Trojan TR/Proxy.Bary.FL and probably more besides
18.08.2006, 13:16
Member
Posts: 12
#0
18.08.2006, 15:02
Honorary member
Posts: 29434
#2
Godzilla13,
set up CleanUp exactly as described here: http://virus-protect.org/cleanup.html

Copy out these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months) http://virus-protect.org/datfindbat.html
__________
Kind regards, Sabina
all about PC security
18.08.2006, 16:30
Member
Thread starter, Posts: 12
#3
I had already run CleanUp that way before the log above, except for "Delete Prefetch files", which could not be ticked.

```text
Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT\system32

18.08.2006  16:22            72 requests.dat
18.08.2006  16:07            72 requests.dat.bak
18.08.2006  15:56        44.544 .exe
18.08.2006  12:52           618 perfdiskprocmon.dat
18.08.2006  12:51        55.035 spcmdntidos.sys
18.08.2006  12:43        16.384 Perflib_Perfdata_5a4.dat
18.08.2006  12:13        16.384 Perflib_Perfdata_348.dat
17.08.2006  20:28        16.384 Perflib_Perfdata_4b8.dat
17.08.2006  20:28        16.384 Perflib_Perfdata_4b0.dat
17.08.2006  18:02       186.368 rkxa.exe
16.08.2006  21:08       186.368 qfnodobv.exe
15.08.2006  09:39        24.665 C.tmp
15.08.2006  09:08        24.665 B.tmp
15.08.2006  05:20        24.665 8.tmp
15.08.2006  04:30        24.665 7.tmp
15.08.2006  01:18        24.665 6.tmp
14.08.2006  19:00        16.384 Perflib_Perfdata_354.dat
14.08.2006  01:13        13.132 msibot.cfg
14.08.2006  01:06        16.384 Perflib_Perfdata_4d4.dat
14.08.2006  01:02     1.343.147 nt.exe
02.06.2006  11:04        57.384 avsda.dll
09.04.2006  04:33           176 start.bat

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\2

18.08.2006  14:37     6.595.543 psplist.txt
18.08.2006  14:37     1.985.392 ranges65504.zip
18.08.2006  14:36       171.549 webui_1.6.7.zip
18.08.2006  14:35           683 AZU34104.tmp
18.08.2006  14:35         5.233 AZU34103.tmp
18.08.2006  14:34     1.985.392 ranges34084.zip
               6 Datei(en)     10.743.792 Bytes
               0 Verzeichnis(se), 5.006.460.928 Bytes frei

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT

18.08.2006  12:54     2.063.161 WindowsUpdate.log
18.08.2006  12:49        32.482 SchedLgU.Txt
17.08.2006  18:06       309.714 setupapi.log
17.08.2006  17:49       199.346 ShellIconCache
16.08.2006  20:09           227 system.ini
16.08.2006  20:09           321 win.ini
14.08.2006  01:32           786 KB921883.log

Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\

18.08.2006  16:33             0 sys.txt
18.08.2006  16:33         9.425 system.txt
18.08.2006  16:33           567 systemtemp.txt
18.08.2006  16:32        97.502 system32.txt
18.08.2006  12:51   792.723.456 pagefile.sys
16.08.2006  20:09           186 boot.ini
```
18.08.2006, 21:46
Honorary member
Posts: 29434
#4
1.
Download Registry Search by Bobbi Flekman http://virus-protect.org/artikel/tools/regsearch.html and double-click to start it. In "Enter search strings" type or paste:
spcmdntidos
into the edit box and click "Ok". Notepad will open; copy the text and post it.
Do the same with:
Windows Network Security Management Service
Microsoft Console
Windows Genuine Advantage Registration Service
mscnslskrnl.exe
6.tmp

2.
ServiceFilter.zip http://virus-protect.org/artikel/tools/ServiceFilter.zip
- unzip it
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy out POST_THIS.TXT

3.
Avenger http://virus-protect.org/artikel/tools/avenger.html
paste in:
Quote:
Files to delete:

Click the green traffic light; the script will now run, then the PC will restart automatically.

4.
Post the Avenger log that appears after the restart.

5.
Open HijackThis -- button "Scan" -- tick the entries -- button "Fix checked" -- restart the PC
Quote:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\6.tmp

Restart the PC.
18.08.2006, 22:34
Member
Thread starter, Posts: 12
#5
Another virus scanner has given me a new name for it:
Trojan-Proxy.Win32.Ranky.gen
It could not remove the trojan, though. Here are the logs:

1. Download Registry Search by Bobbi Flekman
Quote:
REGEDIT4

2. ServiceFilter.zip
Quote:
The script did not recognize the services listed below.

4. Avenger log
Quote:
//////////////////////////////////////////

Here is the new HijackThis log after the reboot:
Quote:
Logfile of HijackThis v1.99.1

This post was edited on 18.08.2006 at 22:47 by Godzilla13.
18.08.2006, 23:07
Honorary member
Posts: 29434
#6
Post the 4 datfindbat logs again (going back to 2005),
then we will clean the registry as well............
19.08.2006, 12:06
Member
Thread starter, Posts: 12
#7
Quote:
Datenträger in Laufwerk C: ist SYSTEM
19.08.2006, 12:40
Honorary member
Posts: 29434
#8
Honestly: you should format.... the machine is totally compromised..........
http://virus-protect.org/artikel/dienste/wgareg.html

Avenger
Quote:
registry keys to delete:

** post the Avenger log
~~~~~~~~~~~~~~~~~~~~~~~~
Go into the registry: Start - Run - regedit
Edit - Find - 6.tmp -> delete only the part marked in red !!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp" -> delete

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\6.tmp" -> delete
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\6.tmp" -> delete

Restart the PC
------------------------------------------------------------------------
In "Enter search strings" type or paste:
spcmdntidos
into the edit box and click "Ok". Notepad will open; copy the text and post it.
Windows Genuine Advantage Registration Service
Remote Procedure Call (RPC) Remote
remote.exe
Windows Network Security Management Service
6.tmp
Microsoft Console
mscnslskrnl.exe
Identd
identd.exe
DidentD
AnGeL-59935597

+ post the new HijackThis log
+ the 4 datfindbat logs again
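As an added example (not part of the thread and not one of Sabina's tools), a small Python audit of the persistence pattern quoted in the post above: it parses lines in the .reg export syntax that Registry Search prints, flags anything appended to the Winlogon "Shell" and "Userinit" values beyond their Windows defaults and any Run entry whose target is not an executable, and shows what the cleaned values would look like. The sample export is constructed from the three values in the post; the default basenames and the extension allowlist are assumptions of the example.

```python
"""Audit autostart values from a .reg-style export for appended payloads.

Added example, not from the thread: the persistence quoted in the post is a
second executable tacked onto the Winlogon "Shell" and "Userinit" values plus
a Run entry whose target is a .tmp file in system32.  The sample export below
is constructed from the three values quoted in the post, not captured from
the affected machine.
"""
import ntpath
import re

# Basenames Windows 2000/XP write by default (assumed here).  Shell is a
# space-separated list, Userinit a comma-separated list; anything else in
# them is foreign.
EXPECTED_WINLOGON = {
    "Shell": {"explorer.exe"},
    "Userinit": {"userinit.exe"},
}

# Extensions a Run entry normally launches directly; a .tmp target is flagged.
RUN_TARGET_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}

# Constructed sample in .reg syntax (regedit doubles backslashes on export).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft (R) Windows Network Security Management Service"="C:\\WINNT\\system32\\6.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\6.tmp"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\6.tmp"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for every REG_SZ line."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def _components(name, data):
    """Split a Winlogon value into its executable components."""
    parts = data.split(",") if name == "Userinit" else data.split()
    return [p.strip() for p in parts if p.strip()]


def _run_target(data):
    """Executable a Run value launches: the quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def audit_export(text):
    """Return (key_tail, value_name, offending_path) for every suspect entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        tail = key.rsplit("\\", 1)[-1]
        if tail == "Winlogon" and name in EXPECTED_WINLOGON:
            for comp in _components(name, data):
                if ntpath.basename(comp).lower() not in EXPECTED_WINLOGON[name]:
                    findings.append((tail, name, comp))
        elif tail in ("Run", "RunOnce"):
            target = _run_target(data)
            if ntpath.splitext(target)[1].lower() not in RUN_TARGET_EXTENSIONS:
                findings.append((tail, name, target))
    return findings


def sanitized_value(name, data):
    """The Winlogon value with foreign components removed; Userinit keeps the
    trailing comma that Windows writes by default."""
    keep = [c for c in _components(name, data)
            if ntpath.basename(c).lower() in EXPECTED_WINLOGON[name]]
    return ",".join(keep) + "," if name == "Userinit" else " ".join(keep)


if __name__ == "__main__":
    for tail, name, path in audit_export(SAMPLE_EXPORT):
        print(f"{tail}\\{name}: foreign component {path}")
```

Run against a real export, the output tells you which component of a value to remove rather than the whole value, which is the distinction the post's "only the part marked in red" relies on.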
19.08.2006, 14:47
Member
Thread starter, Posts: 12
#9
If a reinstall can be avoided I would be very glad; maybe we can still get the system clean, otherwise there is probably no way around it.
Logs in the attachment.
```text
O23 - Service: AnGeL-59935597 - (AnGeL-59935597) -  - - D:\angelbot\AnGeL.exe
O23 - Service: AnGeL-68129770 - (AnGeL-68129770) -  - - D:\angelbot2\AnGeL.exe
O23 - Service: AnGeL-82509427 - (AnGeL-82509427) -  - - D:\angelbot6\AnGeL.exe
O23 - Service: AnGeL-87668793 - (AnGeL-87668793) -  - - D:\angelbot5\AnGeL.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: Identd - Unknown owner - d:\IdentD\Identd.exe (file missing)
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe

Verzeichnis von C:\WINNT\system32

19.08.2006  14:43         9.609 .exe
19.08.2006  14:32         1.079 tupss.dll
19.08.2006  12:13        44.544 net32a.exe

Verzeichnis von C:\

19.08.2006  14:49             0 sys.txt
19.08.2006  14:49         9.474 system.txt
19.08.2006  14:49           347 systemtemp.txt
19.08.2006  14:48        97.102 system32.txt
19.08.2006  14:47       197.120 idhds.exe
```

Attachment: logs.txt

This post was edited on 19.08.2006 at 14:53 by Godzilla13.
19.08.2006, 15:04
Honorary member
Posts: 29434
#10
Before we delete anything further, do you know what this is??
Quote:
D:\angelbot

I don't know whether it is malware or something the machine needs....
19.08.2006, 15:14
Member
Thread starter, Posts: 12
#11
That is an IRC bot, harmless, and disabled as a precaution while we are searching around.
19.08.2006, 15:24
Honorary member
Posts: 29434
#12
I'll have it deleted along with the rest - IRC bot
Quote:
registry keys to delete:

post the Avenger log + the HijackThis log again + the 4 datfindbat logs
19.08.2006, 15:38
Member
Thread starter, Posts: 12
#13
I also installed an update pack on the side, hence probably the new logs and DLLs. Windows Update is still being blocked by something...
Quote:
Logfile of The Avenger version 1, by Swandog46
19.08.2006, 15:42
Honorary member
Posts: 29434
#14
virustotal
At the top of the page --> click Browse --> paste in the file with its correct path --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html
C:\WINNT\system32\tupss.dll
C:\igdhds.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\URLMON.DLL
C:\WINNT\system32\mmcndmgr.dll
C:\WINNT\system32\mmc.exe
post the reports here
--------------------------------------------------------------------
C:\WINNT\system32\tupss.dll
C:\igdhds.exe
-> rename the dll and the exe to .old and restart the machine.
Then post the 4 datfindbat logs again.
19.08.2006, 16:59
Member
Thread starter, Posts: 12
#15
VirusTotal results for the six files (same engine versions and signature dates for every file):

| Antivirus | Version | Update | C:\WINNT\system32\tupss.dll | C:\igdhds.exe | C:\WINNT\system32\Dfssvc.exe | C:\WINNT\system32\URLMON.DLL | C:\WINNT\system32\mmcndmgr.dll | C:\WINNT\system32\mmc.exe |
|---|---|---|---|---|---|---|---|---|
| AntiVir | 6.35.1.3 | 08.18.2006 | no virus found | Worm/Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| Authentium | 4.93.8 | 08.19.2006 | no virus found | W32/Sdbot.MDJ | no virus found | no virus found | no virus found | no virus found |
| Avast | 4.7.844.0 | 08.18.2006 | no virus found | Win32:Rbot-AMU | no virus found | no virus found | no virus found | no virus found |
| AVG | 386 | 08.18.2006 | no virus found | IRC/BackDoor.SdBot.LTE | no virus found | no virus found | no virus found | no virus found |
| BitDefender | 7.2 | 08.19.2006 | no virus found | Backdoor.Rbot.AEM | no virus found | no virus found | no virus found | no virus found |
| CAT-QuickHeal | 8.00 | 08.18.2006 | no virus found | Backdoor.Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| ClamAV | devel-20060426 | 08.19.2006 | no virus found | Trojan.Mybot-5151 | no virus found | no virus found | no virus found | no virus found |
| DrWeb | 4.33 | 08.19.2006 | no virus found | Win32.IRC.Bot | no virus found | no virus found | no virus found | no virus found |
| eTrust-InoculateIT | 23.72.101 | 08.18.2006 | no virus found | Win32/SdBot.197120!Trojan | no virus found | no virus found | no virus found | no virus found |
| eTrust-Vet | 30.3.3026 | 08.18.2006 | no virus found | Win32/Rbot.DSV | no virus found | no virus found | no virus found | no virus found |
| Ewido | 4.0 | 08.19.2006 | no virus found | Backdoor.Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| Fortinet | 2.77.0.0 | 08.18.2006 | no virus found | W32/RBot.AEM!worm | no virus found | no virus found | no virus found | no virus found |
| F-Prot | 3.16f | 08.18.2006 | no virus found | security risk named W32/Sdbot.MDJ | no virus found | no virus found | no virus found | no virus found |
| F-Prot4 | 4.2.1.29 | 08.19.2006 | no virus found | W32/Sdbot.MDJ | no virus found | no virus found | no virus found | no virus found |
| Ikarus | 0.2.65.0 | 08.18.2006 | no virus found | Backdoor.Win32.Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| Kaspersky | 4.0.2.24 | 08.19.2006 | no virus found | Backdoor.Win32.Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| McAfee | 4832 | 08.18.2006 | no virus found | W32/Sdbot.worm.gen.n | no virus found | no virus found | no virus found | no virus found |
| Microsoft | 1.1560 | 08.17.2006 | no virus found | Backdoor:Win32/Rbot!C998 | no virus found | no virus found | no virus found | no virus found |
| NOD32v2 | 1.1715 | 08.18.2006 | no virus found | Win32/Poebot | no virus found | no virus found | no virus found | no virus found |
| Norman | 5.90.23 | 08.18.2006 | no virus found | W32/Spybot.WHC | no virus found | no virus found | no virus found | no virus found |
| Panda | 9.0.0.4 | 08.19.2006 | no virus found | W32/Gaobot.MCA.worm | no virus found | no virus found | no virus found | no virus found |
| Sophos | 4.08.0 | 08.19.2006 | no virus found | W32/Poebot-O | no virus found | no virus found | no virus found | no virus found |
| Symantec | 8.0 | 08.19.2006 | no virus found | W32.Linkbot.A | no virus found | no virus found | no virus found | no virus found |
| TheHacker | 5.9.8.195 | 08.18.2006 | no virus found | Backdoor/Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| UNA | 1.83 | 08.18.2006 | no virus found | Backdoor.Rbot.B48C | no virus found | no virus found | no virus found | no virus found |
| VBA32 | 3.11.0 | 08.18.2006 | no virus found | Backdoor.Win32.Rbot.aem | no virus found | no virus found | no virus found | no virus found |
| VirusBuster | 4.3.7:9 | 08.18.2006 | no virus found | Worm.RBot.DUK | no virus found | no virus found | no virus found | no virus found |

Additional information reported per file:

- C:\WINNT\system32\tupss.dll: file size 369 bytes, MD5 2831066ab749c540cf1bc445ea1f80ec, SHA1 a4e8292ba9a9e96019a0a93c0dc60650e3f2493d
- C:\igdhds.exe: file size 197120 bytes, MD5 98c9d4aa693a38a40468571479676299, SHA1 1c8a3d4fe8b6997ace807d8ff36829ab5584c2b5
- C:\WINNT\system32\URLMON.DLL: file size 463872 bytes, MD5 e68c60bd3ccd5553378253ed35b37b25, SHA1 5b2266642bf058f378b980a1cc5ad3da623ab98c
- C:\WINNT\system32\mmcndmgr.dll: file size 847632 bytes, MD5 3d70a3bcfad4ed8b0b388a2ea1e604c3
- C:\WINNT\system32\mmc.exe: file size 617232 bytes, MD5 08b9f18638996a6b11f4f11619f82378, SHA1 b686188ad5e138048f21c435ce8bec6d3b019f9c

```text
Datenträger in Laufwerk C: ist SYSTEM
Datenträgernummer: DC3C-4F67

Verzeichnis von C:\WINNT\system32

19.08.2006  15:51           369 tupss.dll
19.08.2006  15:35           369
```
tupss.dll.old 18.08.2006 12:43 16.384 Perflib_Perfdata_5a4.dat 18.08.2006 12:13 16.384 Perflib_Perfdata_348.dat 17.08.2006 20:28 16.384 Perflib_Perfdata_4b8.dat 17.08.2006 20:28 16.384 Perflib_Perfdata_4b0.dat 14.08.2006 19:00 16.384 Perflib_Perfdata_354.dat 14.08.2006 01:06 16.384 Perflib_Perfdata_4d4.dat 25.07.2006 11:50 463.872 URLMON.DLL 24.07.2006 18:18 847.632 mmcndmgr.dll 24.07.2006 18:14 617.232 mmc.exe 21.07.2006 20:38 72.704 hlink.dll 14.07.2006 19:24 309.520 NETAPI32.DLL 14.07.2006 10:32 519.168 hhctrl.ocx 13.07.2006 12:39 2.387.216 SHELL32.DLL 06.07.2006 17:15 96.528 dnsrslvr.dll 06.07.2006 17:15 137.488 dnsapi.dll 06.07.2006 17:15 7.440 rasadhlp.dll 30.06.2006 10:51 2.703.872 MSHTML.DLL 23.06.2006 13:27 582.144 WININET.DLL 21.06.2006 17:47 161.040 rasmans.dll 21.06.2006 12:22 768.784 KERNEL32.DLL 21.06.2006 12:22 54.544 mpr.dll 16.06.2006 10:35 1.693.120 NTOSKRNL.EXE 16.06.2006 10:34 1.715.776 NTKRNLPA.EXE 09.06.2006 14:35 351.744 DXTMSFT.DLL 09.06.2006 14:35 192.512 DXTRANS.DLL 02.06.2006 11:04 57.384 avsda.dll 26.05.2006 15:49 1.339.904 SHDOCVW.DLL 19.05.2006 14:48 90.384 DHCPCSVC.DLL 19.05.2006 14:48 68.880 IPHLPAPI.DLL 17.05.2006 11:43 465.864 jscript.dll 03.05.2006 12:27 291.840 sp3res.dll Datentr„ger in Laufwerk C: ist SYSTEM Datentr„gernummer: DC3C-4F67 Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1 Datentr„ger in Laufwerk C: ist SYSTEM Datentr„gernummer: DC3C-4F67 Verzeichnis von C:\WINNT 19.08.2006 15:51 1.341.678 WindowsUpdate.log 19.08.2006 15:49 32.482 SchedLgU.Txt 19.08.2006 15:49 257.974 ShellIconCache 19.08.2006 15:13 320.205 comsetup.log 19.08.2006 15:13 1.004.037 iis5.log 19.08.2006 15:13 209.628 tsoc.log 19.08.2006 15:13 2.714 imsins.log 19.08.2006 15:13 30.205 KB917422.log 19.08.2006 15:13 297.431 ocgen.log 19.08.2006 15:13 23.745 ockodak.log 19.08.2006 15:13 116.335 certocm.log 19.08.2006 15:13 59.219 LicenOc.log 19.08.2006 15:13 65.095 updspapi.log 19.08.2006 15:13 2.680 imsins.BAK 19.08.2006 15:13 27.971 KB920670.log 
19.08.2006 15:13 28.500 KB920958.log 19.08.2006 15:12 24.830 KB922616.log 19.08.2006 15:12 24.788 KB921398.log 19.08.2006 15:12 24.231 KB917008.log 19.08.2006 15:12 283 setup.rpt 19.08.2006 15:12 957 setup.inf 19.08.2006 15:12 23.633 KB918899-IE6SP1-20060725.123917.log 19.08.2006 15:12 21.344 KB920683.log 19.08.2006 15:12 20.574 KB921883.log 19.08.2006 15:12 19.287 KB917537.log 19.08.2006 15:12 18.771 KB917159.log 19.08.2006 15:11 18.854 KB914388.log 19.08.2006 15:11 17.168 KB917344.log 19.08.2006 15:11 17.383 KB917736.log 19.08.2006 15:11 16.908 KB917953.log 19.08.2006 15:11 18.236 KB914389.log 19.08.2006 15:11 1.023 KB917734.log 19.08.2006 15:11 16.424 KB911280.log 19.08.2006 15:11 8.596 KB918439-IE6SP1-20060530.145346.log 19.08.2006 15:11 11.788 KB913580.log 19.08.2006 15:10 13.308 MDAC28SP1-KB911562-x86-DEU.log 19.08.2006 15:10 17.824 MDAC28-KB911562-x86-DEU.log 19.08.2006 15:10 20.710 MDAC27SP1-KB911562-x86-DEU.log 19.08.2006 15:10 15.069 MDAC25SP3-KB911562-x86-DEU.log 19.08.2006 15:10 7.824 KB908531.log 19.08.2006 15:10 7.620 KB911567-OE6SP1-20060316.165634.log 19.08.2006 15:10 6.052 KB911564.log 19.08.2006 15:10 7.025 KB908519.log 19.08.2006 15:10 7.445 KB912919.log 19.08.2006 15:10 8.984 KB905495-IE6SP1-20050805.184113.log 19.08.2006 15:10 16.305 dahotfix.log 19.08.2006 15:10 983 vminst.log 19.08.2006 15:09 3.090 KB887811.log 19.08.2006 15:09 2.780 KB829558.log 19.08.2006 15:09 5.813 KB897715-OE6SP1-20050503.210336.log 19.08.2006 15:09 3.705 KB898458.log 19.08.2006 15:09 323.152 setupapi.log 16.08.2006 20:09 227 system.ini 16.08.2006 20:09 321 win.ini 03.02.2006 15:51 5.043 mozver.dat Datentr„ger in Laufwerk C: ist SYSTEM Datentr„gernummer: DC3C-4F67 Verzeichnis von C:\ 19.08.2006 17:03 0 sys.txt 19.08.2006 17:03 11.406 system.txt 19.08.2006 17:03 130 systemtemp.txt 19.08.2006 17:02 97.113 system32.txt 19.08.2006 15:50 792.723.456 pagefile.sys 19.08.2006 15:34 17.280 avenger.txt 19.08.2006 15:00 197.120 igdhds.exe.old 16.08.2006 20:09 186 boot.ini 
30.10.2005 09:41 17.807.826 AVG7DB_F.DAT 06.09.2005 08:00 5.320.817 AVG7QT.DAT 05.09.2005 08:05 952.320 AVG6DB_F.DAT 28.10.2004 04:35 19 READY.TXT 28.10.2004 04:27 512 BOOTSECT.DOS 28.10.2004 03:46 0 IO.SYS 28.10.2004 03:46 0 CONFIG.SYS 28.10.2004 03:46 0 AUTOEXEC.BAT 28.10.2004 03:46 0 MSDOS.SYS 16.02.2004 19:44 43 clean.bat 19.06.2003 12:05 216.096 ntldr 19.06.2003 12:05 34.724 NTDETECT.COM 19.06.2003 11:05 15.690 ftp.exe 08.05.2001 13:00 29.986 dupa.exe 22 Datei(en) 817.424.724 Bytes 0 Verzeichnis(se), 4.666.315.776 Bytes frei |
Do you have a solution? Please look through the logs; there may still be something wrong.
Logfile of HijackThis v1.99.1
Scan saved at 13:12:37, on 18.08.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\mscnslskrnl.exe
D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\6.tmp
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
D:\Voiceserver\TeamSpeak2\srvany.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Voiceserver\TeamSpeak2\server_windows.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
D:\Webserver\xampp\apache\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\taskmgr.exe
D:\Programme\Gene6 FTP Server\G6FTPTray.exe
C:\Programme\Uptime Project\client.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\6.tmp
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\6.tmp
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\4\Rar$EX02.139\msconfig_w2k\msconfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Security Management Service] C:\WINNT\system32\6.tmp
O4 - HKCU\..\Run: [Steam] "d:\martin\csserver\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mini-Relay] "D:\Programme\miniRelay\miniRelay.exe"
O4 - HKCU\..\Run: [ServerMonitor] "d:\Programme\RanaInside\ServerMonitor\ServerMonitor.exe" -s
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "d:\Programme\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKCU\..\Run: [Uptime-Project] C:\Programme\Uptime Project\client.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA258F7B-545B-4ACF-94D9-0980CBAF2C90}: NameServer = 213.202.193.165,213.202.250.188
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - D:\Webserver\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Webserver\xampp\FileZillaFTP\FileZilla Server.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - d:\Programme\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: Identd - Unknown owner - d:\IdentD\Identd.exe (file missing)
O23 - Service: Microsoft Console (mscnls) - Cat Soft - C:\WINNT\system32\mscnslskrnl.exe
O23 - Service: mysql - Unknown owner - D:\Webserver\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\6.tmp
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: TSService - Unknown owner - d:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: TSWinServer - Unknown owner - D:\Voiceserver\TeamSpeak2\srvany.exe
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)