Problem mit hartnäckigem Trojaner Buddy.f

#1 Hi @ all!

Ich habe ein Problem mit einem ziemlich anhänglichen trojaner und hoffe das mir einer von euch helfen kann.

Also der Trojaner heißt buddy.f (behauptet zumindest AntiVir) und ich weiß beim besten Willen nicht wo ich den her haben soll. Ich weiß nur, dass AntiVir ständig aufpoppt und mich fragt wie ich mit der Datei verfahrten will, aber wenn ich auf löschen klicke ist sie 5 min später wieder da.

Ich hab hier mal das Logfile, falls da jemand was mit anfangen kann, ich als Viren-Laie (das ist gott sei dank mein erster) erlese da leider nicht all zu viel draus:

Logfile of HijackThis v1.99.1
Scan saved at 16:18:34, on 19.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\AntiVir\AVGUARD.EXE
F:\AntiVir\AVWUPSRV.EXE
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\Explorer.exe
d:\windows\system32\ououpc.exe
D:\WINDOWS\System32\LVComS.exe
D:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
F:\AntiVir\AVGNT.EXE
D:\WINDOWS\system32\ctfmon.exe
F:\SmartSurfer\SmartSurfer.exe
F:\ICQLite\ICQLite.exe
D:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Outlook Express\msimn.exe
F:\___eric___\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - D:\WINDOWS\system32\vbrundll.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [LVCOMS] D:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "D:\Programme\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "D:\WINDOWS\System32\KDP0461.dll"
O4 - HKLM\..\Run: [TkBellExe] "D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "F:\AntiVir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [PE2CKFNT SE] f:\PhotoExpress\ChkFont.exe
O4 - HKLM\..\Run: [regsync] D:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [egjuhv] d:\windows\system32\ououpc.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "D:\WINDOWS\System32\KDP0461.dll"
O4 - HKCU\..\Run: [XPClean-RegWarner] F:\XPcleanV7\RegWarner.exe /s
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\ICQLite\ICQLite.exe -trayboot
O4 - Startup: SmartSurfer.lnk = F:\SmartSurfer\SmartSurfer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with NetPumper - F:\NetPumper\AddUrl.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - D:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAF4771B-895A-4907-BA12-5D0CB4A68DC5}: NameServer = 195.129.111.49 195.129.111.50
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\AntiVir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\AntiVir\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - D:\PROGRAMME\FRITZ!\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: hpdj - Unknown owner - D:\DOKUME~1\Eric\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - D:\WINDOWS\svcproc.exe

So, ich hoffe mal das reicht an Informationen. Ich wäre wirklich sehr dankbar, wenn sich jemand mal kurz die Zeit nehmen würde da mal rüber zu gucken und mir ein paar tipps geben könnte, wie ich den kleine SChweinehund wieder los werde. Vielen Dank im Voraus und wenn es noch fragen gibt, könnt ihr mir mailen: milchreisfan@gmx.net

Vielen Dank

P.S. AntiVir meldet immer eine ander Datei, aber meistens:

D:\WINDOWS\LLKUUSWWQSD.EXE

Ist das Trojanische Pferd TR/Buddy.F

(meine Systemfestplatte heißt D und nicht wie üblich C)

#2 Hallo@milchreisfan

Nail.exe/Software-aurora /Sahagent
http://bilder.informationsarchiv.net/Nikitas_Tools/Find_It__s.zip
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
Poste bitte das Log vom Scann

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - D:\WINDOWS\system32\vbrundll.dll
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "D:\WINDOWS\System32\KDP0461.dll"
O4 - HKLM\..\Run: [regsync] D:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [egjuhv] d:\windows\system32\ououpc.exe r
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "D:\WINDOWS\System32\KDP0461.dll"
O23 - Service: hpdj - Unknown owner - D:\DOKUME~1\Eric\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - D:\WINDOWS\svcproc.exe

PC neustarten

•Download Registry Search Tool :
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Doppelklick:regsrch.vbs

reinkopieren:

SvcProc

hpdj

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

D:\WINDOWS\Nail.exe
D:\WINDOWS\svcproc.exe
d:\windows\system32\ououpc.exe
D:\DOKUME~1\Eric\LOKALE~1\Temp\hpdj.exe
D:\WINDOWS\netsync.exe
D:\WINDOWS\rsyncmon.dll
D:\WINDOWS\ISSM0064.DAT
D:\WINDOWS\system32\\COMMCOS2.DLL
D:\WINDOWS\system32\regsync.exe
D:\WINDOWS\system32\vbrundll.dll
D:\WINDOWS\system32\VBUninstall.exe

PC neustarten

arbeite das ab:
http://virus-protect.org/escan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hab mir auch den Trojaner Buddy/F. eingefangen und bekomme ihn nicht weg...hab mehrere Sicherheitsprogramme und Scanner ausprobiert, aber der taucht immer wieder auf....hier meine hijackthis auswertung :

Logfile of HijackThis v1.99.1
Scan saved at 17:09:44, on 20.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\0190 Warner\w0svc.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Winamp\winampa.exe
C:\PROGRA~1\0190WA~1\WARN0190.EXE
C:\Programme\Trojancheck 6\tcguard.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Q-Tec\Q-Tec_USB2.0_Adapter Wireless_54G\WlanUtil.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no nime) - {7A36A2BA-08F6-FFF3-2661-8766103DCCA0} - 321102.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - C:\Programme\TVgenial\IEButtonTVGenialEBayInterfac e.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Programme\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [NsCplTray] 34763.exe
O4 - HKLM\..\Run: [xxtoolbar] runload32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [gijjnvq] c:\windows\system32\vbnyfz.exe r
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SysEntry] WinInitDll.exe
O4 - HKCU\..\Run: [ms-its] zxc.exe
O4 - HKCU\..\Run: [cnftips] Dest068.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Q-Tec_USB2.0_Adapter Wireless_54G.lnk = C:\Programme\Q-Tec\Q-Tec_USB2.0_Adapter Wireless_54G\WlanUtil.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Herunterladen mit Net Transport - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: h**p://V5.Windowsupdate.microsoft.com und https
O15 - Trusted Zone: h**p://Download.Windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1118501975296
O17 - HKLM\System\CCS\Services\Tcpip\..\{63246B13-78C5-4301-8EEE-AECB6B5EA465}: NameServer = 68*.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{8100294A-44DD-47B5-87C7-28B19387E40E}: NameServer = 68*.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1B15116-6BA0-4E72-A08F-7411F69FC0F6}: NameServer = 68*.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{63246B13-78C5-4301-8EEE-AECB6B5EA465}: NameServer = 68*.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{63246B13-78C5-4301-8EEE-AECB6B5EA465}: NameServer = 68*.50.184.84,195.225.176.37
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - C:\Programme\0190 Warner\w0svc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\ImapiRox.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Kann mir jemand weiterhelfen ? Wäre super !

#4 Hi @ Sabina,

erst mal vielen Dank für die (ich hoffe) nützlichen Tipps!

Also ich habe Schritt für Schritt das getan, was du mir aufgetragen hast.

1. Hab mit Find It's ein Logfile erstellt und zwar dieses hier:


Microsoft Windows XP [Version 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! D:\WINDOWS\System32\ELTTTIK.EXE
* UPX! D:\WINDOWS\System32\SAVERB~1.EXE
* UPX! D:\WINDOWS\System32\SCENICCS.EXE
* UPX! D:\WINDOWS\System32\SCENICWU.EXE
* UPX! D:\WINDOWS\System32\UHARC.EXE
* UPX! D:\WINDOWS\SVCPROC.EXE
* UPX! D:\WINDOWS\WCMAIN.EXE

* Sniffed D:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

* UPX! D:\WINDOWS\DAEMON.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* _rtneg3 D:\WINDOWS\System32\NSF1F.DLL
* _rtneg3 D:\WINDOWS\System32\NSN19.DLL
* _rtneg3 D:\WINDOWS\System32\NSO25.DLL

»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Datentr„ger in Laufwerk D: ist SystemXP
Volumeseriennummer: 3841-4A00

Verzeichnis von D:\WINDOWS\SYSTEM32

13.06.2005 20:47 <DIR> cache32_rtneg3
0 Datei(en) 0 Bytes
1 Verzeichnis(se), 800.841.728 Bytes frei
»»»»» Checking for SAHAgent ico files.
Datentr„ger in Laufwerk D: ist SystemXP
Volumeseriennummer: 3841-4A00

Verzeichnis von D:\WINDOWS\system32

13.06.2005 20:46 3.262 body33331.ico
13.06.2005 20:45 3.262 creditcard32123123123asdsa1.ico
13.06.2005 20:45 3.262 dice21.ico
13.06.2005 20:46 4.286 greenmovie2313asaadsasfad112341231adsfa11.ico
13.06.2005 20:45 3.262 kill all spyware4512.ico
13.06.2005 20:46 3.262 ps31.ico
13.06.2005 20:45 3.262 vh e2331.ico
7 Datei(en) 23.858 Bytes
0 Verzeichnis(se), 800.841.728 Bytes frei

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\trfdsk.amo
<NO NAME> REG_SZ amo Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\trfdsk.iiittt
<NO NAME> REG_SZ iiittt Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\trfdsk.momo
<NO NAME> REG_SZ momo Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\trfdsk.ohb
<NO NAME> REG_SZ ohb Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

2. habe ich ein Logfile mit Hijackthis erstellt und alle datein gefixed die du genannt hattest, bis auf O4 - HKLM\..\Run: [egjuhv] d:\windows\system32\ououpc.exe r, da diese bei mir nicht vorhanden war.

3. PC neu gestartet.

4. habe ich mit RegSearch gearbeitet und folgendes Ergebnis erzielt:

4.1. RegSearch auf der Suche nach SvcProc:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "SvcProc" 20.06.2005 19:29:55

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC\0000]
"Service"="SvcProc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC\0000\Control]
"ActiveService"="SvcProc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc\Enum]
"0"="Root\\LEGACY_SVCPROC\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SVCPROC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SVCPROC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SVCPROC\0000]
"Service"="SvcProc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC\0000]
"Service"="SvcProc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC\0000\Control]
"ActiveService"="SvcProc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc\Enum]
"0"="Root\\LEGACY_SVCPROC\\0000"

4.2. RegSearch auf der Suche nach hpdj:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "hpdj" 20.06.2005 19:32:17

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\HPDJ Printing System Config]

[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series]

[HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\HU3651R1P47O]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="D:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\hp deskjet 3500 series\PrinterDriverData]
"HPDJPenNumber"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers\hp deskjet 3500 series\PrinterDriverData]
"HPDJPenNumber"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDJ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDJ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDJ\0000]
"Service"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HPDJ\0000]
"DeviceDesc"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj]
"DisplayName"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hpdj\Enum]
"0"="Root\\LEGACY_HPDJ\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HPDJ]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HPDJ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HPDJ\0000]
"Service"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HPDJ\0000]
"DeviceDesc"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hpdj]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hpdj]
"DisplayName"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hpdj\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hpdj\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\hp deskjet 3500 series\PrinterDriverData]
"HPDJPenNumber"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDJ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDJ\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDJ\0000]
"Service"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HPDJ\0000]
"DeviceDesc"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj]
"DisplayName"="hpdj"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpdj\Enum]
"0"="Root\\LEGACY_HPDJ\\0000"

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\CustomPaper]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Entwurfstext oder Text mit Farbdruck]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Foto 10 x 15 cm mit weißem Rand]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Foto A4 mit weißem Rand]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Professioneller Fotodruck]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Professioneller Text oder Text mit Farbdruck]

[HKEY_USERS\S-1-5-21-1482476501-602609370-725345543-1003\Software\Hewlett-Packard\HPDJ Printing System Config\hp deskjet 3500 series\Quicksets\Standard-Druckeinstellungen]

5. MIt Killbox die angegebenen Datein gelöscht und PC neu gestartet! und

6. Im abgesicherten Modus mit eScann alles gescannt.
Nach 2 1/2 Stunden war eScann endlich mit der Systemfestplatte fertig und ich habe dann den Scann abgebrochen, weil ich den Unheilherd auf eben dieser vermute und mir ein Komplettscann zu lange gedauert hätte. Falls ich doch noch mal einen machen soll, sag bescheid, dann mach ich es sofort.

Jedenfalls ist das das Ergebnis von eScann:


--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: Mon Jun 20 20:51:47 2005 => File d:\windows\system32\wheekrs.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
2: Mon Jun 20 20:52:04 2005 => File d:\windows\system32\wheekrs.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
3: Mon Jun 20 20:52:21 2005 => File D:\WINDOWS\svcproc.exe infected by "Trojan.Win32.Stervis.c" Virus! Action Taken: No Action Taken.
4: Mon Jun 20 20:52:24 2005 => System found infected with BearShare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
5: Mon Jun 20 20:52:24 2005 => System found infected with BearShare Spyware/Adware ({9f95f736-0f62-4214-a4b4-caa6738d4c07})! Action taken: No Action Taken.
6: Mon Jun 20 20:52:24 2005 => System found infected with BearShare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
7: Mon Jun 20 20:52:26 2005 => System found infected with AltnetBDE Spyware/Adware (adm4.adm4)! Action taken: No Action Taken.
8: Mon Jun 20 20:52:26 2005 => System found infected with AltnetBDE Spyware/Adware (adm25.adm25)! Action taken: No Action Taken.
9: Mon Jun 20 20:55:45 2005 => System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
10: Mon Jun 20 20:56:02 2005 => System found infected with AltnetBDE Spyware/Adware (altnet signing module.exe)! Action taken: No Action Taken.
11: Mon Jun 20 20:56:02 2005 => System found infected with AltnetBDE Spyware/Adware (adm.exe)! Action taken: No Action Taken.
12: Mon Jun 20 20:57:35 2005 => File D:\WINDOWS\kernel32.bat infected by "Backdoor.Win32.MoSucker.30.a" Virus! Action Taken: No Action Taken.
13: Mon Jun 20 20:58:21 2005 => File D:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
14: Mon Jun 20 21:33:34 2005 => File C:\WINNT\system32\L70000008.dll infected by "Trojan-Downloader.Win32.Swizzor.cy" Virus! Action Taken: No Action Taken.
15: Mon Jun 20 21:33:34 2005 => File C:\WINNT\system32\L70000008.exe infected by "Trojan-Downloader.Win32.Swizzor.cy" Virus! Action Taken: No Action Taken.
16: Mon Jun 20 21:36:53 2005 => File C:\WINNT\Temp\Adware\Setup_PerfectNav.exe infected by "Trojan-Downloader.Win32.Keenval.f" Virus! Action Taken: No Action Taken.
17: Mon Jun 20 21:44:57 2005 => File D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\I9INYFIT\svcproc[1].exe infected by "Trojan.Win32.Stervis.c" Virus! Action Taken: No Action Taken.
18: Mon Jun 20 21:45:07 2005 => File D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KFOZKJSF\Poller[1].exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
19: Mon Jun 20 21:57:31 2005 => File D:\System Volume Information\_restore{6676B30B-637D-4C84-B2D6-E64E2FF92023}\RP367\A0199029.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.


67: Mon Jun 20 22:12:13 2005 => File D:\WINDOWS\kernel32.bat infected by "Backdoor.Win32.MoSucker.30.a" Virus! Action Taken: No Action Taken.
68: Mon Jun 20 22:25:21 2005 => File D:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
69: Mon Jun 20 22:33:46 2005 => Scanning Folder: F:\AntiVir\INFECTED\*.*
70: Mon Jun 20 22:33:46 2005 => Scanning File F:\AntiVir\INFECTED\DRPMON.DLL.VIR
71: Mon Jun 20 22:33:46 2005 => File F:\AntiVir\INFECTED\DRPMON.DLL.VIR infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------

1: Mon Jun 20 20:57:35 2005 => File D:\WINDOWS\iwzdkab.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
2: Mon Jun 20 20:57:36 2005 => File D:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
3: Mon Jun 20 20:58:52 2005 => File D:\WINDOWS\system32\InstallerV3.exe tagged as "not-a-virus:AdWare.SafeSurfing.j". Action Taken: No Action Taken.
4: Mon Jun 20 21:00:09 2005 => File D:\WINDOWS\system32\nsf1F.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
5: Mon Jun 20 21:00:09 2005 => File D:\WINDOWS\system32\nsn19.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
6: Mon Jun 20 21:00:09 2005 => File D:\WINDOWS\system32\nso25.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
7: Mon Jun 20 21:01:12 2005 => File D:\WINDOWS\system32\sceniccs.exe tagged as not-a-virus:Server-Proxy.Win32.MarketScore.g. No Action Taken.
8: Mon Jun 20 21:01:13 2005 => File D:\WINDOWS\system32\scenicwu.exe tagged as "not-a-virus:AdWare.SaveNow.z". Action Taken: No Action Taken.
9: Mon Jun 20 21:02:13 2005 => File D:\DOKUME~1\Eric\LOKALE~1\Temp\D2844\aurora.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
10: Mon Jun 20 21:09:39 2005 => File C:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\asmfiles.cab tagged as "not-a-virus:AdWare.Altnet.m". Action Taken: No Action Taken.
11: Mon Jun 20 21:10:04 2005 => File C:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\__unin__.exe tagged as "not-a-virus:AdWare.Altnet.b". Action Taken: No Action Taken.
12: Mon Jun 20 21:15:37 2005 => File C:\RECYCLER\NPROTECT\00037823.INT tagged as "not-a-virus:AdWare.Gator.4203". Action Taken: No Action Taken.
13: Mon Jun 20 21:15:37 2005 => File C:\RECYCLER\NPROTECT\00037824.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
14: Mon Jun 20 21:15:37 2005 => File C:\RECYCLER\NPROTECT\00037825.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
15: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037826.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
16: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037827.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
17: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037828.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
18: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037829.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
19: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037830.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
20: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037834.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
21: Mon Jun 20 21:15:38 2005 => File C:\RECYCLER\NPROTECT\00037835.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
22: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037836.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
23: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037837.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
24: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037838.INT tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
25: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037839.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
26: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037840.INT tagged as "not-a-virus:AdWare.Gator.6041". Action Taken: No Action Taken.
27: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037841.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
28: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037842.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
29: Mon Jun 20 21:15:39 2005 => File C:\RECYCLER\NPROTECT\00037843.INT tagged as "not-a-virus:AdWare.Gator.6051". Action Taken: No Action Taken.
30: Mon Jun 20 21:15:40 2005 => File C:\RECYCLER\NPROTECT\00037844.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
31: Mon Jun 20 21:15:40 2005 => File C:\RECYCLER\NPROTECT\00037845.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
32: Mon Jun 20 21:28:28 2005 => File C:\WINNT\system32\cd_clint.dll tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
33: Mon Jun 20 21:28:43 2005 => File C:\WINNT\system32\ctbv2.dll tagged as "not-a-virus:AdWare.Sahat.g". Action Taken: No Action Taken.
34: Mon Jun 20 21:28:43 2005 => File C:\WINNT\system32\ctb_s.exe tagged as "not-a-virus:AdWare.BrowsePal.a". Action Taken: No Action Taken.
35: Mon Jun 20 21:36:53 2005 => File C:\WINNT\Temp\Adware\cd_install_329.exe tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
36: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\adm25.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
37: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\adm4.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
38: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\admdloader.dll tagged as "not-a-virus:AdWare.BrilliantDigital.3039". Action Taken: No Action Taken.
39: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\admfdi.dll tagged as "not-a-virus:AdWare.Altnet.j". Action Taken: No Action Taken.
40: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\admprog.dll tagged as "not-a-virus:AdWare.Altnet.i". Action Taken: No Action Taken.
41: Mon Jun 20 21:36:54 2005 => File C:\WINNT\Temp\Altnet\dmfiles.cab tagged as "not-a-virus:AdWare.Altnet.b". Action Taken: No Action Taken.
42: Mon Jun 20 21:36:56 2005 => File C:\WINNT\Temp\Altnet\pmfiles.cab tagged as "not-a-virus:AdWare.BrilliantDigital.1007". Action Taken: No Action Taken.
43: Mon Jun 20 21:36:56 2005 => File C:\WINNT\Temp\Altnet\Setup.exe tagged as "not-a-virus:AdWare.Altnet.b". Action Taken: No Action Taken.
44: Mon Jun 20 21:43:11 2005 => File D:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\D2844\aurora.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
45: Mon Jun 20 21:44:44 2005 => File D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temp\-1.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
46: Mon Jun 20 21:45:02 2005 => File D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IJU1QN6N\Nail[1].exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
47: Mon Jun 20 21:45:03 2005 => File D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IJU1QN6N\thin_installerv3[1].exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
48: Mon Jun 20 21:56:38 2005 => File D:\Programme\Oberon Media\Luxor\game crack Seri*hier nicht!* luxor.exe tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
49: Mon Jun 20 21:56:38 2005 => File D:\Programme\Oberon Media\Luxor\ltr230ck.exe tagged as not-a-virus:FalseAlarm.DrWeb.Backdoor.Theef.111. No Action Taken.
50: Mon Jun 20 21:57:32 2005 => File D:\System Volume Information\_restore{6676B30B-637D-4C84-B2D6-E64E2FF92023}\RP367\A0199034.exe tagged as "not-a-virus:AdWare.SafeSurfing.j". Action Taken: No Action Taken.

Information\_restore{6676B30B-637D-4C84-B2D6-E64E2FF92023}\RP374\A0212314.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
86: Mon Jun 20 22:12:10 2005 => File D:\WINDOWS\iwzdkab.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
87: Mon Jun 20 22:12:20 2005 => File D:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
88: Mon Jun 20 22:25:54 2005 => File D:\WINDOWS\system32\InstallerV3.exe tagged as "not-a-virus:AdWare.SafeSurfing.j". Action Taken: No Action Taken.
89: Mon Jun 20 22:27:29 2005 => File D:\WINDOWS\system32\nsf1F.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
90: Mon Jun 20 22:27:29 2005 => File D:\WINDOWS\system32\nsn19.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
91: Mon Jun 20 22:27:30 2005 => File D:\WINDOWS\system32\nso25.dll tagged as "not-a-virus:AdWare.Beginto.c". Action Taken: No Action Taken.
92: Mon Jun 20 22:28:48 2005 => File D:\WINDOWS\system32\sceniccs.exe tagged as not-a-virus:Server-Proxy.Win32.MarketScore.g. No Action Taken.
93: Mon Jun 20 22:28:49 2005 => File D:\WINDOWS\system32\scenicwu.exe tagged as "not-a-virus:AdWare.SaveNow.z". Action Taken: No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------

1: Mon Jun 20 20:51:51 2005 => ERROR!!! Invalid Entry Location = C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll (in key SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.fpx). No Action Taken.
2: Mon Jun 20 20:51:51 2005 => ERROR!!! Invalid Entry Location = C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll (in key SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.ivr). No Action Taken.
3: Mon Jun 20 20:52:04 2005 => ERROR!!! Invalid Entry XPClean-RegWarner = F:\XPcleanV7\RegWarner.exe /s (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
4: Mon Jun 20 20:52:14 2005 => ERROR!!! Invalid Entry D:\DOKUME~1\Eric\LOKALE~1\Temp\hpdj.exe -servicerunning=true -uninstall=hp deskjet 3500 series -product= in SYSTEM\CurrentControlSet\Services\hpdj...
5: Mon Jun 20 20:52:14 2005 => ERROR!!! Invalid Entry \??\D:\DOKUME~1\Jan\LOKALE~1\Temp\idrmkl.sys in SYSTEM\CurrentControlSet\Services\idrmkl...
6: Mon Jun 20 20:56:03 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "D:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
7: Mon Jun 20 20:56:03 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "D:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
8: Mon Jun 20 20:56:03 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
9: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\res\builtin\htmlbindings.xml". Action Taken: No Action Taken.
10: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\chrome\all-locales.rdf". Action Taken: No Action Taken.
11: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\all.xpt". Action Taken: No Action Taken.
12: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\res\fonts\fontencoding.properties". Action Taken: No Action Taken.
13: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\defaults\pref\all.js". Action Taken: No Action Taken.
14: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\res\language.properties". Action Taken: No Action Taken.
15: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\appshell.dll". Action Taken: No Action Taken.
16: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\archive.dll". Action Taken: No Action Taken.
17: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\browser.exe". Action Taken: No Action Taken.
18: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\caps.dll". Action Taken: No Action Taken.
19: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\chardet.dll". Action Taken: No Action Taken.
20: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\chrome.dll". Action Taken: No Action Taken.
21: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\dialup.dll". Action Taken: No Action Taken.
22: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\docshell.dll". Action Taken: No Action Taken.
23: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\dugprot.dll". Action Taken: No Action Taken.
24: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\editor.dll". Action Taken: No Action Taken.
25: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\embedcomponents.dll". Action Taken: No Action Taken.
26: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gfx2.dll". Action Taken: No Action Taken.
27: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkcontent.dll". Action Taken: No Action Taken.
28: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\gkgfx.dll". Action Taken: No Action Taken.
29: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkgfxwin.dll". Action Taken: No Action Taken.
30: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gklayout.dll". Action Taken: No Action Taken.
31: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkparser.dll". Action Taken: No Action Taken.
32: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkplugin.dll". Action Taken: No Action Taken.
33: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkview.dll". Action Taken: No Action Taken.
34: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\gkwidget.dll". Action Taken: No Action Taken.
35: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hlw.dll". Action Taken: No Action Taken.
36: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hpfutility.dll". Action Taken: No Action Taken.
37: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hpvcirt.dll". Action Taken: No Action Taken.
38: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hpvcp60.dll". Action Taken: No Action Taken.
39: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hpvcrt.dll". Action Taken: No Action Taken.
40: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\hpxmldispatch.dll". Action Taken: No Action Taken.
41: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\img3250.dll". Action Taken: No Action Taken.
42: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\imggif.dll". Action Taken: No Action Taken.
43: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\imgjpeg.dll". Action Taken: No Action Taken.
44: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\imglib2.dll". Action Taken: No Action Taken.
45: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\imgpng.dll". Action Taken: No Action Taken.
46: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\imgppm.dll". Action Taken: No Action Taken.
47: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\internetupdate.dll". Action Taken: No Action Taken.
48: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\iubroker.dll". Action Taken: No Action Taken.
49: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\jar50.dll". Action Taken: No Action Taken.
50: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\jpeg3250.dll". Action Taken: No Action Taken.
51: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\js3250.dll". Action Taken: No Action Taken.
52: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\jsdom.dll". Action Taken: No Action Taken.
53: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\jsurl.dll". Action Taken: No Action Taken.
54: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\lwbrk.dll". Action Taken: No Action Taken.
55: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\mozreg.dll". Action Taken: No Action Taken.
56: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\necko.dll". Action Taken: No Action Taken.
57: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nkcache.dll". Action Taken: No Action Taken.
58: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nphppui.dll". Action Taken: No Action Taken.
59: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nsgif.dll". Action Taken: No Action Taken.
60: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nsjpg.dll". Action Taken: No Action Taken.
61: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nslocale.dll". Action Taken: No Action Taken.
62: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\nspng.dll". Action Taken: No Action Taken.
63: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\nspr4.dll". Action Taken: No Action Taken.
64: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\patchw32.dll". Action Taken: No Action Taken.
65: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\plc4.dll". Action Taken: No Action Taken.
66: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\plds4.dll". Action Taken: No Action Taken.
67: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\printpcl.exe". Action Taken: No Action Taken.
68: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\profile.dll". Action Taken: No Action Taken.
69: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\rdf.dll". Action Taken: No Action Taken.
70: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\search.dll". Action Taken: No Action Taken.
71: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\shistory.dll". Action Taken: No Action Taken.
72: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\strres.dll". Action Taken: No Action Taken.
73: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\u32.dll". Action Taken: No Action Taken.
74: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\ucharuti.dll". Action Taken: No Action Taken.
75: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\uconv.dll". Action Taken: No Action Taken.
76: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\ucvibm.dll". Action Taken: No Action Taken.
77: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\ucvlatin.dll". Action Taken: No Action Taken.
78: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\urildr.dll". Action Taken: No Action Taken.
79: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\utilitybroker.dll". Action Taken: No Action Taken.
80: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\webbrwsr.dll". Action Taken: No Action Taken.
81: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\xerces-c_1_3.dll". Action Taken: No Action Taken.
82: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\xpc3250.dll". Action Taken: No Action Taken.
83: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\xpcom.dll". Action Taken: No Action Taken.
84: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\components\xppref32.dll". Action Taken: No Action Taken.
85: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\z32.dll". Action Taken: No Action Taken.
86: Mon Jun 20 20:56:04 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Hewlett-Packard\hp deskjet assistant\bin\zlib.dll". Action Taken: No Action Taken.
87: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Programme\Gemeinsame Dateien\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll". Action Taken: No Action Taken.
88: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDAPI32.DLL". Action Taken: No Action Taken.
89: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDR20007.DLL". Action Taken: No Action Taken.
90: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDPDX32.DLL". Action Taken: No Action Taken.
91: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\BLW32.DLL". Action Taken: No Action Taken.
92: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\BDEADMIN.EXE". Action Taken: No Action Taken.
93: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\BDEADMIN.HLP". Action Taken: No Action Taken.
94: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDSQL32.DLL". Action Taken: No Action Taken.
95: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDBAT32.DLL". Action Taken: No Action Taken.
96: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDQBE32.DLL". Action Taken: No Action Taken.
97: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDDBAS32.DLL". Action Taken: No Action Taken.
98: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDASCI32.DLL". Action Taken: No Action Taken.
99: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\BDEADMIN.CNT". Action Taken: No Action Taken.
100: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\IDDAO32.DLL". Action Taken: No Action Taken.
101: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\BANTAM.DLL". Action Taken: No Action Taken.
102: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\CHARSET.CVB". Action Taken: No Action Taken.
103: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\USA.BLL". Action Taken: No Action Taken.
104: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\EUROPE.BLL". Action Taken: No Action Taken.
105: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\CEEUROPE.BLL". Action Taken: No Action Taken.
106: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\CHARSET.BLL". Action Taken: No Action Taken.
107: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\OTHER.BLL". Action Taken: No Action Taken.
108: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\FAREAST.BLL". Action Taken: No Action Taken.
109: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\JAPAN.BLL". Action Taken: No Action Taken.
110: Mon Jun 20 20:56:07 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "f:\Felix\CEEUROPE.BTL". Action Taken: No Action Taken.

File ist noch lange nicht zu ende, aber mehr passt auf einmal glaub ich nicht hier rein...

Trotzdem vielen Dank für deine Mühe! Vielen Dank!
MfG eric

#5 Gehe in die Registry

Start-->Ausfuehren--> regedit

loeschen:

HKEY_CURRENT_USER\Software\aurora
HKEY_CURRENT_USER\Software\_rtneg3
HKEY_CLASSES_ROOT\trfdsk.amo
HKEY_CLASSES_ROOT\trfdsk.iiittt
HKEY_CLASSES_ROOT\trfdsk.momo
HKEY_CLASSES_ROOT\trfdsk.ohb


Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCPROC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SVCPROC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCPROC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Print\Monitors\ZepMon]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"


Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fixme.reg" auf dem Desktop doppelklicken






•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

d:\windows\system32\wheekrs.exe
D:\WINDOWS\kernel32.bat
D:\WINDOWS\system32\DrPMon.dll
C:\WINNT\system32\L70000008.dll
C:\WINNT\system32\L70000008.exe
C:\WINNT\Temp\Adware\Setup_PerfectNav.exe
D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\I9INYFIT\svcproc[1].exe
D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KFOZKJSF\Poller[1].exe
F:\AntiVir\INFECTED\DRPMON.DLL.VIR
F:\AntiVir\INFECTED\DRPMON.DLL.VIR

D:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\D2844\aurora.exe
C:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\asmfiles.cab
C:\Dokumente und Einstellungen\Eric\Lokale Einstellungen\Temp\__unin__.exe

C:\RECYCLER\NPROTECT\00037823.INT
C:\RECYCLER\NPROTECT\00037824.INT
C:\RECYCLER\NPROTECT\00037825.INT
C:\RECYCLER\NPROTECT\00037826.INT
C:\RECYCLER\NPROTECT\00037827.INT
C:\RECYCLER\NPROTECT\00037828.INT
C:\RECYCLER\NPROTECT\00037829.INT
C:\RECYCLER\NPROTECT\00037830.INT
C:\RECYCLER\NPROTECT\00037834.INT
C:\RECYCLER\NPROTECT\00037835.INT
C:\RECYCLER\NPROTECT\00037836.INT
C:\RECYCLER\NPROTECT\00037837.INT
C:\RECYCLER\NPROTECT\00037838.INT
C:\RECYCLER\NPROTECT\00037839.INT
C:\RECYCLER\NPROTECT\00037840.INT
C:\RECYCLER\NPROTECT\00037841.INT
C:\RECYCLER\NPROTECT\00037842.INT
C:\RECYCLER\NPROTECT\00037843.INT
C:\RECYCLER\NPROTECT\00037844.INT
C:\RECYCLER\NPROTECT\00037845.INT
C:\WINNT\system32\cd_clint.dll
C:\WINNT\system32\ctbv2.dll
C:\WINNT\system32\ctb_s.exe
C:\WINNT\Temp\Adware\cd_install_329.exe
C:\WINNT\Temp\Altnet\adm25.dll
C:\WINNT\Temp\Altnet\adm4.dll
C:\WINNT\Temp\Altnet\admdloader.dll
C:\WINNT\Temp\Altnet\admfdi.dll
C:\WINNT\Temp\Altnet\admprog.dll
C:\WINNT\Temp\Altnet\dmfiles.cab
C:\WINNT\Temp\Altnet\pmfiles.cab
C:\WINNT\Temp\Altnet\Setup.exe

D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temp\-1.exe
D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IJU1QN6N\Nail[1].exe
D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IJU1QN6N\thin_installerv3[1].exe
D:\Programme\Oberon Media\Luxor\game crack Seri*hier nicht!* luxor.exe
D:\WINDOWS\iwzdkab.exe
D:\WINDOWS\Nail.exe
D:\WINDOWS\system32\InstallerV3.exe
D:\WINDOWS\system32\nsf1F.dll
D:\WINDOWS\system32\nsn19.dll
D:\WINDOWS\system32\nso25.dll

D:\WINDOWS\System32\ELTTTIK.EXE
D:\WINDOWS\System32\SAVERB~1.EXE
D:\WINDOWS\System32\SCENICCS.EXE
D:\WINDOWS\System32\SCENICWU.EXE
D:\WINDOWS\System32\UHARC.EXE
D:\WINDOWS\SVCPROC.EXE
D:\WINDOWS\WCMAIN.EXE
D:\WINDOWS\System32\NSF1F.DLL
D:\WINDOWS\System32\NSN19.DLL
D:\WINDOWS\System32\NSO25.DLL
D:\WINDOWS\System32\body33331.ico
D:\WINDOWS\System32\creditcard32123123123asdsa1.ico
D:\WINDOWS\System32\dice21.ico
D:\WINDOWS\System32\greenmovie2313asaadsasfad112341231adsfa11.ico
D:\WINDOWS\System32\kill all spyware4512.ico
D:\WINDOWS\System32\ps31.ico
D:\WINDOWS\System32\vh e2331.ico

PC neustarten

D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\KFOZKJSF <--loeschen

D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\I9INYFIT <--loeschen

D:\Dokumente und Einstellungen\Jan\Lokale Einstellungen\Temporary Internet Files\Content.IE5\IJU1QN6N

C:\WINNT\Temp\Altnet <--loeschen

CCleaner--> loesche alle *temp-Datein
http://virus-protect.org/temp.html



Nail.exe/Software-aurora /Sahagent
http://bilder.informationsarchiv.net/Nikitas_Tools/Find_It__s.zip
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
Poste bitte das Log vom Scann


ABIremover.zip (57,2 KB)
http://forum.hijackthis.de/showthread.php?t=3172

Hier nun die Schritt für Schritt Anleitung:
1.
Downloade den Remover (angehängt) und speichere ihn auf deinem Desktop
2.
Downloade (wenn nicht schon passiert) die neueste Hijackthis Version und entpacke sie in ihren eigene Ordner
3.
Starte im abgesicherten Modus neu, starte dort keine anderen Programme, kein Internet Explorer oder ähnliches
4.
Starte den ABIRemover.exe, drücke install, warte (explorer fenster verschwindet kurz)

-----------------------------------------------

Deaktivieren Wiederherstellung
«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

scanne noch mal mit escan + berichtre
__________
MfG Sabina

rund um die PC-Sicherheit

#6 Hi Sabina,

ich habe genau wie gestern Stück für Stück deine Anleitung abgearbeitet.

Hier ist die Log von Find It's:


Microsoft Windows XP [Version 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! D:\WINDOWS\DAEMON.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Datentr„ger in Laufwerk D: ist SystemXP
Volumeseriennummer: 3841-4A00

Verzeichnis von D:\WINDOWS\SYSTEM32

13.06.2005 20:47 <DIR> cache32_rtneg3
0 Datei(en) 0 Bytes
1 Verzeichnis(se), 839.196.672 Bytes frei
»»»»» Checking for SAHAgent ico files.
Datentr„ger in Laufwerk D: ist SystemXP
Volumeseriennummer: 3841-4A00

Verzeichnis von D:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora



und dann habe ich hier noch nach 1 1/2 Stunden Scann das Ergebniss von eScann für dich:

"Es gibt keine zu löschenden Datein."

eScann lässt mich mwav.log nicht mal öffnen, heißt das, dass alles okay isz?

Nun gut, jedenfalls bist du jetzt wieder auf dem neusten Stand.

Nochmals Danke!

#7 Hi!
Ich habe beim Kollegen auch den buddy.f (antivir) gefunden und brauche ebenfalls hilfe:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\yqddtl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\CyberLink\PowerDVD\PowerDVD.exe
C:\Programme\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\VIA\RAID\raid_tool.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINDOWS\ISW\alice\signup\Tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOKUME~1\Nazmi\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eureka-gmbh.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice-dsl.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice-dsl.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alice-dsl.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E338841-2976-9300-6269-1275E0D29ABE} - C:\WINDOWS\cdmweb\sfscxqfjeb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Programme\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Seri*hier nicht!*] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PowerDVD] C:\Programme\CyberLink\PowerDVD\PowerDVD.exe /autostart
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Á³#L"h'þ9Óœð3rÅWC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\hbnnieo.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Programme\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [Á²#L"h'þ9Óœð3rÅWC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\hbnnieo.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ufsrzs] c:\windows\system32\yqddtl.exe r
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Programme\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programme\VIA\RAID\raid_tool.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eureka-gmbh.de
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c9.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105623998890
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5202CB70-45F7-4F2B-9E48-559AB55C31B1}: NameServer = 213.191.74.12 213.191.92.84
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#8 Hallo@milchreisfan

Gehe in die Registry

Start-->Ausfuehren--> regedit

loesche:

HKEY_CURRENT_USER\Software\aurora

PC neustarten

poste bitte das neue Log vom HijackTHis
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Hallo@ibowned

Nail.exe/Software-aurora /Sahagent
http://bilder.informationsarchiv.net/Nikitas_Tools/Find_It__s.zip
1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
Poste bitte das Log vom Scann


Download pfind
http://www.bleepingcomputer.com/files/pfind.php
extract the files to a folder of there own, a good place would be C:\Pfind, open the folder and run pfind.bat

post the log Pfind produced C:\pfind.txt
__________
MfG Sabina

rund um die PC-Sicherheit

#10 Hi @ Sabina,

hatte HKEY_CURRENT_USER\Software\aurora gar nicht. Ich glaube die hatte ich schon mal gelöscht.

Hier das aktuelle Log von HiJackThis:


Logfile of HijackThis v1.99.1
Scan saved at 18:56:45, on 22.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
F:\AntiVir\AVGUARD.EXE
F:\AntiVir\AVWUPSRV.EXE
D:\WINDOWS\System32\CTSvcCDA.EXE
D:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\fxssvc.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\LVComS.exe
D:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
F:\AntiVir\AVGNT.EXE
D:\WINDOWS\system32\ctfmon.exe
F:\SmartSurfer\SmartSurfer.exe
D:\Programme\Internet Explorer\iexplore.exe
F:\___eric___\Download\kill buddy.f\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [LVCOMS] D:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelliPoint] "D:\Programme\Microsoft Hardware\Mouse\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "F:\AntiVir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [PE2CKFNT SE] f:\PhotoExpress\ChkFont.exe
O4 - HKLM\..\Run: [vbrpcvp] d:\windows\system32\wheekrs.exe r
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [XPClean-RegWarner] F:\XPcleanV7\RegWarner.exe /s
O4 - Startup: SmartSurfer.lnk = F:\SmartSurfer\SmartSurfer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with NetPumper - F:\NetPumper\AddUrl.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - D:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAF4771B-895A-4907-BA12-5D0CB4A68DC5}: NameServer = 195.182.110.132 62.134.11.4
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\AntiVir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\AntiVir\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - D:\PROGRAMME\FRITZ!\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - D:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - D:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe



Und, is jetzt wieder alles okay?

Vielen Dank!
eric

#11 Hallo@milchreisfan

ABIremover.zip (57,2 KB)
http://forum.hijackthis.de/showthread.php?t=3172

Hier nun die Schritt für Schritt Anleitung:
1.
Downloade den Remover (angehängt) und speichere ihn auf deinem Desktop
2.
Downloade (wenn nicht schon passiert) die neueste Hijackthis Version und entpacke sie in ihren eigene Ordner
3.
Starte im abgesicherten Modus neu, starte dort keine anderen Programme, kein Internet Explorer oder ähnliches
4.
Starte den ABIRemover.exe, drücke install, warte (explorer fenster verschwindet kurz)
5.
starte direkt neu und erneut in den abgesicherten Modus
6.
Fixe den Zufallsschlüssel in der Registry mit Hijackthis

O4 - HKLM\..\Run: [vbrpcvp] d:\windows\system32\wheekrs.exe r

Notiere den Zufallsnamen (wheekrs.exe) und lösche die Datei in deinem System32 Ordner.

-----------------------------------------------
laden+ scannen Nailfix
http://www.noidea.us/easyfile/file.php?download=20050515010747824
__________
MfG Sabina

rund um die PC-Sicherheit

#12 Hi @ Sabina,

ich hab das soweit versucht, aber ich komm mit dem Zufallsnamen nich klar... wo soll ich den notieren? ich hab den doch nirgends?!

Und diese wheekrs.exe die ich aus system32 löschen soll ist da auch nich drin, komisch...

Mal was anderes, bei meinem Internetbanking waren vorhin auf einmal alle TAN Nummern unbrauchbar, weil ich angeblich dreimal die falsche eingegeben hab, kann das in irgend einem Zusammenhang mit buddy.f stehen?

Wäre nett, wenn du das mit dem Zufallsnamen nochmal ein wenig verständlicher schreiben könntest.

Vielen Dank und
MfG

eric

#13 Hallo@milchreisfan

hast du mit dem Tool ABIremover.zip gescannt ? (auch ohne was manuell zu loeschen)

Lade+ scanne bitte das und poste das Log vom Scan
Testversion(Trial) von a² Personal (Originalseite)
Emsisoft/de/software/free

a-squared Free
Version 1.6 für Windows 98, ME, NT4, 2000, 2000 Server, XP und 2003 Server (1,24 MB)


http://virus-protect.org/antivirenfree.html
----------------

setze dich schnellstens mit deiner bank in Verbindung (nicht ueber das Internet !!!!!!!!)
__________
MfG Sabina

rund um die PC-Sicherheit

#14 Hab mit abi remover gescannt, gibt aber kein logfile aus, oder ich seh zumindestens keins...

Bei a2 kam das hier raus:

http://www.hijackfree.com/analyze/?id=7fe34964-b3de-4bf3-b844-772170792c34">Link zur analyseseite

was muss ich denn eigentlich noch alles machen um das Schei... wieder los zu werden???

mfg
eric

#15 milchreisfan:

fixe mit dem HijackThis:
O4 - HKLM\..\Run: [vbrpcvp] d:\windows\system32\wheekrs.exe r

neustarten, in den abges.Modus.

#mit ABIremover scannen
#D:\DOKUME~1\Eric\LOKALE~1\Temp\D2844\aurora.exe <--loeschen
#D:\WINDOWS\iwzdkab.exe <--loeschen

dann:

Start -- Ausführen -- cmd -- kopiere nur die Einträge der letzten 50 Tage aus dem sich öffnenden Editor raus

einzeln reinkopierendann öffnet sich der Editor)

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit

cd\
cd %temp%\
dir /a:-d /o:-d > %systemdrive%\systemtemp.txt
start %systemdrive%\systemtemp.txt
cls
exit

cd\
cd %windir%
dir /a:-d /o:-d > %systemdrive%\system.txt
start %systemdrive%\system.txt
cls
exit

cd\
dir /a:-d /o:-d > %systemdrive%\sys.txt
start %systemdrive%\sys.txt
cls
exit
__________
MfG Sabina

rund um die PC-Sicherheit