Virus infection/SpySheriff?

Topic is closed!
25.09.2006, 23:01
Honorary member
Sabina

Posts: 29434
#16
Avenger

Quote

Files to delete:
C:\Programme\Internet Explorer\win32hp.dat
C:\WINDOWS\system32\win32hp.dll
C:\Programme\Internet Explorer\winbrume.dat
scan with CounterSpy, after the scan set everything to remove, and post the report
http://virus-protect.org/counterspy.html
__________
Regards, Sabina

all about PC security
30.09.2006, 16:14
...new here

Thread starter

Posts: 10
#17 Hello,

Here I'm posting the Avenger log.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ikdhqqxe

*******************

Script file located at: \??\C:\Program Files\royqrjhj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Programme\Internet Explorer\win32hp.dat deleted successfully.


File C:\WINDOWS\system32\win32hp.dll not found!
Deletion of file C:\WINDOWS\system32\win32hp.dll failed!

Could not process line:
C:\WINDOWS\system32\win32hp.dll
Status: 0xc0000034

File C:\Programme\Internet Explorer\winbrume.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Spyware Scan Details
Start Date: 30.09.2006 16:30:30
End Date: 30.09.2006 17:10:58
Total Time: 40 mins 28 secs

Detected spyware

Topconverting Crazywinnings Adware (General) more information...
Details: Topconverting installs via online games through ActiveX drive by download.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\TPUSN
HKEY_CLASSES_ROOT\TPUSN TPUSN_smni 1
HKEY_CLASSES_ROOT\TPUSN TPUSN_bundle 1
HKEY_CLASSES_ROOT\TPUSN TPUSN_optimize 1
HKEY_CLASSES_ROOT\TPUSN TPUSN_ucmore 1
HKEY_CLASSES_ROOT\TPUSN TPUSN_id 1
HKEY_CLASSES_ROOT\TPUSN TPUSN_once 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting DisplayName arkanoid Game
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting UninstallString C:\Programme\TopConverting\arkanoid\arkanoid.exe /uninstall
HKEY_CLASSES_ROOT\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4}
HKEY_CLASSES_ROOT\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4}\InprocServer32 C:\WINDOWS\DOWNLO~1\CONFLICT.1\loader2.ocx
HKEY_CLASSES_ROOT\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4} Loader2 Property Page


Unclassified.Trojan.E Trojan more information...
Status: Deleted

Infected files detected
c:\windows\system32\tmp.exe


MediaTickets CDT Adware (General) more information...
Details: MediaTickets CDT is an adware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
Status: Deleted

Infected files detected
c:\windows\system32\winttr.exe

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 ppcimdnnnjbeahepfabjipfginloedkg egckak
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo ejemdn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo bihgbp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx .Owner {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo bihgbp Integrated Search Technologies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo ejemdn MediaTickets
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 ppcimdnnnjbeahepfabjipfginloedkg egckak CDT inc.


Trojan-Downloader.Win32.Small.dkt Trojan Downloader more information...
Status: Deleted

Infected files detected
c:\windows\system32\ansi.cfg


IESearchToolbar Toolbar more information...
Details: IESearchToolbar is an Internet Explorer toolbar that hijacks the web browser search settings.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907}
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32 C:\Programme\IESearchToolbar\IESearchToolbar.dll
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907} IE Search Toolbar
HKEY_LOCAL_MACHINE\Software\Perezzz Software
HKEY_LOCAL_MACHINE\Software\Perezzz Software\IESearchToolbar first
HKEY_LOCAL_MACHINE\Software\Perezzz Software\IESearchToolbar first_start 0


BrowserVillage Toolbar Toolbar more information...
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/loader2.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/loader2.ocx .Owner {79849612-A98F-45B8-95E9-4D13C7B6B35C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/loader2.ocx {79849612-A98F-45B8-95E9-4D13C7B6B35C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\loader2.ocx


WindUpdates Browser Plug-in more information...
Details: WindUpdates is an adware application that installs as a browser plug-in and displays advertising on the desktop.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\WindUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\WindUpdates param 07698e4871739912c5b8c330ba0bc6ada80041adfc2142:3062383939323536303166336639343032386335336535636538386664346433


MegaSearch Hijacker more information...
Details: MegaSearch is a browser helper object for Internet Explorer that modifies search behavior and changes the default SearchAssistant. MegaSearch also displays popup ads.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\MegaHost
HKEY_CURRENT_USER\Software\MegaHost page 0
HKEY_CURRENT_USER\Software\MegaHost Use Search Asst yes
HKEY_CURRENT_USER\Software\MegaHost SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\MegaHost Start Page http://find-on-the-net.com
HKEY_CURRENT_USER\Software\MegaHost cid 0d950a54-28a5-4510-9637-db647440e388
HKEY_CURRENT_USER\Software\MegaHost Version 6
HKEY_CURRENT_USER\Software\MegaHost day 25
HKEY_CURRENT_USER\Software\MegaHost url http://69.50.164.11/v1/mh.php?pid=devil01&cid=0d950a54-28a5-4510-9637-db647440e388&p=no&t=yes&vh=6&vt=1


SpySheriff Rogue Security Program more information...
Details: SpySheriff is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\SNO2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceActiveDesktopOn


Trojan-Proxy.Atiup Backdoor more information...
Details: Trojan-Proxy.Atiup is a trojan that runs as a proxy on the infected machine.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft ATI_VER


Backdoor.Agent.ACT Backdoor more information...
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS\Tasks tibs2 3
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS\Tasks overp1 3
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS\Tasks yousiteb1 3
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS\Tasks loud1 3
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS\Tasks topconver1 3
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS Temporary Loader File Name C:\Dokumente und Einstellungen\Andreas\Startmenü\Programme\Autostart\WindowsUpdate46968[1].exe
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS Last Update 2004/11/27 11:24:04
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS Id E7C2C2E0CF7E4A1EBB5911C85B28D028


PWS-Banker Password Cracker/Stealer more information...
Details: PWS-Banker is trojan that steals passwords and sensitive data from the infected computer.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\AppID\{73364D99-1240-4dff-B11A-67E448373048}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73364D99-1240-4DFF-B11A-67E448373048}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73364D99-1240-4DFF-B11A-67E448373048}\iexplore Type 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73364D99-1240-4DFF-B11A-67E448373048}\iexplore Count 125
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{73364D99-1240-4DFF-B11A-67E448373048}\iexplore Time


Daosearch Toolbar Toolbar more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{EB381422-F797-4A98-A266-9DC490821907}
HKEY_CLASSES_ROOT\CLSID\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32 C:\Programme\IESearchToolbar\IESearchToolbar.dll
HKEY_CLASSES_ROOT\CLSID\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{EB381422-F797-4A98-A266-9DC490821907} IE Search Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{69753829-779C-45e7-9D8C-C79CE0989246}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{69753829-779C-45e7-9D8C-C79CE0989246} UninstallString C:\Programme\IESearchToolbar\iesearchtoolbar_uninstall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{69753829-779C-45e7-9D8C-C79CE0989246} DisplayName IE Search Toolbar plugin
HKEY_LOCAL_MACHINE\SOFTWARE\Perezzz Software\IESearchToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Perezzz Software\IESearchToolbar first
HKEY_LOCAL_MACHINE\SOFTWARE\Perezzz Software\IESearchToolbar first_start 0


Cookie: ABetterInternet.Aurora Cookie Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\andreas\cookies\andreas@a[1].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\andreas\cookies\andreas@doubleclick[1].txt


Cookie: QuestionMarket.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\andreas\cookies\andreas@questionmarket[2].txt


Cookie: BS.Serving-Sys Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\andreas\cookies\andreas@serving-sys[2].txt

Regards, Zaubermaus
This post was edited on 30.09.2006 at 17:45 by zaubermaus72.
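The CounterSpy report above is the kind of listing a responder ends up triaging by hand: a few dozen registry paths and files, all marked "Deleted", with no indication of which ones matter. The Python below is an added example (not part of the thread and not CounterSpy's own code) that parses this report format (the "more information..." header line, the Status/Details lines and the "Infected ... detected" lists) into one record per finding and ranks each record by the persistence artifacts it lists. SAMPLE_REPORT is a constructed, shortened excerpt of the report posted above; the HIGH_RISK rules (Startup-folder loaders, COM InprocServer32 registrations, WinTrust software-publisher trust-database edits, ActiveX controls under Downloaded Program Files, Run keys) are the author's assumptions about what to look at first, not categories CounterSpy defines.

```python
"""Parse a CounterSpy 'Spyware Scan Details' report into findings and
rank them by the persistence artifacts they list.

Added example for this thread; not CounterSpy's code. SAMPLE_REPORT is a
constructed excerpt of the report posted above, and the HIGH_RISK rules
are the author's assumptions about what to look at first.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""Spyware Scan Details
Start Date: 30.09.2006 16:30:30
End Date: 30.09.2006 17:10:58

Detected spyware

Unclassified.Trojan.E Trojan more information...
Status: Deleted

Infected files detected
c:\windows\system32\tmp.exe


MediaTickets CDT Adware (General) more information...
Details: MediaTickets CDT is an adware program that displays advertisements.
Status: Deleted

Infected files detected
c:\windows\system32\winttr.exe

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 ppcimdnnnjbeahepfabjipfginloedkg egckak CDT inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx


IESearchToolbar Toolbar more information...
Details: IESearchToolbar is an Internet Explorer toolbar that hijacks the web browser search settings.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907}
HKEY_CLASSES_ROOT\clsid\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32 C:\Programme\IESearchToolbar\IESearchToolbar.dll


Backdoor.Agent.ACT Backdoor more information...
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS
HKEY_CURRENT_USER\Software\Microsoft\DMSDOS Temporary Loader File Name C:\Dokumente und Einstellungen\Andreas\Startmenü\Programme\Autostart\WindowsUpdate46968[1].exe


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs.
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\andreas\cookies\andreas@doubleclick[1].txt
"""

HEADER_RE = re.compile(r"^(?P<title>.+?) more information\.\.\.$")
SECTION_RE = re.compile(r"^Infected (registry entries|files|cookies) detected$")
SECTION_FIELD = {"registry entries": "registry", "files": "files", "cookies": "cookies"}

# Assumed triage rules: artifacts that mean the malware survives a reboot
# or has changed what the system trusts.
HIGH_RISK = [
    (r"\\(Autostart|Startup)\\", "loader placed in the Startup folder"),
    (r"\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", "COM in-process server registration"),
    (r"\\WinTrust\\Trust Providers\\Software Publishing\\Trust Database",
     "software-publisher trust database modified"),
    (r"\\Downloaded Program Files\\", "ActiveX control installed through the browser"),
    (r"\\CurrentVersion\\Run(Once)?\\", "Run-key autostart entry"),
]


@dataclass
class Finding:
    title: str                      # e.g. "Backdoor.Agent.ACT Backdoor"
    status: str = ""
    details: str = ""
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    cookies: list = field(default_factory=list)


def parse_report(text):
    """Split the report into one Finding per 'more information...' header."""
    findings, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None              # a blank line ends an artifact list
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Finding(title=m.group("title"))
            findings.append(current)
            section = None
            continue
        if current is None:
            continue                    # scan metadata before the first finding
        m = SECTION_RE.match(line)
        if m:
            section = SECTION_FIELD[m.group(1)]
        elif line.startswith("Status:"):
            current.status = line.split(":", 1)[1].strip()
        elif line.startswith("Details:"):
            current.details = line.split(":", 1)[1].strip()
        elif section:
            getattr(current, section).append(line)
    return findings


def triage(findings):
    """Map each finding title to (level, reasons)."""
    result = {}
    for f in findings:
        if f.title.startswith("Cookie:"):
            result[f.title] = ("low", ["tracking cookie, no code execution"])
            continue
        reasons = sorted({why for entry in f.registry + f.files
                          for pattern, why in HIGH_RISK
                          if re.search(pattern, entry, re.IGNORECASE)})
        if reasons:
            level = "high"
        elif any(p.lower().endswith((".exe", ".dll", ".ocx")) for p in f.files):
            level, reasons = "medium", ["executable on disk; check whether it ran"]
        else:
            level, reasons = "info", ["registry remnants only"]
        result[f.title] = (level, reasons)
    return result


if __name__ == "__main__":
    for title, (level, reasons) in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{level:6} {title}: {'; '.join(reasons)}")
```

"Status: Deleted" records what the scanner removed, not whether the component had already run. A loader registered in the Autostart folder, a COM server the browser loads, or an altered software-publisher trust database means attacker code executed on the machine, and at that point a reinstall is the safer option than trusting the cleanup.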
30.09.2006, 16:16
Honorary member
Sabina

Posts: 29434
#18 scan with CounterSpy, after the scan set everything to remove, and post the report
http://virus-protect.org/counterspy.html
__________
Regards, Sabina

all about PC security
30.09.2006, 17:46
...new here

Thread starter

Posts: 10
#19 Hello, I worked with CounterSpy.

Regards, Zaubermaus
30.09.2006, 18:03
Honorary member
Sabina

Posts: 29434
#20 Oh dear... what a load of junk you have downloaded over time.
If you are thinking about formatting, don't hesitate ;)
For now, everything should be provisionally OK again.

Just one tip: Windows updates from Microsoft NEVER come by mail, ..... !!
So be more suspicious and don't click on everything that blinks, because backdoors and trojans are often hiding behind it.

----
Avenger

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\ENUM\ROOT\LEGACY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SERVICE

__________
Regards, Sabina

all about PC security
30.09.2006, 20:43
...new here

Thread starter

Posts: 10
#21 Hello, a huge heartfelt thank you for all the time you spent getting our PC back on its feet. If I saw it correctly, one can show appreciation via PayPal. We will gladly do that.
I have also carried out the last step and posted it.
We will probably format the PC then.
Thanks for everything in any case.
It was a great tip from audipower to turn to you.
Regards, zaubermaus


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kioecoqs

*******************

Script file located at: \??\C:\bxawatix.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Service not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Service failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Service
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Service not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Service failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Service
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Service not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Service failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Service
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_SERVICE not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_SERVICE failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\ENUM\ROOT\LEGACY_SERVICE
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SERVICE not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SERVICE failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\ENUM\ROOT\LEGACY_SERVICE
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\ENUM\ROOT\LEGACY_SERVICE not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\ENUM\ROOT\LEGACY_SERVICE failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\ENUM\ROOT\LEGACY_SERVICE
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SERVICE not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SERVICE failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_SERVICE
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
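Both Avenger logs in this thread contain "failed!" lines, and every one of them carries Status: 0xc0000034. That value is the NTSTATUS code STATUS_OBJECT_NAME_NOT_FOUND, so those lines say the target was already gone (CounterSpy had removed most of it in between), not that the removal was blocked. The Python below is an added example (not part of the thread and not Avenger's own code) that parses an Avenger run log and separates a genuine failure from an already-absent target, which is the check worth making before deciding whether a second pass is needed. AVENGER_LOG is a constructed excerpt of the logs posted above plus one invented access-denied entry (locked.dll) so that a non-benign failure appears; the NTSTATUS table covers a handful of well-known values from ntstatus.h.

```python
"""Parse an Avenger run log and separate real removal failures from
'not found' ones.

Added example for this thread; not Avenger's code. AVENGER_LOG is a
constructed excerpt of the logs posted above plus one invented
access-denied entry (locked.dll) so that a non-benign failure shows up.
"""
import re

# Well-known NTSTATUS values (ntstatus.h) that show up on failed lines.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}
# "Failures" that only mean the target was already absent.
ALREADY_GONE = {0xC0000034, 0xC000003A}

AVENGER_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kioecoqs

*******************

Script file located at: \??\C:\bxawatix.txt
Script file opened successfully.

Beginning to process script file:

File C:\Programme\Internet Explorer\win32hp.dat deleted successfully.

File C:\WINDOWS\system32\win32hp.dll not found!
Deletion of file C:\WINDOWS\system32\win32hp.dll failed!

Could not process line:
C:\WINDOWS\system32\win32hp.dll
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service
Status: 0xc0000034

Deletion of file C:\WINDOWS\system32\locked.dll failed!

Could not process line:
C:\WINDOWS\system32\locked.dll
Status: 0xc0000022

Completed script processing.

*******************

Finished! Terminate.
"""

SERVICE_RE = re.compile(r"^\\Registry\\Machine\\System\\CurrentControlSet\\Services\\(\S+)$")
DELETED_RE = re.compile(r"^(?:File|Registry key) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Return (service_name, results); each result is a dict with
    target, outcome ('deleted' | 'already_gone' | 'failed') and status."""
    lines = [l.strip() for l in text.splitlines()]
    service, results = None, []
    i = 0
    while i < len(lines):
        line = lines[i]
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)    # random-named service Avenger ran from
        m = DELETED_RE.match(line)
        if m:
            results.append({"target": m.group(1), "outcome": "deleted", "status": None})
        elif line == "Could not process line:" and i + 2 < len(lines):
            # Avenger prints the offending script line, then the NTSTATUS.
            target = lines[i + 1]
            sm = STATUS_RE.match(lines[i + 2])
            code = int(sm.group(1), 16) if sm else None
            outcome = "already_gone" if code in ALREADY_GONE else "failed"
            results.append({"target": target, "outcome": outcome, "status": code})
            i += 2
        i += 1
    return service, results


def summarize(results):
    """Count outcomes and list the targets that still need a look."""
    counts = {"deleted": 0, "already_gone": 0, "failed": 0}
    attention = []
    for r in results:
        counts[r["outcome"]] += 1
        if r["outcome"] == "failed":
            code = r["status"]
            if code is None:
                text = "no status"
            else:
                text = f"0x{code:08X} ({NTSTATUS.get(code, 'unknown NTSTATUS')})"
            attention.append(f"{r['target']}: {text}")
    return counts, attention


if __name__ == "__main__":
    service, results = parse_avenger_log(AVENGER_LOG)
    counts, attention = summarize(results)
    print(f"Avenger service: {service}")
    print(counts)
    for item in attention:
        print("needs attention:", item)
```

Run over the two logs actually posted in this thread, every entry comes out as deleted or already_gone and the attention list is empty, which is the correct reading of those "failed!" lines. An access-denied or sharing-violation status, by contrast, means the target is still on disk and something is holding it, and that is the case that calls for another boot-time pass or, as suggested earlier in the thread, a reinstall.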