alg.exe present several times?

27.05.2007, 15:41
Member

Posts: 36
#1 Hello, I recently had a look in TCPView and saw that alg.exe shows up there several times (2 times localhost) and once to an IP (51......ftp). Unfortunately I don't remember the IP exactly anymore; after a while it went away again.

What does that have to do with FTP? Perhaps an attack via an FTP server?

Incidentally, this also showed up again with my Firefox (perhaps injected?)


Thanks for any answer

Regards
narziss
27.05.2007, 15:47
Moderator

Posts: 7805
#2 Many things are possible. Give us some more information:
http://board.protecus.de/t23188.htm
__________
Regards, Ralf
SEO-Spam Hunter
27.05.2007, 16:23
Member

Thread starter

Posts: 36
#3 HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 16:22:09, on 27.05.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Winamp\winampa.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\WinPatrol\winpatrol.exe
F:\Program Files\QIP\qip.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Programme\utorrent\uTorrent.exe
F:\Program Files\TOR\Vidalia\vidalia.exe
F:\Program Files\TOR\Privoxy\privoxy.exe
F:\Program Files\No-IP\DUC20.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\oodag.exe
F:\Program Files\TOR\Tor\tor.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\boOz\Desktop\Toolz\HijackThis.exe

O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [QIP2005] F:\Program Files\QIP\qip.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [µTorrent] "D:\Programme\utorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Vidalia] "F:\Program Files\TOR\Vidalia\vidalia.exe"
O4 - Startup: No-IP DUC.lnk = F:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Privoxy.lnk = F:\Program Files\TOR\Privoxy\privoxy.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe


ComboFix Logfile


"boOz" - 2007-05-27 16:03:26 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\boOz\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-27 12:53 <DIR> d-------- C:\DOCUME~1\boOz\APPLIC~1\Acronis
2007-05-27 12:06 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-05-23 19:26 <DIR> d-------- C:\Documents and Settings\boOz\VSWebCache
2007-05-23 19:26 <DIR> d-------- C:\DOCUME~1\boOz\VSWebCache
2007-05-23 19:13 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-05-23 19:13 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-05-23 19:13 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-05-23 19:13 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-05-23 19:13 471,552 --a------ C:\WINDOWS\system32\Smab.dll
2007-05-23 19:13 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-05-23 19:13 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-05-23 19:13 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-05-23 19:13 217,073 --a------ C:\WINDOWS\meta4.exe
2007-05-23 19:13 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-05-23 19:11 31,744 -r-hs---- C:\WINDOWS\system32\msfDX.dll
2007-05-23 19:11 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-05-23 19:10 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2007-05-22 23:09 <DIR> d-------- C:\TC
2007-05-22 22:43 6,553,600 --a------ C:\Documents and Settings\boOz\ntuser.dat
2007-05-22 22:43 6,553,600 --a------ C:\DOCUME~1\boOz\ntuser.dat
2007-04-29 23:10 2,320,000 --a------ C:\WINDOWS\system32\TUKernel.exe
2007-04-29 16:21 <DIR> d-------- C:\WINDOWS\hsperfdata_boOz
2007-04-27 16:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-04-27 16:27 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-27 16:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-27 16:24 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-27 16:24 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 14:09:00 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Tor
2007-05-27 14:08:46 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\uTorrent
2007-05-27 14:08:33 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Vidalia
2007-05-27 13:33:44 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-26 19:32:45 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\ICQ
2007-05-23 17:11:52 -------- d-----w C:\Program Files\Microsoft Visual Studio .NET 2003
2007-05-23 17:10:28 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-16 18:52:16 -------- d-----w C:\Program Files\ICQToolbar
2007-04-25 16:37:09 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Apple Computer
2007-04-22 16:53:32 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-18 19:39:37 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 18:37:33 -------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-04-18 18:36:17 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-14 20:38:58 -------- d-----w C:\Program Files\Apple Software Update
2007-04-14 19:33:37 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Dev-Cpp
2007-04-13 11:31:57 392,320 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-04-13 11:31:57 32,768 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-04-13 11:31:50 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-04-13 11:31:41 -------- d-----w C:\Program Files\Common Files\Acronis
2007-04-11 01:55:26 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\ICQLite
2007-04-11 01:54:06 -------- d-----w C:\Program Files\ICQLite
2007-04-10 13:39:46 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-04-10 13:05:58 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Xfire
2007-04-10 11:48:29 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\vlc
2007-04-10 11:38:36 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Ipswitch
2007-04-10 11:12:58 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\teamspeak2
2007-04-09 18:46:31 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\WinPatrol
2007-04-09 16:55:32 90,624 ----a-w C:\WINDOWS\VSUNINST.EXE
2007-04-09 14:14:24 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Hamachi
2007-04-09 14:11:18 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-09 12:15:51 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Media Player Classic
2007-04-09 12:14:57 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-04-09 10:36:18 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\ATI
2007-04-09 10:30:58 -------- d-----w C:\Program Files\ATI Technologies
2007-04-09 09:03:44 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\TuneUp Software
2007-04-08 16:11:52 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-08 15:30:47 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Ahead
2007-04-08 15:28:52 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-08 11:58:16 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\GetRightToGo
2007-04-08 11:35:55 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-08 11:21:49 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-07 22:01:04 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Talkback
2007-04-07 22:00:48 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Thunderbird
2007-04-07 22:00:42 4,117 ----a-w C:\WINDOWS\mozver.dat
2007-04-07 19:32:40 -------- d-----w C:\Program Files\Winamp
2007-04-07 19:26:43 -------- d-----w C:\Program Files\VIA Technologies, Inc
2007-04-07 19:15:08 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Help
2007-04-07 19:15:00 -------- d-----w C:\DOCUME~1\boOz\APPLIC~1\Logitech
2007-04-07 19:07:43 -------- d-----w C:\Program Files\Common Files\Logitech
2007-04-07 19:07:30 -------- d-----w C:\Program Files\Logitech
2007-04-07 19:07:22 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-07 18:17:17 -------- d-----w C:\Program Files\Messenger
2007-04-07 16:12:39 -------- d-----w C:\Program Files\Common Files\ODBC
2007-04-07 16:12:36 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-04-07 15:02:47 0 ----a-w C:\WINDOWS\nsreg.dat
2007-04-07 14:59:51 -------- d-----w C:\Program Files\Kaspersky Lab
2007-04-07 14:27:39 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-07 14:27:16 0 --sha-r C:\MSDOS.SYS
2007-04-07 14:27:16 0 --sha-r C:\IO.SYS
2007-04-07 14:27:16 0 ----a-w C:\CONFIG.SYS
2007-04-07 14:27:16 0 ----a-w C:\AUTOEXEC.BAT
2007-04-07 14:25:54 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-07 14:25:50 -------- d-----w C:\Program Files\Online Services
2007-04-07 14:25:11 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-04-07 14:25:04 -------- d-----w C:\Program Files\Movie Maker
2007-04-07 14:24:18 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-07 14:23:46 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-07 14:23:40 -------- d-----w C:\Program Files\Windows NT
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 17:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-02 20:54:35 307,200 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-03-02 20:29:08 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [2007-02-13 20:29]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-22 13:21]
"WinPatrol"="F:\Program Files\WinPatrol\winpatrol.exe" [2007-04-19 19:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QIP2005"="F:\Program Files\QIP\qip.exe" [2007-04-21 21:35]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"µTorrent"="D:\Programme\utorrent\uTorrent.exe" [2007-02-15 22:17]
"@"="" []
"Vidalia"="F:\Program Files\TOR\Vidalia\vidalia.exe" [2007-02-08 03:38]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"TrueImageMonitor.exe"=F:\Program Files\True Image 10\TrueImageMonitor.exe
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
"AcronisTimounterMonitor"=F:\Program Files\True Image 10\TimounterMonitor.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
UxTuneUp



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-154522-884
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

backup-20070527-154521-749
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
Contents of the 'Scheduled Tasks' folder
2007-05-25 15:16:37 C:\WINDOWS\tasks\1-Klick-Wartung.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 16:08:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-27 16:10:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 16:10

--- E O F ---
27.05.2007, 16:45
Moderator

Posts: 7805
#4 That looks quite clean. Uninstalling TOR might get rid of the problem.....
__________
Regards, Ralf
SEO-Spam Hunter
27.05.2007, 17:01
Member

Thread starter

Posts: 36
#5 OK, thanks first of all for checking ;)

But I would still like to know what this :ftp after the IP means.
Oddly enough, it doesn't show up at all anymore now, even though I am running TOR.
The whole thing is very strange...
27.05.2007, 17:15
Moderator

Posts: 7805
#6 FTP apparently means that there is traffic on port 21. It may well be that FTP connections are also possible via tor!?
__________
Regards, Ralf
SEO-Spam Hunter
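The ":ftp" suffix that TCPView shows in place of a port number comes from a name-to-port table of the kind the Windows services file (%SystemRoot%\system32\drivers\etc\services) provides. The Python below is an added example, not code from this thread or from TCPView: it resolves such suffixes against a constructed excerpt of that table and groups sockets per process, so that "the same exe appears several times" reads as one process holding several sockets, with only non-loopback peers left for a closer look. The connection rows are constructed to match the poster's description; the external address 203.0.113.5 is a documentation-range placeholder, since the real IP is not on the page.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the layout of the Windows services file
# (%SystemRoot%\system32\drivers\etc\services); not the full file.
SERVICES_EXCERPT = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
ftp-data            20/tcp
ftp                 21/tcp                          #FTP. control
ssh                 22/tcp
http                80/tcp    www www-http          #World Wide Web
"""


def parse_services(text):
    """Parse services-file lines into {(name, proto): port}, aliases included."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port_str, proto = fields[1].split("/")
        for name in [fields[0], *fields[2:]]:
            table[(name, proto)] = int(port_str)
    return table


def resolve_endpoint(endpoint, services, proto="tcp"):
    """Split 'host:port' as TCPView prints it; a service name is mapped
    back to its number ('203.0.113.5:ftp' -> ('203.0.113.5', 21))."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    try:
        return host, services[(port, proto)]
    except KeyError:
        raise ValueError(f"unknown service name {port!r} for {proto}") from None


# Constructed TCPView-style rows modelled on the poster's description: two
# loopback sockets of alg.exe and one to an external host on ":ftp".
# 203.0.113.5 is a documentation-range placeholder, not the real address.
CONNECTIONS = [
    ("alg.exe",     "tcp", "127.0.0.1:1026",  "0.0.0.0:0",       "LISTENING"),
    ("alg.exe",     "tcp", "127.0.0.1:1026",  "127.0.0.1:1044",  "ESTABLISHED"),
    ("alg.exe",     "tcp", "192.0.2.10:1045", "203.0.113.5:ftp", "ESTABLISHED"),
    ("firefox.exe", "tcp", "127.0.0.1:1050",  "127.0.0.1:8118",  "ESTABLISHED"),
]


def triage(rows, services):
    """Group sockets per process; list only peers that are not loopback.
    Returns {process: {"sockets": count, "external": [(host, port), ...]}}."""
    report = defaultdict(lambda: {"sockets": 0, "external": []})
    for proc, proto, _local, remote, state in rows:
        entry = report[proc]
        entry["sockets"] += 1
        if state == "LISTENING":          # no peer yet, nothing to resolve
            continue
        host, port = resolve_endpoint(remote, services, proto)
        if not ipaddress.ip_address(host).is_loopback:
            entry["external"].append((host, port))
    return dict(report)


if __name__ == "__main__":
    table = parse_services(SERVICES_EXCERPT)
    for proc, info in triage(CONNECTIONS, table).items():
        print(f"{proc}: {info['sockets']} socket(s), external peers: {info['external']}")
```

Run as a script it lists each process with its socket count and its non-loopback peers; in the constructed data only alg.exe has one, the port-21 peer, while the loopback sockets (which are what makes a single process appear several times in a connection list) are counted but not reported.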