Trojan TR/Proxy.Bary.FL and probably more

18.08.2006, 13:16
Member

Posts: 12
#1 For a few days I have been having massive problems with a Win 2000 Server. My AntiVir reports the trojan TR/Proxy.Bary.FL, but I cannot remove it because it has nested itself deep in the system.

Do you have a solution? Please look through the logs; maybe something else is wrong as well.

Logfile of HijackThis v1.99.1
Scan saved at 13:12:37, on 18.08.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\mscnslskrnl.exe
D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\6.tmp
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
D:\Voiceserver\TeamSpeak2\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Voiceserver\TeamSpeak2\server_windows.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\taskmgr.exe
D:\Programme\Gene6 FTP Server\G6FTPTray.exe
C:\Programme\Uptime Project\client.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\6.tmp
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\6.tmp

O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4\Rar$EX02.139\msconfig_w2k\msconfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Management Service] C:\WINNT\system32\6.tmp
O4 - HKCU\..\Run: [Steam] "d:\martin\csserver\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mini-Relay] "D:\Programme\miniRelay\miniRelay.exe"
O4 - HKCU\..\Run: [ServerMonitor] "d:\Programme\RanaInside\ServerMonitor\ServerMonitor.exe" -s
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "d:\Programme\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKCU\..\Run: [Uptime-Project] C:\Programme\Uptime Project\client.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA258F7B-545B-4ACF-94D9-0980CBAF2C90}: NameServer = 213.202.193.165,213.202.250.188
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: Identd - Unknown owner - d:\IdentD\Identd.exe (file missing)
O23 - Service: Microsoft Console (mscnls) - Cat Soft - C:\WINNT\system32\mscnslskrnl.exe
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\6.tmp
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

This post was edited on 18.08.2006 at 13:24 by Godzilla13.
18.08.2006, 15:02
Honorary member

Posts: 29434
#2 Godzilla13

set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 4 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date (copy only the last 3 months).
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
18.08.2006, 16:30
Member

Thread starter

Posts: 12
#3 I had already run CleanUp that way before the log above, except for "Delete Prefetch files", which could not be clicked.

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT\system32

18.08.2006 16:22 72 requests.dat
18.08.2006 16:07 72 requests.dat.bak
18.08.2006 15:56 44.544 .exe
18.08.2006 12:52 618 perfdiskprocmon.dat
18.08.2006 12:51 55.035 spcmdntidos.sys
18.08.2006 12:43 16.384 Perflib_Perfdata_5a4.dat
18.08.2006 12:13 16.384 Perflib_Perfdata_348.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b8.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b0.dat
17.08.2006 18:02 186.368 rkxa.exe
16.08.2006 21:08 186.368 qfnodobv.exe
15.08.2006 09:39 24.665 C.tmp
15.08.2006 09:08 24.665 B.tmp
15.08.2006 05:20 24.665 8.tmp
15.08.2006 04:30 24.665 7.tmp
15.08.2006 01:18 24.665 6.tmp
14.08.2006 19:00 16.384 Perflib_Perfdata_354.dat
14.08.2006 01:13 13.132 msibot.cfg
14.08.2006 01:06 16.384 Perflib_Perfdata_4d4.dat
14.08.2006 01:02 1.343.147 nt.exe
02.06.2006 11:04 57.384 avsda.dll
09.04.2006 04:33 176 start.bat



Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\2

18.08.2006 14:37 6.595.543 psplist.txt
18.08.2006 14:37 1.985.392 ranges65504.zip
18.08.2006 14:36 171.549 webui_1.6.7.zip
18.08.2006 14:35 683 AZU34104.tmp
18.08.2006 14:35 5.233 AZU34103.tmp
18.08.2006 14:34 1.985.392 ranges34084.zip
6 Datei(en) 10.743.792 Bytes
0 Verzeichnis(se), 5.006.460.928 Bytes frei

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT

18.08.2006 12:54 2.063.161 WindowsUpdate.log
18.08.2006 12:49 32.482 SchedLgU.Txt
17.08.2006 18:06 309.714 setupapi.log
17.08.2006 17:49 199.346 ShellIconCache
16.08.2006 20:09 227 system.ini
16.08.2006 20:09 321 win.ini
14.08.2006 01:32 786 KB921883.log

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\

18.08.2006 16:33 0 sys.txt
18.08.2006 16:33 9.425 system.txt
18.08.2006 16:33 567 systemtemp.txt
18.08.2006 16:32 97.502 system32.txt
18.08.2006 12:51 792.723.456 pagefile.sys
16.08.2006 20:09 186 boot.ini
18.08.2006, 21:46
Honorary member

Posts: 29434
#4 1.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it. Under "Enter search strings" enter (type or paste):

spcmdntidos

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

the same with:

Windows Network Security Management Service

Microsoft Console
Windows Genuine Advantage Registration Service
mscnslskrnl.exe
6.tmp

2.
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- unzip
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy POST_THIS.TXT

3.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Files to delete:
C:\WINNT\system32\requests.dat
C:\WINNT\system32\requests.dat.bak
C:\WINNT\system32\.exe
C:\WINNT\system32\perfdiskprocmon.dat
C:\WINNT\system32\spcmdntidos.sys
C:\WINNT\system32\rkxa.exe
C:\WINNT\system32\qfnodobv.exe
C:\WINNT\system32\C.tmp
C:\WINNT\system32\B.tmp
C:\WINNT\system32\8.tmp
C:\WINNT\system32\7.tmp
C:\WINNT\system32\6.tmp
C:\WINNT\system32\nt.exe


Click the green traffic light
the script will now be executed, then the PC will restart automatically

4.
post the Avenger log that appears after the restart

5.
open HijackThis -- button "Scan" -- tick the boxes in front of the entries -- button "Fix checked" -- restart the PC

Quote

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\6.tmp
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\6.tmp

O4 - HKLM\..\Run: [MSConfig] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4\Rar$EX02.139\msconfig_w2k\msconfig.exe /auto

O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Management Service] C:\WINNT\system32\6.tmp
Restart the PC
__________
Regards, Sabina

all about PC security
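Added example, not part of the thread: a small Python triage script for the Registry Search output requested in step 1. It parses the REGEDIT4 text, decodes hex(2) ImagePath data back into a path, and reports only the autostart locations (Winlogon Shell/Userinit, Run, the .DEFAULT `load` value, service ImagePath) whose data is abnormal, so hits such as Advanced INF Setup entries that merely contain the search string are not mistaken for persistence. The sample input is constructed from the values posted in this thread; the flagging rules are the author's own heuristics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Registry Search output posted in this thread.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\6.tmp"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\6.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsms]
; c:\winnt\system32\6.tmp
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,36,2e,\
74,6d,70,00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINNT\\system32\\6.tmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.Controls]
"InstallINFFile"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\1\\RGI6.tmp"
; End Of The Log...
"""

WINLOGON = r"\windows nt\currentversion\winlogon"
TMP_FILE = re.compile(r"\.tmp$", re.I)  # autostarts launched from *.tmp, as in this thread


def join_continuations(text: str) -> List[str]:
    """REGEDIT4 wraps long hex data with a trailing backslash; rejoin those lines."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\") and not line.startswith(";"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def decode_value(raw: str) -> str:
    """Decode quoted string data (with \\ escapes) or hex(2) data (ANSI, NUL-terminated)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("latin-1").split("\x00", 1)[0]
    return raw


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, decoded data) for every value in the log."""
    entries: List[Tuple[str, str, str]] = []
    key = None
    for line in join_continuations(text):
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and key is not None:
            entries.append((key, m.group(1), decode_value(m.group(2))))
    return entries


def triage(entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Keep only autostart locations whose data is abnormal; plain string hits are dropped."""
    findings: List[Dict[str, str]] = []
    for key, name, data in entries:
        k, n, reason = key.lower(), name.lower(), None
        if k.endswith(WINLOGON) and n == "shell":
            progs = [p.lower() for p in re.split(r"[\s,]+", data) if p]
            if progs != ["explorer.exe"]:
                reason = "Winlogon Shell must be exactly Explorer.exe"
        elif k.endswith(WINLOGON) and n == "userinit":
            progs = [p.strip().lower() for p in data.split(",") if p.strip()]
            if len(progs) != 1 or not progs[0].endswith("\\userinit.exe"):
                reason = "Winlogon Userinit must list only userinit.exe"
        elif k.endswith(r"\windows nt\currentversion\windows") and n in ("load", "run") and data:
            reason = "legacy win.ini-style autostart value is set"
        elif re.search(r"\\currentversion\\run(once)?$", k) and TMP_FILE.search(data):
            reason = "Run value launches a *.tmp file"
        elif re.search(r"\\services\\[^\\]+$", k) and n == "imagepath" and TMP_FILE.search(data):
            reason = "service ImagePath points at a *.tmp file"
        if reason:
            findings.append({"key": key, "value": name, "data": data, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE)):
        print(f"{f['reason']}\n  [{f['key']}]\n  {f['value']} = {f['data']}")
```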
18.08.2006, 22:34
Member

Thread starter

Posts: 12
#5 Another virus scanner has given me a new name for it:
Trojan-Proxy.Win32.Ranky.gen

But it could not remove the trojan either. Here are the logs:

1. Download Registry Search by Bobbi Flekman

Quote

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:03:58 for strings:
; 'spcmdntidos'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:05:23 for strings:
; 'windows network security management service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft (R) Windows Network Security Management Service]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nsms]
"DisplayName"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nsms]
"DisplayName"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsms]
"DisplayName"="Windows Network Security Management Service"

; End Of The Log...

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:06:55 for strings:
; 'microsoft console'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mscnls]
"DisplayName"="Microsoft Console"
"Description"="The Microsoft Console opens a secure connection to remote control this computer"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mscnls]
"DisplayName"="Microsoft Console"
"Description"="The Microsoft Console opens a secure connection to remote control this computer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mscnls]
"DisplayName"="Microsoft Console"
"Description"="The Microsoft Console opens a secure connection to remote control this computer"

; End Of The Log...

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:07:51 for strings:
; 'windows genuine advantage registration service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WGAREG\0000]
"DeviceDesc"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WGAREG\0000]
"DeviceDesc"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG\0000]
"DeviceDesc"="Windows Genuine Advantage Registration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"DisplayName"="Windows Genuine Advantage Registration Service"

; End Of The Log...

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:09:02 for strings:
; 'mscnslskrnl.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mscnls]
; Contents of value:
; c:\winnt\system32\mscnslskrnl.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,6d,73,\
63,6e,73,6c,73,6b,72,6e,6c,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mscnls]
; Contents of value:
; c:\winnt\system32\mscnslskrnl.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,6d,73,\
63,6e,73,6c,73,6b,72,6e,6c,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mscnls]
; Contents of value:
; c:\winnt\system32\mscnslskrnl.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,6d,73,\
63,6e,73,6c,73,6b,72,6e,6c,2e,65,78,65,00

; End Of The Log...

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.08.2006 22:10:38 for strings:
; '6.tmp'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.Controls]
"InstallINFFile"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\1\\RGI6.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\OutlookExpress]
"InstallINFFile"="C:\\WINNT\\msdownld.tmp\\AS072726.tmp\\oeexcep.inf"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft (R) Windows Network Security Management Service]
"command"="C:\\WINNT\\system32\\6.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\6.tmp"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\6.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nsms]
; Contents of value:
; c:\winnt\system32\6.tmp
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,36,2e,\
74,6d,70,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nsms]
; Contents of value:
; c:\winnt\system32\6.tmp
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,36,2e,\
74,6d,70,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsms]
; Contents of value:
; c:\winnt\system32\6.tmp
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,36,2e,\
74,6d,70,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINNT\\system32\\6.tmp"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\ej-technologies\exe4j\temp]
"delete_file"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\2\\e4j6.tmp_dir21220\\exe4jlib.jar;"
"delete_dir"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\2\\e4j6.tmp_dir21220;"

; End Of The Log...
2. ServiceFilter.zip

Quote

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Server
Version: 5.0.2195 Service Pack 4
Aug 18, 2006 22:13:25


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AnGeL-59935597
Display Name: AnGeL-59935597
Start Mode: Auto
Start Name: LocalSystem
Description: AnGeL-59935597 - ...
Service Type: Own Process
Path: d:\angelbot\angel.exe serv
State: Running
Process ID: 556
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: AnGeL-68129770
Display Name: AnGeL-68129770
Start Mode: Auto
Start Name: LocalSystem
Description: AnGeL-68129770 - ...
Service Type: Own Process
Path: d:\angelbot2\angel.exe serv
State: Running
Process ID: 576
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: AnGeL-82509427
Display Name: AnGeL-82509427
Start Mode: Auto
Start Name: LocalSystem
Description: AnGeL-82509427 - ...
Service Type: Own Process
Path: d:\angelbot6\angel.exe serv
State: Running
Process ID: 592
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 4
Service Name: AnGeL-87668793
Display Name: AnGeL-87668793
Start Mode: Auto
Start Name: LocalSystem
Description: AnGeL-87668793 - ...
Service Type: Own Process
Path: d:\angelbot5\angel.exe serv
State: Running
Process ID: 612
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 5
Service Name: AntiVirScheduler
Display Name: AntiVir PersonalEdition Classic Planer
Start Mode: Auto
Start Name: LocalSystem
Description: AntiVir PersonalEdition Classic ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\sched.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1067
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 6
Service Name: AntiVirService
Display Name: AntiVir PersonalEdition Classic Guard
Start Mode: Auto
Start Name: LocalSystem
Description: AntiVir PersonalEdition Classic ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\avguard.exe
State: Running
Process ID: 712
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 7
Service Name: Apache2
Display Name: Apache2
Start Mode: Auto
Start Name: LocalSystem
Description: Apache2...
Service Type: Own Process
Path: "d:\webserver\xampp\apache\bin\apache.exe" -k runservice
State: Running
Process ID: 724
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #8
Service Name: Avg7Alrt
Display Name: AVG7 Alert Manager Server
Start Mode: Auto
Start Name: LocalSystem
Description: AVG7 Alert Manager ...
Service Type: Own Process
Path: c:\progra~1\grisoft\avgfre~1\avgamsvr.exe
State: Running
Process ID: 748
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #9
Service Name: Avg7UpdSvc
Display Name: AVG7 Update Service
Start Mode: Auto
Start Name: LocalSystem
Description: AVG7 Update ...
Service Type: Own Process
Path: c:\progra~1\grisoft\avgfre~1\avgupsvc.exe
State: Running
Process ID: 788
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 10
Service Name: DidentD
Display Name: DidentD
Start Mode: Disabled
Start Name: LocalSystem
Description: DidentD...
Service Type: Own Process
Path: d:\identd\didentd.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 11
Service Name: FileZilla Server
Display Name: FileZilla Server FTP server
Start Mode: Manual
Start Name: LocalSystem
Description: FileZilla Server FTP ...
Service Type: Own Process
Path: d:\webserver\xampp\filezillaftp\filezilla server.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 12
Service Name: G6FTPServer
Display Name: Gene6 FTP Server
Start Mode: Manual
Start Name: LocalSystem
Description: Gene6 FTP ...
Service Type: Own Process
Path: "d:\programme\gene6 ftp server\g6ftpserver.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 13
Service Name: Identd
Display Name: Identd
Start Mode: Auto
Start Name: LocalSystem
Description: Identd...
Service Type: Own Process
Path: d:\identd\identd.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 14
Service Name: mscnls
Display Name: Microsoft Console
Start Mode: Auto
Start Name: LocalSystem
Description: Microsoft ...
Service Type: Own Process
Path: c:\winnt\system32\mscnslskrnl.exe
State: Running
Process ID: 972
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service #15
Service Name: mysql
Display Name: mysql
Start Mode: Auto
Start Name: LocalSystem
Description: mysql...
Service Type: Own Process
Path: d:\webserver\xampp\mysql\bin\mysqld-nt --defaults-file=d:\webserver\xampp\mysql\bin\my.cnf mysql
State: Running
Process ID: 1048
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 16
Service Name: nsms
Display Name: Windows Network Security Management Service
Start Mode: Auto
Start Name: LocalSystem
Description: Windows Network Security Management ...
Service Type: Own Process
Path: c:\winnt\system32\6.tmp
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 17
Service Name: PHPGeekUtil
Display Name: PHPGeekUtil
Start Mode: Auto
Start Name: LocalSystem
Description: PHPGeekUtil...
Service Type: Own Process
Path: "c:\apache\apache.exe" --ntservice
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 18
Service Name: RpcRemote
Display Name: Remote Procedure Call (RPC) Remote
Start Mode: Auto
Start Name: LocalSystem
Description: Remote Procedure Call (RPC) ...
Service Type: Own Process
Path: c:\winnt\system32\remote.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 19
Service Name: TSService
Display Name: TSService
Start Mode: Auto
Start Name: LocalSystem
Description: TSService...
Service Type: Own Process
Path: d:\voiceserver\teamspeak2\srvany.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 20
Service Name: TSWinServer
Display Name: TSWinServer
Start Mode: Auto
Start Name: LocalSystem
Description: TSWinServer...
Service Type: Own Process
Path: d:\voiceserver\teamspeak2\srvany.exe
State: Running
Process ID: 1220
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 21
Service Name: wgareg
Display Name: Windows Genuine Advantage Registration Service
Start Mode: Auto
Start Name: LocalSystem
Description: Windows Genuine Advantage Registration ...
Service Type: Own Process
Path: c:\winnt\system32\wgareg.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 87 Win32 services on this machine.
21 were unrecognized.

Script Execution Time: 7,421875 seconds.
4. Avenger Log

Quote

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


Error: could not initiate system shutdown.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\haddolnv

*******************

Script file located at: \??\C:\WINNT\ytwhvuwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\requests.dat deleted successfully.
File C:\WINNT\system32\requests.dat.bak deleted successfully.


File C:\WINNT\system32\.exe not found!
Deletion of file C:\WINNT\system32\.exe failed!

Could not process line:
C:\WINNT\system32\.exe
Status: 0xc0000034

File C:\WINNT\system32\perfdiskprocmon.dat deleted successfully.
File C:\WINNT\system32\spcmdntidos.sys deleted successfully.


File C:\WINNT\system32\rkxa.exe not found!
Deletion of file C:\WINNT\system32\rkxa.exe failed!

Could not process line:
C:\WINNT\system32\rkxa.exe
Status: 0xc0000034



File C:\WINNT\system32\qfnodobv.exe not found!
Deletion of file C:\WINNT\system32\qfnodobv.exe failed!

Could not process line:
C:\WINNT\system32\qfnodobv.exe
Status: 0xc0000034



File C:\WINNT\system32\C.tmp not found!
Deletion of file C:\WINNT\system32\C.tmp failed!

Could not process line:
C:\WINNT\system32\C.tmp
Status: 0xc0000034



File C:\WINNT\system32\B.tmp not found!
Deletion of file C:\WINNT\system32\B.tmp failed!

Could not process line:
C:\WINNT\system32\B.tmp
Status: 0xc0000034



File C:\WINNT\system32\8.tmp not found!
Deletion of file C:\WINNT\system32\8.tmp failed!

Could not process line:
C:\WINNT\system32\8.tmp
Status: 0xc0000034



File C:\WINNT\system32\7.tmp not found!
Deletion of file C:\WINNT\system32\7.tmp failed!

Could not process line:
C:\WINNT\system32\7.tmp
Status: 0xc0000034



File C:\WINNT\system32\6.tmp not found!
Deletion of file C:\WINNT\system32\6.tmp failed!

Could not process line:
C:\WINNT\system32\6.tmp
Status: 0xc0000034



File C:\WINNT\system32\nt.exe not found!
Deletion of file C:\WINNT\system32\nt.exe failed!

Could not process line:
C:\WINNT\system32\nt.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vqydqdbn

*******************

Script file located at: \??\C:\WINNT\lpuguevm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINNT\system32\requests.dat not found!
Deletion of file C:\WINNT\system32\requests.dat failed!

Could not process line:
C:\WINNT\system32\requests.dat
Status: 0xc0000034



File C:\WINNT\system32\requests.dat.bak not found!
Deletion of file C:\WINNT\system32\requests.dat.bak failed!

Could not process line:
C:\WINNT\system32\requests.dat.bak
Status: 0xc0000034



File C:\WINNT\system32\.exe not found!
Deletion of file C:\WINNT\system32\.exe failed!

Could not process line:
C:\WINNT\system32\.exe
Status: 0xc0000034



File C:\WINNT\system32\perfdiskprocmon.dat not found!
Deletion of file C:\WINNT\system32\perfdiskprocmon.dat failed!

Could not process line:
C:\WINNT\system32\perfdiskprocmon.dat
Status: 0xc0000034



File C:\WINNT\system32\spcmdntidos.sys not found!
Deletion of file C:\WINNT\system32\spcmdntidos.sys failed!

Could not process line:
C:\WINNT\system32\spcmdntidos.sys
Status: 0xc0000034



File C:\WINNT\system32\rkxa.exe not found!
Deletion of file C:\WINNT\system32\rkxa.exe failed!

Could not process line:
C:\WINNT\system32\rkxa.exe
Status: 0xc0000034



File C:\WINNT\system32\qfnodobv.exe not found!
Deletion of file C:\WINNT\system32\qfnodobv.exe failed!

Could not process line:
C:\WINNT\system32\qfnodobv.exe
Status: 0xc0000034



File C:\WINNT\system32\C.tmp not found!
Deletion of file C:\WINNT\system32\C.tmp failed!

Could not process line:
C:\WINNT\system32\C.tmp
Status: 0xc0000034



File C:\WINNT\system32\B.tmp not found!
Deletion of file C:\WINNT\system32\B.tmp failed!

Could not process line:
C:\WINNT\system32\B.tmp
Status: 0xc0000034



File C:\WINNT\system32\8.tmp not found!
Deletion of file C:\WINNT\system32\8.tmp failed!

Could not process line:
C:\WINNT\system32\8.tmp
Status: 0xc0000034



File C:\WINNT\system32\7.tmp not found!
Deletion of file C:\WINNT\system32\7.tmp failed!

Could not process line:
C:\WINNT\system32\7.tmp
Status: 0xc0000034



File C:\WINNT\system32\6.tmp not found!
Deletion of file C:\WINNT\system32\6.tmp failed!

Could not process line:
C:\WINNT\system32\6.tmp
Status: 0xc0000034



File C:\WINNT\system32\nt.exe not found!
Deletion of file C:\WINNT\system32\nt.exe failed!

Could not process line:
C:\WINNT\system32\nt.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
Here is the new HijackThis log after the reboot:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 22:45:32, on 18.08.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\llssrv.exe
D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
D:\Voiceserver\TeamSpeak2\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Voiceserver\TeamSpeak2\server_windows.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\FSI\F-Prot\F-Sched.exe
C:\Programme\FSI\F-Prot\F-StopW.EXE
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Gene6 FTP Server\G6FTPTray.exe
C:\Programme\Uptime Project\client.exe
C:\WINNT\system32\taskmgr.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [Steam] "d:\martin\csserver\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mini-Relay] "D:\Programme\miniRelay\miniRelay.exe"
O4 - HKCU\..\Run: [ServerMonitor] "d:\Programme\RanaInside\ServerMonitor\ServerMonitor.exe" -s
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "d:\Programme\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKCU\..\Run: [Uptime-Project] C:\Programme\Uptime Project\client.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA258F7B-545B-4ACF-94D9-0980CBAF2C90}: NameServer = 213.202.193.165,213.202.250.188
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: Identd - Unknown owner - d:\IdentD\Identd.exe (file missing)
O23 - Service: Microsoft Console (mscnls) - Unknown owner - C:\WINNT\system32\mscnslskrnl.exe (file missing)
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\6.tmp (file missing)
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

This post was edited on 18.08.2006 at 22:47 by Godzilla13.

18.08.2006, 23:07
Honorary member Sabina
Posts: 29434
#6 post the 4 logs from datfindbat again (up to 2005),
then we'll clean the registry too............
__________
Regards, Sabina

all about PC security
19.08.2006, 12:06
Member (thread starter)
Posts: 12
#7

Quote

Volume in drive C is SYSTEM
Volume Serial Number is DC3C-4F67

Directory of C:\WINNT\system32

19.08.2006 12:05 1.079 tupss.dll
18.08.2006 23:31 0 .exe
18.08.2006 12:43 16.384 Perflib_Perfdata_5a4.dat
18.08.2006 12:13 16.384 Perflib_Perfdata_348.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b8.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b0.dat
17.08.2006 18:02 186.368 RKXA.0XE
16.08.2006 21:08 186.368 QFNODOBV.0XE
15.08.2006 09:39 24.665 C.0MP
15.08.2006 09:08 24.665 B.0MP
15.08.2006 05:20 24.665 8.0MP
15.08.2006 04:30 24.665 7.0MP
15.08.2006 01:18 24.665 6.0MP
14.08.2006 19:00 16.384 Perflib_Perfdata_354.dat
14.08.2006 01:13 13.132 msibot.cfg
14.08.2006 01:06 16.384 Perflib_Perfdata_4d4.dat
14.08.2006 01:02 1.343.147 nt.0xe
02.06.2006 11:04 57.384 avsda.dll
09.04.2006 04:33 176 start.bat

Volume in drive C is SYSTEM
Volume Serial Number is DC3C-4F67

Directory of C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1
Volume in drive C is SYSTEM
Volume Serial Number is DC3C-4F67

Directory of C:\WINNT

19.08.2006 12:09 1.123.292 WindowsUpdate.log
18.08.2006 22:37 32.482 SchedLgU.Txt
18.08.2006 22:37 229.264 ShellIconCache
18.08.2006 21:22 315.075 setupapi.log
16.08.2006 20:09 321 win.ini
16.08.2006 20:09 227 system.ini
14.08.2006 01:32 786 KB921883.log
03.02.2006 15:51 5.043 mozver.dat

Volume in drive C is SYSTEM
Volume Serial Number is DC3C-4F67

Directory of C:\

19.08.2006 12:10 0 sys.txt
19.08.2006 12:10 9.474 system.txt
19.08.2006 12:10 130 systemtemp.txt
19.08.2006 12:09 97.327 system32.txt
19.08.2006 11:59 792.723.456 pagefile.sys
18.08.2006 22:23 10.892 avenger.txt
16.08.2006 20:09 186 boot.ini
19.08.2006, 12:40
Honorary member Sabina
Posts: 29434
#8 honestly: you should format the machine.... it is totally compromised..........
http://virus-protect.org/artikel/dienste/wgareg.html

Avenger

Quote

registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mscnls
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mscnls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mscnls
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSCNLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSCNLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft (R) Windows Network Security Management Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nsms
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nsms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsms
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WGAREG\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WGAREG\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg


Files to delete:

C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\webui_1.6.7.zip
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\ranges34084.zip
C:\WINNT\system32\wgareg.exe
C:\WINNT\system32\remote.exe
C:\WINNT\system32\mscnslskrnl.exe
C:\WINNT\system32\tupss.dll
C:\WINNT\system32\.exe
C:\WINNT\system32\RKXA.0XE
C:\WINNT\system32\QFNODOBV.0XE
C:\WINNT\system32\nt.0xe
C:\WINNT\system32\C.0MP
C:\WINNT\system32\B.0MP
C:\WINNT\system32\8.0MP
C:\WINNT\system32\7.0MP
C:\WINNT\system32\6.0MP
C:\WINNT\system32\msibot.cfg

**
post the Avenger log

~~~~~~~~~~~~~~~~~~~~~~~~


go into the registry
Start - Run - regedit

Edit - Find - 6.tmp -> delete only what is marked in red !!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp" -> delete


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe C:\\WINNT\\system32\\6.tmp" -> delete
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\6.tmp" -> delete

restart the PC

------------------------------------------------------------------------


in: "Enter search strings" (type it in or paste it)

spcmdntidos

in edit and click "Ok".
Notepad will open -- copy the text and post it.


Windows Genuine Advantage Registration Service
Remote Procedure Call (RPC) Remote
remote.exe
Windows Network Security Management Service
6.tmp
Microsoft Console
mscnslskrnl.exe
Identd
identd.exe
DidentD
AnGeL-59935597


+
post the new HijackThis log + the 4 logs from datfindbat again

__________
Regards, Sabina

all about PC security
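To make the triage applied in this thread repeatable, here is an added example (not a tool used in the thread and not HijackThis's own logic) that reads HijackThis v1.99 lines and flags the three kinds of entry acted on above: Winlogon Shell/UserInit values with an extra program appended, Run entries that point at a .tmp file or sit in system32 under a Windows-sounding name, and O23 services whose binary HijackThis reports as missing. The F2 and O23 lines in the sample are copied from the logs in this thread; the second O4 line is constructed from the Run value quoted in post #8, and the rules are heuristics chosen for this example.

```python
"""Triage of HijackThis v1.99 log lines for the persistence indicators acted on in this thread.

Added example, not a tool used in the thread. It only reads text and deletes nothing; the
rules are heuristics chosen for this example, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass

# F2 and O23 lines are copied from the HijackThis logs in this thread. The second O4 line is
# constructed from the Run value quoted in post #8 (HijackThis reports such values as O4).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\6.tmp
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\6.tmp
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Management Service] C:\WINNT\system32\6.tmp
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft Console (mscnls) - Unknown owner - C:\WINNT\system32\mscnslskrnl.exe (file missing)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\6.tmp (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Winlogon should launch exactly these; anything appended (6.tmp here) runs at every logon.
WINLOGON_EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
SYSTEM_DIRS = ("c:\\winnt\\system32", "c:\\windows\\system32")


@dataclass(frozen=True)
class Finding:
    kind: str    # "winlogon", "run", "orphaned-service" or "unknown-in-system32"
    name: str    # registry value name, Run entry name or service name
    target: str  # the program that triggered the rule


def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[0].lower()


def check_winlogon(value_name: str, value: str) -> list[Finding]:
    """Every token of Shell= / UserInit= that is not the stock executable for that value."""
    expected = WINLOGON_EXPECTED[value_name.lower()]
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return [Finding("winlogon", value_name, t) for t in tokens if _basename(t) not in expected]


def check_run(entry: str, command: str) -> list[Finding]:
    """Run entries whose program is a .tmp file, or that live in system32 under a name
    that imitates a Windows component."""
    command = command.strip()
    program = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    imitates_windows = re.search(r"microsoft|windows", entry, re.I) is not None
    if _basename(program).endswith(".tmp") or (imitates_windows and _dirname(program) in SYSTEM_DIRS):
        return [Finding("run", entry, program)]
    return []


def check_service(display: str, owner: str, rest: str) -> list[Finding]:
    """Service keys whose binary is gone, and unknown-owner binaries living in system32."""
    rest = rest.strip()
    if rest.endswith("(file missing)"):
        return [Finding("orphaned-service", display, rest[: -len("(file missing)")].strip())]
    if owner == "Unknown owner" and _dirname(rest) in SYSTEM_DIRS:
        return [Finding("unknown-in-system32", display, rest)]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            findings += check_winlogon(m.group(1), m.group(2))
        elif m := O4_RE.match(line):
            findings += check_run(m.group(2), m.group(3))
        elif m := O23_RE.match(line):
            findings += check_service(m.group(1), m.group(2), m.group(3))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.name:58} {f.target}")
```

Two caveats a practitioner would want here. The Winlogon rule reports only the appended program, because Shell must keep Explorer.exe and Userinit must keep userinit.exe; the fix is to remove the appended entry from the value, not the value itself. And "file missing" is only as good as HijackThis's path parsing: Apache2 is flagged because of the stray quote in its ImagePath while Apache.exe is listed among the running processes of the same log, so every orphaned-service hit should be checked against the process list before its service key is deleted.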
19.08.2006, 14:47
Member (thread starter)
Posts: 12
#9 If a reinstall can be avoided I'd be very glad; maybe we can still get the system clean, otherwise there's probably no way around it.

Logs attached.


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCREMOTE\0000]
"DeviceDesc"="Remote Procedure Call (RPC) Remote"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote]
"DisplayName"="Remote Procedure Call (RPC) Remote"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCREMOTE\0000]
"DeviceDesc"="Remote Procedure Call (RPC) Remote"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote]
"DisplayName"="Remote Procedure Call (RPC) Remote"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCREMOTE\0000]
"DeviceDesc"="Remote Procedure Call (RPC) Remote"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote]
"DisplayName"="Remote Procedure Call (RPC) Remote"

---------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dmremote.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}]
"LocalServer32"="dmremote.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}\LocalServer32]
@="dmremote.exe"
"ThreadingModel"="dmremote.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote]
; Contents of value:
; c:\winnt\system32\remote.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,72,65,\
6d,6f,74,65,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote]
; Contents of value:
; c:\winnt\system32\remote.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,72,65,\
6d,6f,74,65,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote]
; Contents of value:
; c:\winnt\system32\remote.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,72,65,\
6d,6f,74,65,2e,65,78,65,00

------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000]
"DeviceDesc"="Windows Network Security Management Service"

---------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\IE40.Controls]
"InstallINFFile"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\1\\RGI6.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup\OutlookExpress]
"InstallINFFile"="C:\\WINNT\\msdownld.tmp\\AS072726.tmp\\oeexcep.inf"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\ej-technologies\exe4j\temp]
"delete_file"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\2\\e4j6.tmp_dir21220\\exe4jlib.jar;"
"delete_dir"="C:\\DOKUME~1\\ADMINI~1\\LOKALE~1\\Temp\\2\\e4j6.tmp_dir21220;"

--------------------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000]
"DeviceDesc"="Microsoft Console"


--------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Identd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe]
"Path"="d:\\identd"
@="D:\\IdentD\\identalt\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000]
"Service"="DidentD"
"DeviceDesc"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDENTD\0000]
"Service"="Identd"
"DeviceDesc"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi\Parameters]
; Contents of value:
; QUANTUM FIREBALL
;
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00
"DisplayName"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Enum]
"0"="Root\\LEGACY_DIDENTD\\0000"

------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00
"DisplayName"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd\Enum]
"0"="Root\\LEGACY_IDENTD\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DIDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DIDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DIDENTD\0000]
"Service"="DidentD"
"DeviceDesc"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IDENTD\0000]
"Service"="Identd"
"DeviceDesc"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi\Parameters]
; Contents of value:
; QUANTUM FIREBALL
;
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00
"DisplayName"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD\Security]


--------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00
"DisplayName"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD\0000]
"Service"="DidentD"
"DeviceDesc"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD\0000]
"Service"="Identd"
"DeviceDesc"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
; Contents of value:
; QUANTUM FIREBALL
;
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00
"DisplayName"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Enum]
"0"="Root\\LEGACY_DIDENTD\\0000"

--------------

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00
"DisplayName"="Identd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd\Enum]
"0"="Root\\LEGACY_IDENTD\\0000"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\chm]
"a"="D:\\IdentD\\identd.chm"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\log]
"a"="D:\\IdentD\\identdlog.log"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList]
"b"="TinyIdentD.exe"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Tiny IdentD]

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Tiny IdentD]
"Logfile"="D:\\IdentD\\identdlog.log"

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\WinRAR\DialogEditHistory\ExtrPath]
"12"="D:\\IdentD"

----------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe]
@="D:\\IdentD\\identalt\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Identd]
"EventMessageFile"="d:\\IdentD\\Identd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd]
; Contents of value:
; d:\identd\identd.exe
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00

[HKEY_USERS\S-1-5-21-1606980848-484763869-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList]
"b"="TinyIdentD.exe"


-----------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000]
"Service"="DidentD"
"DeviceDesc"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi\Parameters]
; Contents of value:
; QUANTUM FIREBALL
;
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00
"DisplayName"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD\Enum]
"0"="Root\\LEGACY_DIDENTD\\0000"


----------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD\0000]
"Service"="DidentD"
"DeviceDesc"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
; Contents of value:
; QUANTUM FIREBALL
;
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"ImagePath"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,2e,65,78,\
65,00
"DisplayName"="DidentD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD\Enum]
"0"="Root\\LEGACY_DIDENTD\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD]
; Contents of value:
; d:\identd\didentd.exe
"EventMessageFile"=hex(2):44,3a,5c,49,64,65,6e,74,44,5c,64,69,64,65,6e,74,64,\
2e,65,78,65,00


----------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANGEL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANGEL-59935597\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANGEL-59935597\0000]
"Service"="AnGeL-59935597"
"DeviceDesc"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597]
"DisplayName"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597\Enum]
"0"="Root\\LEGACY_ANGEL-59935597\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANGEL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANGEL-59935597\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANGEL-59935597\0000]
"Service"="AnGeL-59935597"
"DeviceDesc"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AnGeL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AnGeL-59935597]
"DisplayName"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AnGeL-59935597\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597\0000]
"Service"="AnGeL-59935597"
"DeviceDesc"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597]
"DisplayName"="AnGeL-59935597"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597\Enum]
"0"="Root\\LEGACY_ANGEL-59935597\\0000"


-----------


O23 - Service: AnGeL-59935597 - (AnGeL-59935597) - - - D:\angelbot\AnGeL.exe
O23 - Service: AnGeL-68129770 - (AnGeL-68129770) - - - D:\angelbot2\AnGeL.exe
O23 - Service: AnGeL-82509427 - (AnGeL-82509427) - - - D:\angelbot6\AnGeL.exe
O23 - Service: AnGeL-87668793 - (AnGeL-87668793) - - - D:\angelbot5\AnGeL.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: Identd - Unknown owner - d:\IdentD\Identd.exe (file missing)
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe

Directory of C:\WINNT\system32

19.08.2006 14:43 9.609 .exe
19.08.2006 14:32 1.079 tupss.dll
19.08.2006 12:13 44.544 net32a.exe


Directory of C:\

19.08.2006 14:49 0 sys.txt
19.08.2006 14:49 9.474 system.txt
19.08.2006 14:49 347 systemtemp.txt
19.08.2006 14:48 97.102 system32.txt
19.08.2006 14:47 197.120 idhds.exe


Attachment: logs.txt
This post was edited on 19.08.2006 at 14:53 by Godzilla13.
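The registry dump above stores ImagePath as hex(2) (REG_EXPAND_SZ) and NeedIdentDevice as hex(7) (REG_MULTI_SZ), with the search tool adding the decoded text as ; comment lines. The following added example (not the search tool's own code) parses that .reg-style text offline and decodes the byte lists itself, so a dump can be checked without trusting the comments. The sample keys are copied from the dump; the tool's one-byte-per-character hex encoding versus regedit's UTF-16LE exports is told apart by a heuristic noted in the code.

```python
"""Parse .reg-style registry search output and decode its hex(2)/hex(7) values.

Added example, not the search tool's own code. The sample is copied from the output posted
above; the parser follows the .reg text format and handles both the tool's one-byte-per-
character hex and regedit's own UTF-16LE exports.
"""
import re

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote]
"DisplayName"="Remote Procedure Call (RPC) Remote"
; Contents of value:
; c:\winnt\system32\remote.exe
"ImagePath"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,72,65,\
6d,6f,74,65,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
"NeedIdentDevice"=hex(7):51,55,41,4e,54,55,4d,20,46,49,52,45,42,41,4c,4c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd]
"ImagePath"=hex(2):64,3a,5c,49,64,65,6e,74,44,5c,49,64,65,6e,74,64,2e,65,78,65,\
00
"DisplayName"="Identd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}\LocalServer32]
@="dmremote.exe"
"""

VALUE_LINE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _bytes_to_text(raw: bytes) -> str:
    # regedit exports string types as UTF-16LE (every second byte is 0 for ASCII text);
    # the search tool used in this thread wrote one byte per character instead.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decode_value(text: str):
    """Decode one .reg value: quoted string, dword, or hex/hex(N) byte list."""
    text = text.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if text.startswith("dword:"):
        return int(text[6:], 16)
    m = HEX_RE.match(text)
    if not m:
        return text
    reg_type = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (3)
    raw = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
    if reg_type == 2:  # REG_EXPAND_SZ, NUL-terminated
        return _bytes_to_text(raw).rstrip("\0")
    if reg_type == 7:  # REG_MULTI_SZ, NUL-separated, double NUL at the end
        return [s for s in _bytes_to_text(raw).split("\0") if s]
    return raw


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Map each [key] to its decoded values; comment lines (;) are ignored."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin hex lines continued with a backslash
    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = decode_value(m.group(2))
    return keys


def service_image_paths(keys: dict[str, dict[str, object]]) -> dict[str, str]:
    """Service short name -> decoded ImagePath, for every Services\\<name> key in the dump."""
    out: dict[str, str] = {}
    for key, values in keys.items():
        m = re.search(r"\\Services\\([^\\]+)$", key)
        if m and isinstance(values.get("ImagePath"), str):
            out[m.group(1)] = values["ImagePath"]
    return out


if __name__ == "__main__":
    for name, path in service_image_paths(parse_reg(SAMPLE_REG)).items():
        print(f"{name:12} {path}")
```

Running the whole dump through parse_reg and then service_image_paths yields the service short names with their binaries, which is the set the Avenger scripts in this thread remove key by key; on the sample it gives RpcRemote -> C:\WINNT\system32\remote.exe and Identd -> d:\IdentD\Identd.exe (the tool's comment lower-cases the path the bytes actually spell). Decoding also shows why search hits need reading before deletion: the string "identd" matched atapi's NeedIdentDevice, a legitimate driver parameter holding the disk model "QUANTUM FIREBALL", which is correctly absent from the delete list.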
19.08.2006, 15:04
Honorary member Sabina
Posts: 29434
#10 before we delete any further, do you know what this is ??

Quote

D:\angelbot

O23 - Service: AnGeL-59935597 - (AnGeL-59935597) - - - D:\angelbot\AnGeL.exe
O23 - Service: AnGeL-68129770 - (AnGeL-68129770) - - - D:\angelbot2\AnGeL.exe
O23 - Service: AnGeL-82509427 - (AnGeL-82509427) - - - D:\angelbot6\AnGeL.exe
O23 - Service: AnGeL-87668793 - (AnGeL-87668793) - - - D:\angelbot5\AnGeL.exe
I don't know whether it's malware or something the machine needs....
__________
Regards, Sabina

all about PC security
19.08.2006, 15:14
Member (thread starter)
Posts: 12
#11 That's an IRC bot, harmless and disabled for safety while we're searching around.
19.08.2006, 15:24
Honorary member Sabina
Posts: 29434
#12 I'll have it deleted along with the rest - IRC bot

Quote

registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCREMOTE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCREMOTE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCREMOTE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dmremote.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSCNLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSCNLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000

HKEY_LOCAL_MACHINE\SOFTWARE\Identd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDENTD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DIDENTD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IDENTD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Identd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANGEL-59935597
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANGEL-59935597
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AnGeL-59935597
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597

Files to delete:

D:\angelbot\AnGeL.exe
D:\angelbot2\AnGeL.exe
D:\angelbot6\AnGeL.exe
D:\angelbot5\AnGeL.exe
C:\WINNT\system32\dmremote.exe
C:\WINNT\dmremote.exe
C:\dmremote.exe
C:\WINNT\system32\.exe
C:\WINNT\system32\remote.exe
C:\WINNT\system32\tupss.dll
C:\WINNT\system32\net32a.exe
C:\idhds.exe

post the Avenger log

+
the HijackThis log again + the 4 logs from datfindbat
19.08.2006, 15:38
Member

Thread starter

Posts: 12
#13 I also installed an update pack in the meantime, which is probably where the new logs and DLLs come from. Windows Update is still being blocked by something...

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\brvsdhry

*******************

Script file located at: \??\C:\skackctk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RPCREMOTE\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RPCREMOTE\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCREMOTE\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCREMOTE\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RPCREMOTE\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS\0000 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NSMS\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSCNLS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSCNLS\0000 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSCNLS\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DIDENTD\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDENTD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DidentD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\DidentD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DIDENTD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IDENTD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DidentD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\DidentD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Identd deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DIDENTD
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDENTD
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DidentD
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DidentD
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Identd deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Identd deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANGEL-59935597 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AnGeL-59935597 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANGEL-59935597 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AnGeL-59935597 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANGEL-59935597
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnGeL-59935597
Status: 0xc0000034

File D:\angelbot\AnGeL.exe deleted successfully.
File D:\angelbot2\AnGeL.exe deleted successfully.
File D:\angelbot6\AnGeL.exe deleted successfully.
File D:\angelbot5\AnGeL.exe deleted successfully.
File C:\WINNT\system32\.exe deleted successfully.


File C:\WINNT\system32\remote.exe not found!
Deletion of file C:\WINNT\system32\remote.exe failed!

Could not process line:
C:\WINNT\system32\remote.exe
Status: 0xc0000034

File C:\WINNT\system32\tupss.dll deleted successfully.
File C:\WINNT\system32\net32a.exe deleted successfully.
File C:\idhds.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dmremote.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D485DDC0-49C6-11d1-8E56-00A0C92C9D5D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Identd deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Identd.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 15:39:33, on 19.08.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\llssrv.exe
D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
D:\Voiceserver\TeamSpeak2\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Voiceserver\TeamSpeak2\server_windows.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\Gene6 FTP Server\G6FTPTray.exe
C:\Programme\Uptime Project\client.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [Steam] "d:\martin\csserver\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mini-Relay] "D:\Programme\miniRelay\miniRelay.exe"
O4 - HKCU\..\Run: [ServerMonitor] "d:\Programme\RanaInside\ServerMonitor\ServerMonitor.exe" -s
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "d:\Programme\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKCU\..\Run: [Uptime-Project] C:\Programme\Uptime Project\client.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA258F7B-545B-4ACF-94D9-0980CBAF2C90}: NameServer = 213.202.193.165,213.202.250.188
O23 - Service: AnGeL-68129770 - (AnGeL-68129770) - Unknown owner - D:\angelbot2\AnGeL.exe (file missing)
O23 - Service: AnGeL-82509427 - (AnGeL-82509427) - Unknown owner - D:\angelbot6\AnGeL.exe (file missing)
O23 - Service: AnGeL-87668793 - (AnGeL-87668793) - Unknown owner - D:\angelbot5\AnGeL.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe




Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT\system32

19.08.2006 15:35 369 tupss.dll
18.08.2006 12:43 16.384 Perflib_Perfdata_5a4.dat
18.08.2006 12:13 16.384 Perflib_Perfdata_348.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b8.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b0.dat
14.08.2006 19:00 16.384 Perflib_Perfdata_354.dat
14.08.2006 01:06 16.384 Perflib_Perfdata_4d4.dat
25.07.2006 11:50 463.872 URLMON.DLL
24.07.2006 18:18 847.632 mmcndmgr.dll
24.07.2006 18:14 617.232 mmc.exe
21.07.2006 20:38 72.704 hlink.dll
14.07.2006 19:24 309.520 NETAPI32.DLL
14.07.2006 10:32 519.168 hhctrl.ocx
13.07.2006 12:39 2.387.216 SHELL32.DLL
06.07.2006 17:15 137.488 dnsapi.dll
06.07.2006 17:15 96.528 dnsrslvr.dll
06.07.2006 17:15 7.440 rasadhlp.dll
30.06.2006 10:51 2.703.872 MSHTML.DLL
23.06.2006 13:27 582.144 WININET.DLL
21.06.2006 17:47 161.040 rasmans.dll
21.06.2006 12:22 54.544 mpr.dll
21.06.2006 12:22 768.784 KERNEL32.DLL
16.06.2006 10:35 1.693.120 NTOSKRNL.EXE
16.06.2006 10:34 1.715.776 NTKRNLPA.EXE
09.06.2006 14:35 351.744 DXTMSFT.DLL
09.06.2006 14:35 192.512 DXTRANS.DLL
02.06.2006 11:04 57.384 avsda.dll
26.05.2006 15:49 1.339.904 SHDOCVW.DLL
19.05.2006 14:48 90.384 DHCPCSVC.DLL
19.05.2006 14:48 68.880 IPHLPAPI.DLL
17.05.2006 11:43 465.864 jscript.dll
03.05.2006 12:27 291.840 sp3res.dll
28.04.2006 10:58 12.288 JSPROXY.DLL
23.04.2006 10:00 52.496 mtxclu.dll
23.04.2006 10:00 20.240 xolehlp.dll
23.04.2006 10:00 153.872 msdtcui.dll
23.04.2006 10:00 1.202.448 msdtctm.dll
23.04.2006 10:00 740.112 msdtcprx.dll
23.04.2006 10:00 96.016 msdtclog.dll
23.04.2006 10:00 123.152 mtxoci.dll
13.04.2006 10:46 437.008 rpcrt4.dll
09.04.2006 04:33 176 start.bat
18.03.2006 15:21 21.264 verclsid.exe
03.03.2006 16:46 498.176 MSTIME.DLL
27.02.2006 14:25 44.032 MSIDENT.DLL
27.02.2006 14:25 50.688 INETRES.DLL
27.02.2006 14:25 229.376 MSOEACCT.DLL
27.02.2006 13:31 596.480 INETCOMM.DLL
27.02.2006 13:31 91.136 MSOERT2.DLL
24.02.2006 16:20 236.032 IEPEERS.DLL
22.02.2006 11:12 1.838.576 dtcsetup.exe

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT

19.08.2006 15:35 1.339.472 WindowsUpdate.log
19.08.2006 15:32 32.482 SchedLgU.Txt
19.08.2006 15:13 320.205 comsetup.log
19.08.2006 15:13 1.004.037 iis5.log
19.08.2006 15:13 209.628 tsoc.log
19.08.2006 15:13 2.714 imsins.log
19.08.2006 15:13 30.205 KB917422.log
19.08.2006 15:13 297.431 ocgen.log
19.08.2006 15:13 116.335 certocm.log
19.08.2006 15:13 59.219 LicenOc.log
19.08.2006 15:13 23.745 ockodak.log
19.08.2006 15:13 65.095 updspapi.log
19.08.2006 15:13 2.680 imsins.BAK
19.08.2006 15:13 27.971 KB920670.log
19.08.2006 15:13 28.500 KB920958.log
19.08.2006 15:12 24.830 KB922616.log
19.08.2006 15:12 24.788 KB921398.log
19.08.2006 15:12 24.231 KB917008.log
19.08.2006 15:12 283 setup.rpt
19.08.2006 15:12 957 setup.inf
19.08.2006 15:12 23.633 KB918899-IE6SP1-20060725.123917.log
19.08.2006 15:12 21.344 KB920683.log
19.08.2006 15:12 20.574 KB921883.log
19.08.2006 15:12 19.287 KB917537.log
19.08.2006 15:12 18.771 KB917159.log
19.08.2006 15:11 18.854 KB914388.log
19.08.2006 15:11 17.168 KB917344.log
19.08.2006 15:11 17.383 KB917736.log
19.08.2006 15:11 16.908 KB917953.log
19.08.2006 15:11 18.236 KB914389.log
19.08.2006 15:11 1.023 KB917734.log
19.08.2006 15:11 16.424 KB911280.log
19.08.2006 15:11 8.596 KB918439-IE6SP1-20060530.145346.log
19.08.2006 15:11 11.788 KB913580.log
19.08.2006 15:10 13.308 MDAC28SP1-KB911562-x86-DEU.log
19.08.2006 15:10 17.824 MDAC28-KB911562-x86-DEU.log
19.08.2006 15:10 20.710 MDAC27SP1-KB911562-x86-DEU.log
19.08.2006 15:10 15.069 MDAC25SP3-KB911562-x86-DEU.log
19.08.2006 15:10 7.824 KB908531.log
19.08.2006 15:10 7.620 KB911567-OE6SP1-20060316.165634.log
19.08.2006 15:10 6.052 KB911564.log
19.08.2006 15:10 7.025 KB908519.log
19.08.2006 15:10 7.445 KB912919.log
19.08.2006 15:10 8.984 KB905495-IE6SP1-20050805.184113.log
19.08.2006 15:10 16.305 dahotfix.log
19.08.2006 15:10 983 vminst.log
19.08.2006 15:09 3.090 KB887811.log
19.08.2006 15:09 2.780 KB829558.log
19.08.2006 15:09 5.813 KB897715-OE6SP1-20050503.210336.log
19.08.2006 15:09 3.705 KB898458.log
19.08.2006 15:09 323.152 setupapi.log
18.08.2006 22:37 229.264 ShellIconCache
16.08.2006 20:09 227 system.ini
16.08.2006 20:09 321 win.ini
03.02.2006 15:51 5.043 mozver.dat

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\

19.08.2006 15:41 0 sys.txt
19.08.2006 15:41 11.406 system.txt
19.08.2006 15:41 130 systemtemp.txt
19.08.2006 15:40 97.059 system32.txt
19.08.2006 15:34 17.280 avenger.txt
19.08.2006 15:34 792.723.456 pagefile.sys
19.08.2006 15:00 197.120 igdhds.exe
16.08.2006 20:09 186 boot.ini
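The Avenger log in this post is long and repetitive, and most of its failures are the same key reported a second time under the CurrentControlSet name. The following is an added example, not code from the thread or from The Avenger: a Python summariser for the posted log format that separates deletions from failures, names the NT status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND), and marks a failed CurrentControlSet key as already gone when the same key under ControlSet001 or ControlSet002 was deleted in the same run, since CurrentControlSet is a link to the active ControlSet00N. The sample log is constructed from the format shown above.

```python
"""Summarise an Avenger log: what was removed, what failed, and why.

Added example for this thread; not code from the forum or from The Avenger.
It reads the log format posted above: "Registry key <key> deleted successfully.",
"File <path> deleted successfully.", and the failure record
"Deletion of <kind> <path> failed!" followed by "Status: 0x<code>".
"""
import re

# NT status code seen in the posted log; name per Microsoft's ntstatus.h.
NT_STATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_RE = re.compile(r"^(Registry key|File) (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (registry key|file) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")

# CurrentControlSet is a link to whichever ControlSet00N is active, so a key
# deleted via ControlSet001 is "not found" when addressed again via
# CurrentControlSet. (A raw string cannot end in a backslash, hence the join.)
CCS_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" + "\\"
CSN_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00"

# Constructed sample in the format of the Avenger log posted in the thread.
SAMPLE_LOG = r"""
Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcRemote deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcRemote deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcRemote
Status: 0xc0000034

File D:\angelbot\AnGeL.exe deleted successfully.


File C:\WINNT\system32\remote.exe not found!
Deletion of file C:\WINNT\system32\remote.exe failed!
Status: 0xc0000034

Completed script processing.
"""


def parse_avenger_log(text):
    """Return (deleted, failed): deleted = [(kind, path)], failed = [(kind, path, status)]."""
    lines = [line.strip() for line in text.splitlines()]
    deleted, failed = [], []
    for i, line in enumerate(lines):
        m = DELETED_RE.match(line)
        if m:
            deleted.append((m.group(1).lower(), m.group(2)))
            continue
        m = FAILED_RE.match(line)
        if m:
            # The "Status:" line follows within a few lines, with or without
            # the intervening "Could not process line:" block.
            status = None
            for look in lines[i + 1:i + 5]:
                sm = STATUS_RE.match(look)
                if sm:
                    status = int(sm.group(1), 16)
                    break
            failed.append((m.group(1).lower(), m.group(2), status))
    return deleted, failed


def summarize(text):
    """Group failures by NT status and separate CurrentControlSet aliases of
    keys already deleted in the same run from items that still need a look."""
    deleted, failed = parse_avenger_log(text)
    deleted_paths = {path.lower() for _, path in deleted}
    report = {"deleted": len(deleted), "by_status": {}, "already_gone": [], "needs_check": []}
    for kind, path, status in failed:
        name = NT_STATUS.get(status, ("0x%08X" % status) if status is not None else "unknown")
        report["by_status"].setdefault(name, []).append(path)
        if kind == "registry key" and path.upper().startswith(CCS_PREFIX.upper()):
            tail = path[len(CCS_PREFIX):]
            twins = [(CSN_PREFIX + str(n) + "\\" + tail).lower() for n in (1, 2)]
            if status == 0xC0000034 and any(t in deleted_paths for t in twins):
                report["already_gone"].append(path)
                continue
        report["needs_check"].append(path)
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a saved avenger.txt by passing the file contents to summarize(); whatever lands in needs_check is what still deserves a manual look.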
19.08.2006, 15:42
Honorary member
Avatar Sabina

Posts: 29434
#14 virustotal
At the top of the page --> click Browse --> paste in the file with its correct path --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html

C:\WINNT\system32\tupss.dll
C:\igdhds.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\URLMON.DLL
C:\WINNT\system32\mmcndmgr.dll
C:\WINNT\system32\mmc.exe

post the reports here

--------------------------------------------------------------------

C:\WINNT\system32\tupss.dll
C:\igdhds.exe


-> rename the DLL and the EXE to .old and restart the machine.
then post the 4 logs from datfindbat again
19.08.2006, 16:59
Member

Thread starter

Posts: 12
#15 C:\WINNT\system32\tupss.dll

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.19.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.19.2006 no virus found
DrWeb 4.33 08.19.2006 no virus found
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 no virus found
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.18.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.19.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 no virus found
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.19.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.18.2006 no virus found


Aditional Information
File size: 369 bytes
MD5: 2831066ab749c540cf1bc445ea1f80ec
SHA1: a4e8292ba9a9e96019a0a93c0dc60650e3f2493d


C:\igdhds.exe

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 Worm/Rbot.aem
Authentium 4.93.8 08.19.2006 W32/Sdbot.MDJ
Avast 4.7.844.0 08.18.2006 Win32:Rbot-AMU
AVG 386 08.18.2006 IRC/BackDoor.SdBot.LTE
BitDefender 7.2 08.19.2006 Backdoor.Rbot.AEM
CAT-QuickHeal 8.00 08.18.2006 Backdoor.Rbot.aem
ClamAV devel-20060426 08.19.2006 Trojan.Mybot-5151
DrWeb 4.33 08.19.2006 Win32.IRC.Bot
eTrust-InoculateIT 23.72.101 08.18.2006 Win32/SdBot.197120!Trojan
eTrust-Vet 30.3.3026 08.18.2006 Win32/Rbot.DSV
Ewido 4.0 08.19.2006 Backdoor.Rbot.aem
Fortinet 2.77.0.0 08.18.2006 W32/RBot.AEM!worm
F-Prot 3.16f 08.18.2006 security risk named W32/Sdbot.MDJ
F-Prot4 4.2.1.29 08.19.2006 W32/Sdbot.MDJ
Ikarus 0.2.65.0 08.18.2006 Backdoor.Win32.Rbot.aem
Kaspersky 4.0.2.24 08.19.2006 Backdoor.Win32.Rbot.aem
McAfee 4832 08.18.2006 W32/Sdbot.worm.gen.n
Microsoft 1.1560 08.17.2006 Backdoor:Win32/Rbot!C998
NOD32v2 1.1715 08.18.2006 Win32/Poebot
Norman 5.90.23 08.18.2006 W32/Spybot.WHC
Panda 9.0.0.4 08.19.2006 W32/Gaobot.MCA.worm
Sophos 4.08.0 08.19.2006 W32/Poebot-O
Symantec 8.0 08.19.2006 W32.Linkbot.A
TheHacker 5.9.8.195 08.18.2006 Backdoor/Rbot.aem
UNA 1.83 08.18.2006 Backdoor.Rbot.B48C
VBA32 3.11.0 08.18.2006 Backdoor.Win32.Rbot.aem
VirusBuster 4.3.7:9 08.18.2006 Worm.RBot.DUK


Aditional Information
File size: 197120 bytes
MD5: 98c9d4aa693a38a40468571479676299
SHA1: 1c8a3d4fe8b6997ace807d8ff36829ab5584c2b5


C:\WINNT\system32\Dfssvc.exe

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.19.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.19.2006 no virus found
DrWeb 4.33 08.19.2006 no virus found
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 no virus found
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.18.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.19.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 no virus found
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.19.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.18.2006 no virus found

C:\WINNT\system32\URLMON.DLL

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.19.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.19.2006 no virus found
DrWeb 4.33 08.19.2006 no virus found
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 no virus found
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.18.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.19.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 no virus found
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.19.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.18.2006 no virus found


Aditional Information
File size: 463872 bytes
MD5: e68c60bd3ccd5553378253ed35b37b25
SHA1: 5b2266642bf058f378b980a1cc5ad3da623ab98c


C:\WINNT\system32\mmcndmgr.dll

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.19.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.19.2006 no virus found
DrWeb 4.33 08.19.2006 no virus found
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 no virus found
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.18.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.19.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 no virus found
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.19.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.18.2006 no virus found


Aditional Information
File size: 847632 bytes
MD5: 3d70a3bcfad4ed8b0b388a2ea1e604c3


C:\WINNT\system32\mmc.exe

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.19.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.19.2006 no virus found
DrWeb 4.33 08.19.2006 no virus found
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 no virus found
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.18.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.19.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 no virus found
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.19.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.18.2006 no virus found


Aditional Information
File size: 617232 bytes
MD5: 08b9f18638996a6b11f4f11619f82378
SHA1: b686188ad5e138048f21c435ce8bec6d3b019f9c




Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT\system32

19.08.2006 15:51 369 tupss.dll
19.08.2006 15:35 369 tupss.dll.old
18.08.2006 12:43 16.384 Perflib_Perfdata_5a4.dat
18.08.2006 12:13 16.384 Perflib_Perfdata_348.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b8.dat
17.08.2006 20:28 16.384 Perflib_Perfdata_4b0.dat
14.08.2006 19:00 16.384 Perflib_Perfdata_354.dat
14.08.2006 01:06 16.384 Perflib_Perfdata_4d4.dat
25.07.2006 11:50 463.872 URLMON.DLL
24.07.2006 18:18 847.632 mmcndmgr.dll
24.07.2006 18:14 617.232 mmc.exe
21.07.2006 20:38 72.704 hlink.dll
14.07.2006 19:24 309.520 NETAPI32.DLL
14.07.2006 10:32 519.168 hhctrl.ocx
13.07.2006 12:39 2.387.216 SHELL32.DLL
06.07.2006 17:15 96.528 dnsrslvr.dll
06.07.2006 17:15 137.488 dnsapi.dll
06.07.2006 17:15 7.440 rasadhlp.dll
30.06.2006 10:51 2.703.872 MSHTML.DLL
23.06.2006 13:27 582.144 WININET.DLL
21.06.2006 17:47 161.040 rasmans.dll
21.06.2006 12:22 768.784 KERNEL32.DLL
21.06.2006 12:22 54.544 mpr.dll
16.06.2006 10:35 1.693.120 NTOSKRNL.EXE
16.06.2006 10:34 1.715.776 NTKRNLPA.EXE
09.06.2006 14:35 351.744 DXTMSFT.DLL
09.06.2006 14:35 192.512 DXTRANS.DLL
02.06.2006 11:04 57.384 avsda.dll
26.05.2006 15:49 1.339.904 SHDOCVW.DLL
19.05.2006 14:48 90.384 DHCPCSVC.DLL
19.05.2006 14:48 68.880 IPHLPAPI.DLL
17.05.2006 11:43 465.864 jscript.dll
03.05.2006 12:27 291.840 sp3res.dll

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT

19.08.2006 15:51 1.341.678 WindowsUpdate.log
19.08.2006 15:49 32.482 SchedLgU.Txt
19.08.2006 15:49 257.974 ShellIconCache
19.08.2006 15:13 320.205 comsetup.log
19.08.2006 15:13 1.004.037 iis5.log
19.08.2006 15:13 209.628 tsoc.log
19.08.2006 15:13 2.714 imsins.log
19.08.2006 15:13 30.205 KB917422.log
19.08.2006 15:13 297.431 ocgen.log
19.08.2006 15:13 23.745 ockodak.log
19.08.2006 15:13 116.335 certocm.log
19.08.2006 15:13 59.219 LicenOc.log
19.08.2006 15:13 65.095 updspapi.log
19.08.2006 15:13 2.680 imsins.BAK
19.08.2006 15:13 27.971 KB920670.log
19.08.2006 15:13 28.500 KB920958.log
19.08.2006 15:12 24.830 KB922616.log
19.08.2006 15:12 24.788 KB921398.log
19.08.2006 15:12 24.231 KB917008.log
19.08.2006 15:12 283 setup.rpt
19.08.2006 15:12 957 setup.inf
19.08.2006 15:12 23.633 KB918899-IE6SP1-20060725.123917.log
19.08.2006 15:12 21.344 KB920683.log
19.08.2006 15:12 20.574 KB921883.log
19.08.2006 15:12 19.287 KB917537.log
19.08.2006 15:12 18.771 KB917159.log
19.08.2006 15:11 18.854 KB914388.log
19.08.2006 15:11 17.168 KB917344.log
19.08.2006 15:11 17.383 KB917736.log
19.08.2006 15:11 16.908 KB917953.log
19.08.2006 15:11 18.236 KB914389.log
19.08.2006 15:11 1.023 KB917734.log
19.08.2006 15:11 16.424 KB911280.log
19.08.2006 15:11 8.596 KB918439-IE6SP1-20060530.145346.log
19.08.2006 15:11 11.788 KB913580.log
19.08.2006 15:10 13.308 MDAC28SP1-KB911562-x86-DEU.log
19.08.2006 15:10 17.824 MDAC28-KB911562-x86-DEU.log
19.08.2006 15:10 20.710 MDAC27SP1-KB911562-x86-DEU.log
19.08.2006 15:10 15.069 MDAC25SP3-KB911562-x86-DEU.log
19.08.2006 15:10 7.824 KB908531.log
19.08.2006 15:10 7.620 KB911567-OE6SP1-20060316.165634.log
19.08.2006 15:10 6.052 KB911564.log
19.08.2006 15:10 7.025 KB908519.log
19.08.2006 15:10 7.445 KB912919.log
19.08.2006 15:10 8.984 KB905495-IE6SP1-20050805.184113.log
19.08.2006 15:10 16.305 dahotfix.log
19.08.2006 15:10 983 vminst.log
19.08.2006 15:09 3.090 KB887811.log
19.08.2006 15:09 2.780 KB829558.log
19.08.2006 15:09 5.813 KB897715-OE6SP1-20050503.210336.log
19.08.2006 15:09 3.705 KB898458.log
19.08.2006 15:09 323.152 setupapi.log
16.08.2006 20:09 227 system.ini
16.08.2006 20:09 321 win.ini
03.02.2006 15:51 5.043 mozver.dat

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\

19.08.2006 17:03 0 sys.txt
19.08.2006 17:03 11.406 system.txt
19.08.2006 17:03 130 systemtemp.txt
19.08.2006 17:02 97.113 system32.txt
19.08.2006 15:50 792.723.456 pagefile.sys
19.08.2006 15:34 17.280 avenger.txt
19.08.2006 15:00 197.120 igdhds.exe.old
16.08.2006 20:09 186 boot.ini
30.10.2005 09:41 17.807.826 AVG7DB_F.DAT
06.09.2005 08:00 5.320.817 AVG7QT.DAT
05.09.2005 08:05 952.320 AVG6DB_F.DAT
28.10.2004 04:35 19 READY.TXT
28.10.2004 04:27 512 BOOTSECT.DOS
28.10.2004 03:46 0 IO.SYS
28.10.2004 03:46 0 CONFIG.SYS
28.10.2004 03:46 0 AUTOEXEC.BAT
28.10.2004 03:46 0 MSDOS.SYS
16.02.2004 19:44 43 clean.bat
19.06.2003 12:05 216.096 ntldr
19.06.2003 12:05 34.724 NTDETECT.COM
19.06.2003 11:05 15.690 ftp.exe
08.05.2001 13:00 29.986 dupa.exe
22 Datei(en) 817.424.724 Bytes
0 Verzeichnis(se), 4.666.315.776 Bytes frei