honorary member
Posts: 29434
#19
Hello,
also fix this with HijackThis:
O2 - BHO: (no name) - {D9D80BA1-5D13-44AD-BD13-61450C6FE558} - C:\WINDOWS\system32\vtUkklLD.dll (file missing)
---------------------
«« scan with Dr.Web in Safe Mode + then post the report
http://virus-protect.org/cureit.html
__________
Regards, Sabina
all about PC security

27.04.2008, 22:36
Member
Thread starter, posts: 23
#20
Hello,
***************************************
the report from DrWeb:
A0000027.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP1;möglicherweise BATCH.Virus;Verschoben.;
A0000032.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP1;möglicherweise SCRIPT.Virus;Verschoben.;
A0000063.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP2;möglicherweise BATCH.Virus;Verschoben.;
A0000069.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP2;möglicherweise SCRIPT.Virus;Verschoben.;
________________
Regards, Dietmar

27.04.2008, 22:50
Honorary member
Posts: 29434
#21
Hello,
1. My Computer --> right-click, then Properties --> System Restore tab --> tick "Turn off System Restore on all drives". Then remove the tick again (i.e. re-enable it).
http://virus-protect.org/systemwiederherstellung.html
2. Basically it should be OK again... we'll take another look at the ports... - report
http://virus-protect.org/portauthority.html
3. Also report whether the system now runs stably..........
4. Virustotal
http://www.virustotal.com/flash/index_en.html
Upload the sys file to VirusTotal once more and wait until the log appears, then copy it:
C:\WINDOWS\system32\drivers\gkacn.sys
__________
Regards, Sabina
all about PC security

27.04.2008, 23:25
Member
Thread starter, posts: 23
#22
Hello,
I switched off System Restore and then rebooted into Safe Mode. -> System crash.
Should I then run Dr.Web in Safe Mode? Is the quick scan enough, or do I have to let it run all the way through?
__________________
Regards, Dietmar

27.04.2008, 23:29
Honorary member
Posts: 29434
#23
No, leave Dr.Web for now.
Please check the sys file, but this time wait until the complete log from all scanners appears.
__________
Regards, Sabina
all about PC security

27.04.2008, 23:35
Member
Thread starter, posts: 23
#24
Hello,
sorry, I'm not quite following.
1. My Computer --> right-click, then Properties --> System Restore tab --> tick "Turn off System Restore on all drives". Then remove the tick again (i.e. re-enable it). OK.
Should I reboot into Safe Mode?
Which sys file? And where should I have it checked?
_____________
Regards, Dietmar

27.04.2008, 23:40
Honorary member
Posts: 29434
#25
Virustotal
http://www.virustotal.com/flash/index_en.html
Upload the sys file to VirusTotal once more and wait until the log appears, then copy it:
C:\WINDOWS\system32\drivers\gkacn.sys
__________
Regards, Sabina
all about PC security

27.04.2008, 23:50
Member
Thread starter, posts: 23
#26
Hello,
C:\WINDOWS\system32\drivers\gkacn.sys
MD5: 589312a3b46721c5a751e4d5222a89be
First received: -
Datum 2008.04.26 23:19:15 (CET) [+1D]
Ergebnisse 0/32
Permalink: analisis/c12c18bc1f71f43cf55d409d0bd80530
I still have the window open, is there more to come....
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
weitere Informationen
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776 a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c
( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion
__________
Regards, Dietmar
This post was edited on 27.04.2008 at 23:55 by Di.

27.04.2008, 23:57
Honorary member
Posts: 29434
#27
We'll take another look at the ports... - report
http://virus-protect.org/portauthority.html
__________
Regards, Sabina
all about PC security

27.04.2008, 23:59
Member
Thread starter, posts: 23
#28
Hello,
should I download something there? Network Port Scanner or grc.com/x/nene.dll?bh0byd2
I took grc.com/x/nene.dll?bh0byd2.
**************************************
All Service Ports: all 32 ports are green
*****************************************
File Sharing:
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
*************************************
Common Ports:
Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .
Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)
Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Port Service Status Security Implications
0 <nil> Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
21 FTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
22 SSH Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23 Telnet Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25 SMTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79 Finger Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80 HTTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110 POP3 Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113 IDENT Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
119 NNTP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
135 RPC Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139 Net BIOS Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143 IMAP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
389 LDAP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443 HTTPS Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
445 MSFT DS Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1002 ms-ils Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1024 DCOM Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1025 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1026 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1027 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1028 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1029 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1030 Host Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1720 H.323 Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
5000 UPnP Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
What does Nsauditor actually do, and what can I use it for?
Unfortunately I have to end the session for today, I have to be at work early. I'll be online again this evening from about 6 pm.
Have a pleasant night.....
________________
Regards, Dietmar
This post was edited on 28.04.2008 at 00:28 by Di.

28.04.2008, 00:32
Honorary member
Posts: 29434
#29
For tomorrow:
download avz - Antiviral Toolkit, then post the report
http://virus-protect.org/artikel/tools/avz.html
__________
Regards, Sabina
all about PC security

28.04.2008, 18:48
Member
Thread starter, posts: 23
#30
Hello,
booting takes the system longer and longer. (It crashed on the first boot.) Downloading avz now. Report will follow shortly.....
Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 28.04.2008 18:53:39
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082680)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559680 KiST = 804E26A8 (284)
Function NtClose (19) intercepted (80566D49->EF289D98), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtCreateKey (29) intercepted (8056E7A9->EF289CB8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtDeleteValueKey (41) intercepted (80593AAC->EF28A12A), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtDuplicateObject (44) intercepted (80572B26->EF2898AA), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenKey (77) intercepted (80567CFB->EF289D2E), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenProcess (7A) intercepted (80572D06->EF2897C8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenThread (80) intercepted (8058C806->EF28983C), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtQueryValueKey (B1) intercepted (8056B103->EF289E42), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtRestoreKey (CC) intercepted (8064C042->EF289E02), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtSetValueKey (F7) intercepted (80573C8D->EF289F84), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Functions checked: 284, intercepted: 10, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 34
Number of modules loaded: 335
Scanning memory - complete
3. Scanning disks
C:\WINDOWS\Installer\36c02.msi/{MS-OLE}/\90 >>> suspicion for AdvWare.Win32.TTC.c ( 0055B264 08CD8ABD 001C13F0 001FD6D9 163840)
File quarantined succesfully (C:\WINDOWS\Installer\36c02.msi)
C:\WINDOWS\Installer\{EDDDC607-91D9-4758-9F57-265FDCD8A772}\_761E6471E682_46E2_B61F_D020A08095D3.exe >>> suspicion for AdvWare.Win32.TTC.c ( 0055B264 08CD8ABD 001C13F0 001FD6D9 163840)
File quarantined succesfully (C:\WINDOWS\Installer\{EDDDC607-91D9-4758-9F57-265FDCD8A772}\_761E6471E682_46E2_B61F_D020A08095D3.exe)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
E:\UltraMon\RTSUltraMonHook.dll --> Suspicion for Keylogger or Trojan DLL
E:\UltraMon\RTSUltraMonHook.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse, all events
E:\UltraMon\RTSUltraMonHook.dll>>> Neural net: file with probability 99.80% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 264025, extracted from archives: 240652, malicious software found 0, suspicions - 2
Scanning finished at 28.04.2008 19:32:04
Time of scanning: 00:38:26
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
Doesn't anyone want to talk to me today :-(.........
________________
Regards, Dietmar
This post was edited on 28.04.2008 at 20:50 by Di.
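Section 1.2 of the AVZ log above lists ten intercepted SDT entries, all pointing at aswsp.SYS, which the ComboFix log in this thread identifies as "avast! Self Protection". Checking such a list by hand means comparing every hooking module against the drivers you know are installed; the parser below is an added example (not part of this thread or of AVZ) that groups the hooks by module, flags modules missing from an allowlist, and cross-checks the parsed count against AVZ's own "intercepted: N" summary. The sample log is constructed in AVZ's format, and the unknown_example.sys line is invented to show a flagged entry.

```python
"""Summarise the kernel-mode (SDT) hook section of an AVZ Antiviral Toolkit log."""
import re
from collections import defaultdict

# AVZ prints one line per hooked System Service Descriptor Table entry:
#   Function <name> (<index>) intercepted (<orig>-><handler>), hook <module path>
HOOK_RE = re.compile(
    r"^Function (?P<function>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<original>[0-9A-Fa-f]+)->(?P<handler>[0-9A-Fa-f]+)\), hook (?P<module>.+?)$"
)
SUMMARY_RE = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")

# Drivers that legitimately hook the SDT on this machine. aswsp.sys is the avast!
# self-protection driver named in the logs above; extend for the products you run.
KNOWN_SECURITY_DRIVERS = {"aswsp.sys"}

# Constructed sample in the shape of the AVZ output posted in this thread. The
# unknown_example.sys line is invented to exercise the allowlist check; it is not
# something the thread found.
SAMPLE_LOG = r"""
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082680)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559680 KiST = 804E26A8 (284)
Function NtClose (19) intercepted (80566D49->EF289D98), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtCreateKey (29) intercepted (8056E7A9->EF289CB8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenProcess (7A) intercepted (80572D06->EF2897C8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtQueryDirectoryFile (91) intercepted (80574E8F->F8A3C120), hook C:\WINDOWS\system32\drivers\unknown_example.sys
Functions checked: 284, intercepted: 4, restored: 0
"""


def module_basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so aswsp.SYS and aswsp.sys compare equal."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_sdt_hooks(log_text: str) -> list[dict]:
    """Return one record per 'Function ... intercepted' line, in log order."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "function": m["function"],
                "index": int(m["index"], 16),       # AVZ prints the service index in hex
                "original": int(m["original"], 16),
                "handler": int(m["handler"], 16),
                "module": module_basename(m["module"]),
            })
    return hooks


def hooks_by_module(hooks: list[dict]) -> dict[str, list[str]]:
    """Group hooked function names by the module that installed the hook."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)


def unexpected_hooks(hooks: list[dict], allowlist: set[str]) -> dict[str, list[str]]:
    """Hooks installed by modules not on the allowlist; an empty dict means nothing to review."""
    return {mod: fns for mod, fns in hooks_by_module(hooks).items() if mod not in allowlist}


def summary_consistent(log_text: str, hooks: list[dict]) -> bool:
    """Cross-check the parsed hook count against AVZ's own 'intercepted: N' line.

    A mismatch usually means the pasted log was truncated or mangled (forums flatten
    posts into long lines), so the hook list should not be treated as complete.
    """
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            return int(m.group(2)) == len(hooks)
    return False  # no summary line at all: treat the section as incomplete


if __name__ == "__main__":
    found = parse_sdt_hooks(SAMPLE_LOG)
    print("summary consistent:", summary_consistent(SAMPLE_LOG, found))
    for mod, fns in hooks_by_module(found).items():
        tag = "known security driver" if mod in KNOWN_SECURITY_DRIVERS else "REVIEW"
        print(f"{mod:22s} {tag:22s} {', '.join(fns)}")
```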
2008-04-26 19:17 . 2008-04-26 19:17 61,440 --a------ C:\WINDOWS\system32\drivers\gkacn.sys
__________
Regards, Sabina
all about PC security