System langsam und instabil, daurender Malware und Trojaner Alarm

#16 es muss vor kurzem geladen worden sein...was kann das sein ? ein Treiber... aber unbekannt

2008-04-26 19:17 . 2008-04-26 19:17 61,440 --a------ C:\WINDOWS\system32\drivers\gkacn.sys
__________
MfG Sabina

rund um die PC-Sicherheit

#17 Hallo,

laut HijackTHis wäre das hier noch zu fixen:

O20 - Winlogon Notify: byXOiHwV - byXOiHwV.dll (file missing)

dann stelle noch mal das combofix-Log rein, du hast es gestern rausgelöscht (?)
__________
MfG Sabina

rund um die PC-Sicherheit

#18 Hallo,

habe Combofix gestern nach Anweisung von Dir über Start-Ausführen- Combofix /U deinstalliert.

Mit HijackThis habe ich O20 gelöscht.

********************************************+
ComboFix 08-04-26.5 - Admin 2008-04-27 17:43:24.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.246 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Admin\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((( Dateien erstellt von 2008-03-27 bis 2008-04-27 ))))))))))))))))))))))))))))))
.

2008-04-27 00:58 . 2008-04-27 00:58 <DIR> d-------- C:\fsaua.data
2008-04-26 19:17 . 2008-04-26 19:17 61,440 --a------ C:\WINDOWS\system32\drivers\gkacn.sys
2008-04-26 18:42 . 2008-04-26 18:42 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Malwarebytes
2008-04-26 18:41 . 2008-04-26 18:41 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-04-26 13:53 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-26 13:53 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-25 23:22 . 2008-04-25 23:22 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-24 19:19 . 2008-04-26 20:01 109,779 --a------ C:\WINDOWS\BM376244ea.xml
2008-03-31 18:24 . 2008-03-31 18:24 0 --a------ C:\WINDOWS\Ui.INI
2008-03-30 22:36 . 2008-03-30 22:36 690 --a------ C:\WINDOWS\system32\Verknüpfung mit DEVENV.EXE.lnk
2008-03-27 14:50 . 2002-04-15 17:38 196,608 -ra------ C:\WINDOWS\system32\SBMiniDrv.dll
2008-03-27 14:50 . 2001-11-08 10:53 18,120 -ra------ C:\WINDOWS\system32\drivers\gt680x.sys
2008-03-27 14:50 . 2001-11-29 16:47 8,192 -ra------ C:\WINDOWS\system32\drivers\SBfw.usb
2008-03-27 14:49 . 2008-03-27 14:49 0 --a------ C:\WINDOWS\WATCH.INI
2008-03-27 14:45 . 2008-03-27 14:45 492 --a------ C:\WINDOWS\MAXLINK.INI
2008-03-27 14:43 . 2008-03-27 14:43 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\WINDOWS
2008-03-27 14:43 . 1995-05-23 01:30 776,240 --a------ C:\WINDOWS\system\lead52.dll
2008-03-27 14:43 . 1997-09-18 01:30 332,800 --a------ C:\WINDOWS\system\hhctrl.ocx
2008-03-27 14:43 . 1997-09-18 01:30 169,120 --a------ C:\WINDOWS\system\itircl.dll
2008-03-27 14:43 . 1997-09-18 01:30 124,336 --a------ C:\WINDOWS\system\itss.dll
2008-03-27 14:42 . 2008-03-27 14:42 <DIR> d-------- C:\Programme\Mustek 1200 UB Plus
2008-03-27 14:38 . 2008-04-27 11:19 <DIR> d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\OpenOffice.org2
2008-03-27 14:37 . 2008-03-27 14:37 <DIR> d-------- C:\Programme\OpenOffice.org 2.1
4 Datei(en) . 3,718,928 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 19:50 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-04-26 12:08 90,112 ----a-w C:\WINDOWS\DUMP4a38.tmp
2008-04-19 16:34 36,296 ----a-w C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-03-30 20:37 --------- d--h--w C:\Programme\Zero G Registry
2008-03-20 08:03 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 18:24 36,864 ----a-w C:\WINDOWS\system32\tjclip.dll
2008-03-02 13:40 --------- d-----w C:\Programme\avmwlanstick
2008-03-01 12:54 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 15:05 766,365 ----a-w C:\WINDOWS\java\Packages\9JR353X7.ZIP
2008-02-15 15:05 518,922 ----a-w C:\WINDOWS\java\Packages\AT3BTZZ9.ZIP
2008-02-14 19:12 558,142 ----a-w C:\WINDOWS\java\Packages\SXNP7B1J.ZIP
2008-02-14 19:12 155,995 ----a-w C:\WINDOWS\java\Packages\5Z7BPNP7.ZIP
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9D80BA1-5D13-44AD-BD13-61450C6FE558}]
C:\WINDOWS\system32\vtUkklLD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programme\Messenger\MSMSGS.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:57 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-10-28 08:38 47104 C:\WINDOWS\SOUNDMAN.EXE]
"HP Software Update"="C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 12:40 49152]
"DeviceDiscovery"="C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 21:56 40960]
"NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50 155648]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2006-10-31 18:07 299048]
"UltraMon"="E:\UltraMon\UltraMon.exe" [2006-10-12 22:27 304640]
"AVMWlanClient"="C:\Programme\avmwlanstick\FRITZWLANMini.exe" [2006-06-23 12:24 343552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:57 15360]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Adobe Reader - Schnellstart.lnk - E:\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
Microsoft Office.lnk - E:\MicrosoftOfficeXP\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\BorlandTogehter\\jdk\\jre\\bin\\java.exe"=
"E:\\Maxima-5.11.0\\wxMaxima\\wxMaxima.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows-Peer-zu-Peer-Gruppierung
"3540:UDP"= 3540:UDPeer Name Resolution-Protokoll (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2006-11-22 14:29]
R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 19:31]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2006-11-22 14:29]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 22:22]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2002-11-04 16:29]
R3 FWLANUSB;AVM FRITZ!WLAN;C:\WINDOWS\system32\DRIVERS\fwlanusb.sys [2005-10-18 03:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2002-11-04 16:32]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 22:23]
S3 p2pgasvc;Peernetzwerk-Gruppenauthentifizierung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 p2pimsvc;Peernetzwerkidentitäts-Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 p2psvc;Peernetzwerk;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]
S3 PNRPSvc;Peer Name Resolution-Protokoll;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{358ba9ac-e85e-11dc-9a7d-0010dce427e8}]
\Shell\AutoRun\command - D:\pushinst.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 17:44:45
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-04-27 17:45:45
ComboFix-quarantined-files.txt 2008-04-27 15:45:40

8 Verzeichnis(se), 36,087,296,000 Bytes frei
10 Verzeichnis(se), 36,312,076,288 Bytes frei

123 --- E O F --- 2008-04-26 10:00:28

____________
MfG Dietmar

#19 Hallo,

fixe noch mit hijacktHis:

O2 - BHO: (no name) - {D9D80BA1-5D13-44AD-BD13-61450C6FE558} - C:\WINDOWS\system32\vtUkklLD.dll (file missing)

---------------------

««
scanne mit dr.web im abgesicherten modus + poste dann den report
http://virus-protect.org/cureit.html
__________
MfG Sabina

rund um die PC-Sicherheit

#20 Hallo,

***************************************
der report von DrWeb:

A0000027.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP1;möglicherweise BATCH.Virus;Verschoben.;
A0000032.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP1;möglicherweise SCRIPT.Virus;Verschoben.;
A0000063.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP2;möglicherweise BATCH.Virus;Verschoben.;
A0000069.bat;C:\System Volume Information\_restore{00AA45B3-6A6D-44CA-8BA1-7D8A65A8E133}\RP2;möglicherweise SCRIPT.Virus;Verschoben.;

________________
MfG Dietmar

#21 Hallo,

1.
Arbeitsplatz --> Rechtsklick, dann auf Eigenschaften --> Reiter Systemwiederherstellung --> Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
dann das Häkchen wieder rausnehmen.(also wieder aktivieren)
http://virus-protect.org/systemwiederherstellung.html

2.
im Grunde müsste es wieder o.k. sein...wir schauen noch mal die Ports an... - berichte
http://virus-protect.org/portauthority.html

3.
berichte auch, ob das system nun stabil rollert..........

4.
Virustotal http://www.virustotal.com/flash/index_en.html
lade die sys noch mal bei virus-total hoch und warte, bis das log erscheint, dann abkopieren
C:\WINDOWS\system32\drivers\gkacn.sys
__________
MfG Sabina

rund um die PC-Sicherheit

#22 Hallo,

habe die Systemwiderherstellung ausgeschaltet dann im Abgesicherten Modus neu gestartet. -> Systemabsturz.

Sollte ich dann in dem Abg. Modus Dr.Web laufen lassen? Reicht der Schnellwaschgang oder muss ich ihn komplett durchlaufen lassen?

__________________
MfG Dietmar

#23 nein, lass den dr.web erst mal.
überprüfe bitte die sys, aber diesmal abwarten, bis das komplette log aller scanner erscheint
__________
MfG Sabina

rund um die PC-Sicherheit

#24 Hallo,

sorry komm grad nicht ganz mit.

1. Arbeitsplatz --> Rechtsklick, dann auf Eigenschaften --> Reiter Systemwiederherstellung --> Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
dann das Häkchen wieder rausnehmen.(also wieder aktivieren) . Ok.

Soll ich einen Neustart im Abg. Modus machen?

Welche sys? Und wo überprüfen lassen?

_____________
MfG Dietmar

#25 Virustotal http://www.virustotal.com/flash/index_en.html
lade die sys noch mal bei virus-total hoch und warte, bis das log erscheint, dann abkopieren
C:\WINDOWS\system32\drivers\gkacn.sys
__________
MfG Sabina

rund um die PC-Sicherheit

#26 Hallo,

C:\WINDOWS\system32\drivers\gkacn.sys

MD5: 589312a3b46721c5a751e4d5222a89be
First received: -
Datum 2008.04.26 23:19:15 (CET) [+1D]
Ergebnisse 0/32
Permalink: analisis/c12c18bc1f71f43cf55d409d0bd80530

habe das Fenster noch offen, kommt da noch was....

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.26 -
AVG 7.5.0.516 2008.04.26 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.26 -
F-Prot 4.4.2.54 2008.04.26 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3057 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.52.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.294 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.26 -
Webwasher-Gateway 6.6.2 2008.04.26 -
weitere Informationen
File size: 61440 bytes
MD5...: 589312a3b46721c5a751e4d5222a89be
SHA1..: 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae
SHA512: c8abe050c97efe34541c3ef293a750e34b82117ae41f41d83db1f1489eb5d776
a1d59d0b4a1e13536e5bebda630693daf4be66cc386f587a69288c76df98cf7b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1d394
timedatestamp.....: 0x476b398b (Fri Dec 21 03:56:59 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0xd756 0xd780 5.52 e0dc8fff10e3a7c6343455cd02a67954
.rdata 0xdb80 0x10e 0x180 3.44 d2fd0bc28e070ccc67879e04b7cd5302
.data 0xdd00 0xc0 0x100 0.04 66a415a49d751cb335895306ecfb3389
INIT 0xde00 0x376 0x380 5.17 79cc3d62ef3ba8053786e08dc9b6cddc
.reloc 0xe180 0xe2c 0xe80 6.60 4f845320301140370066cbceee4c5e4c

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, wcslen, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, wcscat, wcscpy, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePoolWithTag, RtlPrefixUnicodeString, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwOpenFile, ZwSetInformationFile, KeTickCount, ZwQueryInformationFile, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion



__________
MfG Dietmar

#27 wir schauen noch mal die Ports an... - berichte
http://virus-protect.org/portauthority.html
__________
MfG Sabina

rund um die PC-Sicherheit

#28 Hallo,

soll ich da was runterladen?

Network Port Scanner oder grc.com/x/nene.dll?bh0byd2

Habe grc.com/x/nene.dll?bh0byd2 genommen.

**************************************
All Service Ports:
Alle 32 Ports sind grün

*****************************************
File Sharing:
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

*************************************
Common Ports:

Solicited TCP Packets: PASSED — No TCP packets were received from your system as a direct result of our attempts to elicit some response from any of the ports listed below — they are all either fully stealthed or blocked by your ISP. However . . .



Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)



Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.



Port
Service
Status Security Implications

0
<nil>
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

21
FTP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

22
SSH
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

23
Telnet
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

25
SMTP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

79
Finger
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

80
HTTP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

110
POP3
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

113
IDENT
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

119
NNTP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

135
RPC
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

139
Net
BIOS
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

143
IMAP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

389
LDAP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

443
HTTPS
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

445
MSFT
DS
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1002
ms-ils
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1024
DCOM
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1025
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1026
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1027
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1028
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1029
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1030
Host
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

1720
H.323
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

5000
UPnP
Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!


Was macht eigentlich der Nsauditor und für was kann ich den benutzen?

Muss für heute die Sitzung leider beenden, muss heut früh ins geschäft. Bin heute abend ab ca. 18Uhr wieder online. Angenehme Nacht.....
________________
MfG Dietmar

#29 für morgen:

lade avz - Antiviral Toolkit: poste dann den report
http://virus-protect.org/artikel/tools/avz.html
__________
MfG Sabina

rund um die PC-Sicherheit

#30 Hallo,

beim hochladen braucht das system immer länger. (ist beim ersten hochfahren abgestürtzt)

Lade jetzt avz. Report kommt auch gleich.....

Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 28.04.2008 18:53:39
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082680)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559680
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (80566D49->EF289D98), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtCreateKey (29) intercepted (8056E7A9->EF289CB8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtDeleteValueKey (41) intercepted (80593AAC->EF28A12A), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtDuplicateObject (44) intercepted (80572B26->EF2898AA), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenKey (77) intercepted (80567CFB->EF289D2E), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenProcess (7A) intercepted (80572D06->EF2897C8), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtOpenThread (80) intercepted (8058C806->EF28983C), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtQueryValueKey (B1) intercepted (8056B103->EF289E42), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtRestoreKey (CC) intercepted (8064C042->EF289E02), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Function NtSetValueKey (F7) intercepted (80573C8D->EF289F84), hook C:\WINDOWS\System32\Drivers\aswsp.SYS
Functions checked: 284, intercepted: 10, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 34
Number of modules loaded: 335
Scanning memory - complete
3. Scanning disks
C:\WINDOWS\Installer\36c02.msi/{MS-OLE}/\90 >>> suspicion for AdvWare.Win32.TTC.c ( 0055B264 08CD8ABD 001C13F0 001FD6D9 163840)
File quarantined succesfully (C:\WINDOWS\Installer\36c02.msi)
C:\WINDOWS\Installer\{EDDDC607-91D9-4758-9F57-265FDCD8A772}\_761E6471E682_46E2_B61F_D020A08095D3.exe >>> suspicion for AdvWare.Win32.TTC.c ( 0055B264 08CD8ABD 001C13F0 001FD6D9 163840)
File quarantined succesfully (C:\WINDOWS\Installer\{EDDDC607-91D9-4758-9F57-265FDCD8A772}\_761E6471E682_46E2_B61F_D020A08095D3.exe)
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
E:\UltraMon\RTSUltraMonHook.dll --> Suspicion for Keylogger or Trojan DLL
E:\UltraMon\RTSUltraMonHook.dll>>> Behavioural analysis
1. Reacts to events: keyboard, mouse, all events
E:\UltraMon\RTSUltraMonHook.dll>>> Neural net: file with probability 99.80% like a typical keyboard/mouse events interceptor
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 264025, extracted from archives: 240652, malicious software found 0, suspicions - 2
Scanning finished at 28.04.2008 19:32:04
Time of scanning: 00:38:26
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

Mag heut niemand mit mir sprechen :-(.........
________________
MfG Dietmar