Trojan.Hiloti canters.dll

28.04.2011, 14:36 Trojan.Hiloti canters.dll #1
New user
Registered: 26.04.2010
Posts: 19

Hi folks

I picked up the Hiloti trojan on a "canters.dll" in AppData. I then removed it with Malwarebytes. After that, at system startup, I got a message that this canters.dll cannot be accessed. It was apparently deleted. Is this DLL important? I haven't noticed any effects so far...

Here is the mwb log as well:

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Datenbank Version: 6462

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28.04.2011 15:02:49
mbam-log-2011-04-28 (15-02-49).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 399286
Laufzeit: 49 Minute(n), 54 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 45

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
c:\Users\Reton\AppData\Local\canters.dll (Trojan.Hiloti) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qvuyalolacihi (Trojan.Hiloti) -> Value: Qvuyalolacihi -> Delete on reboot.

Infizierte Dateiobjekte der Registrierung:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
c:\Users\Reton\AppData\Local\canters.dll (Trojan.Hiloti) -> Delete on reboot.

Thanks in advance for your help

28.04.2011, 19:37 Trojan.Hiloti canters.dll #2
Leonixx
Super Moderator
Registered: 17.10.2007
Location: NIX DO
Posts: 16,364

That makes sense. The malware has dug itself deep into the system and installed this .dll so that the malware is loaded at startup.

Run RSIT as described in the link in my signature. Post the log files as described.

Start, Run, type msconfig, and check under Startup whether the DLL was placed there.

28.04.2011, 23:55 Trojan.Hiloti canters.dll #3
New user
Thread starter
Registered: 26.04.2010
Posts: 19

OK, I've attached both logs. I found nothing under Startup.

EDIT: The message no longer appears at startup either. Was this file itself the trojan, then? I had actually thought it had embedded itself in a file on my PC. But if that's the case, the problem is actually solved now, isn't it? Malwarebytes doesn't find anything anymore either.
Attached files
File type: txt info.txt (37.4 KB, viewed 1 time)
File type: txt log.txt (28.7 KB, viewed 2 times)

29.04.2011, 18:53 Trojan.Hiloti canters.dll #4
Leonixx
Super Moderator
Registered: 17.10.2007
Location: NIX DO
Posts: 16,364

Have this file checked at VirusTotal. Instructions are in my signature. Post the result.
C:\Windows\patchw32.dll

01.05.2011, 09:19 Trojan.Hiloti canters.dll #5
New user
Thread starter
Registered: 26.04.2010
Posts: 19

Additional information
MD5 : 3f30e7d132d62476db9ba5ebb0f7b902
SHA1 : de83f87fcf06d5e468dc7cb5ac74a52baa0c9f07
SHA256: 9d8a1abb2023068ba8c02a8e65046d2f8a0d77c6f2d63edf9690f3763d20d45b
ssdeep: 6144:BzuSU6//FNSJHurd930aGssW7VAE0OxaEAiSKLvnxYm7aB8n:BzAk9NSJHmUW7VD7xxLvn
File size : 197120 bytes
First seen: 2009-05-15 00:04:17
Last seen : 2011-05-01 08:13:34
TrID:
Win32 Executable MS Visual C++ (generic) (65.1%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Pocket Soft, Inc.
copyright....: (C) Copyright Pocket Soft, Inc., 2002. All Rights Reserved.
product......: RTPatch
description..: RTPatch Executable
original name: n/a
internal name:
file version.: 6.50
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

At the top there was also a list of antivirus programs, all with a "-" under Result.

01.05.2011, 09:50 Trojan.Hiloti canters.dll #6
Leonixx
Super Moderator
Registered: 17.10.2007
Location: NIX DO
Posts: 16,364

Click on "view last report", and also include what is displayed for the AV scanners.

01.05.2011, 12:55 Trojan.Hiloti canters.dll #7
New user
Thread starter
Registered: 26.04.2010
Posts: 19

OK, here is the report including the AV scanners:

Antivirus Version Last Update Result
AhnLab-V3 2011.05.01.00 2011.04.30 -
AntiVir 7.11.7.92 2011.04.30 -
Antiy-AVL 2.0.3.7 2011.05.01 -
Avast 4.8.1351.0 2011.04.30 -
Avast5 5.0.677.0 2011.04.30 -
AVG 10.0.0.1190 2011.04.30 -
BitDefender 7.2 2011.05.01 -
CAT-QuickHeal 11.00 2011.04.30 -
ClamAV 0.97.0.0 2011.05.01 -
Commtouch 5.3.2.6 2011.05.01 -
Comodo 8536 2011.05.01 -
DrWeb 5.0.2.03300 2011.05.01 -
Emsisoft 5.1.0.5 2011.05.01 -
eSafe 7.0.17.0 2011.04.28 -
eTrust-Vet 36.1.8299 2011.04.29 -
F-Prot 4.6.2.117 2011.05.01 -
F-Secure 9.0.16440.0 2011.05.01 -
Fortinet 4.2.257.0 2011.05.01 -
GData 22 2011.05.01 -
Ikarus T3.1.1.103.0 2011.05.01 -
Jiangmin 13.0.900 2011.04.30 -
K7AntiVirus 9.98.4527 2011.04.30 -
Kaspersky 9.0.0.837 2011.05.01 -
McAfee 5.400.0.1158 2011.05.01 -
McAfee-GW-Edition 2010.1D 2011.04.30 -
Microsoft 1.6802 2011.05.01 -
NOD32 6084 2011.05.01 -
Norman 6.07.07 2011.05.01 -
Panda 10.0.3.5 2011.04.30 -
PCTools 7.0.3.5 2011.04.29 -
Prevx 3.0 2011.05.01 -
Rising 23.55.04.03 2011.04.29 -
Sophos 4.64.0 2011.05.01 -
SUPERAntiSpyware 4.40.0.1006 2011.05.01 -
Symantec 20101.3.2.89 2011.05.01 -
TheHacker 6.7.0.1.184 2011.04.30 -
TrendMicro 9.200.0.1012 2011.05.01 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.01 -
VBA32 3.12.16.0 2011.04.29 -
VIPRE 9167 2011.05.01 -
ViRobot 2011.4.30.4439 2011.04.30 -
VirusBuster 13.6.329.0 2011.04.30 -
RDS: NSRL Reference Data Set

Intuit Inc.
QuickBooks Pro 2008, 2008: patchw32.dll
QuickBooks Premier 2008, 2008: patchw32.dll
QuickBooks Simple Start 2008, 2008: patchw32.dll
QuickBooks Standard Payroll, 2007: patchw32.dll
QuickBooks Contractor 2008, 2008: patchw32.dll
QuickBooks Invoice Manager, 2007: patchw32.dll
QuickBooks Premier Edition 2006, 2006: patchw32.dll
Quickbooks Pro 2007, 2007: patchw32.dll
QuickBooks Accountant 2008, 2008: patchw32.dll
QuickBook Premier Edition 2006, 2006: patchw32.dll
QuickBooks Premier Professional Services Edition, 2005: patchw32.dll
QuickBooks Simple Start Edition 2006, 2006: patchw32.dll
QuickBooks Manufacturing & Wholesale 2008, 2008: patchw32.dll
QuickBooks Nonprofit 2008, 2008: patchw32.dll
QuickBooks Professional Services 2008, 2008: patchw32.dll
QuickBooks Pro Edition 2006, 2006: patchw32.dll

Microsoft
Age of Empires 3, na: patchw32.dll
Age of Mythology, NA: PATCHW32.DLL

Microsoft Game Studios
Age of Mythology, 2007: PATCHW32.DLL
Age of Empires III, 3: patchw32.dll



By the way, the site shows that a log for this file already exists from 2009. But I have never used the site before...

01.05.2011, 15:32 Trojan.Hiloti canters.dll #8
Leonixx
Super Moderator
Registered: 17.10.2007
Location: NIX DO
Posts: 16,364

OK, just to be sure once more, run an online scan with ESET.

Free online scanners

Post the log file.

03.05.2011, 15:07 Trojan.Hiloti canters.dll #9
New user
Thread starter
Registered: 26.04.2010
Posts: 19

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=0e5c1122577f3649814c0c82a010fc72
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-03 10:51:45
# local_time=2011-05-03 12:51:45 (+0100, Mitteleuropäische Sommerzeit)
# country="Switzerland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 177118 177118 0 0
# compatibility_mode=1797 16775165 100 94 1153 79930497 0 0
# compatibility_mode=5893 16776573 100 94 89585 56046381 0 0
# compatibility_mode=8192 67108863 100 0 245 245 0 0
# scanned=271166
# found=1
# cleaned=1
# scan_time=4715
C:\Users\Reton\Saved Games\PC\F.E.A.R\Keygen\Keygen for F.E.A.R.exe probably a variant of Win32/Agent.ECGGPHP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

03.05.2011, 15:22 Trojan.Hiloti canters.dll #10
stockcarpilot
Moderator
Registered: 20.06.2008
Location: NRW
Posts: 2,490

Hello

You do know that key generators often bring malware with them

Regards, stockcarpilot