Trojans TR/Drop.Agent.AAY and TR/Drop.Agent.age.2 on PC

13.06.2007, 18:29
...new here

Posts: 5
#1 Hi,

I have the trojans TR/Drop.Agent.AAY and TR/Drop.Agent.age.2 on my PC. I found them with Avira AntiVir. How can I get rid of them?

Information on TR/Drop.Agent.AAY:
http://www.avira.com/de/Thread/section/fulldetails/id_vir/3596/tr_drop.agent.aay.html

Thanks. I'm at my wits' end.

Regards, cereb
13.06.2007, 19:41
Moderator

Posts: 7805
#2 Please work through points 1-3 of this thread: http://board.protecus.de/t23188.htm
__________
Regards, Ralf
SEO-Spam Hunter
13.06.2007, 19:53
...new here

Thread starter

Posts: 5
#3 datfind.exe

13.06.2007 13:58 7.275 nvapps.xml
13.06.2007 13:54 2.206 wpa.dbl
05.06.2007 23:38 15.747.032 MRT.exe
30.05.2007 20:35 445.312 FNTCACHE.DAT
11.04.2007 11:21 39.668 PUXPPLAT.UND
06.04.2007 14:09 210 BOOTBAK.INI
02.04.2007 14:21 428.032 swreg.exe
01.04.2007 12:26 5.100 NULL
25.03.2007 10:46 54.076 perfc009.dat
25.03.2007 10:46 382.716 perfh009.dat
25.03.2007 10:46 394.198 perfh007.dat
25.03.2007 10:46 65.286 perfc007.dat
25.03.2007 10:46 905.972 PerfStringBackup.INI

Edit: is this information enough?

Attachment: ComboFix.txt
This post was edited by cereb on 13.06.2007 at 20:15.
14.06.2007, 05:48
Moderator

Posts: 7805
#4 A HijackThis log would be helpful, as well as the information on where these viruses were found.
__________
Regards, Ralf
SEO-Spam Hunter
14.06.2007, 13:47
...new here

Thread starter

Posts: 5
#5 Sorry, I'm new here.

Logfile of HijackThis v1.99.1
Scan saved at 13:40:48, on 14.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\T-Online\T-ONLI~1\Notifier\Notifier.exe
C:\Programme\Filzip\Filzip.exe
C:\DOKUME~1\user\LOKALE~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programme\ONSPEED\components\NOWImaging.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://de8.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096728815609
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe

The trojans were found at:

C:\Programme\Outlook Express\awimi.exe (TR/Drop.Agent.AAY)
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\z11wini.exe (TR/Drop.Agent.age.2)

Regards, cereb
14.06.2007, 13:55
Moderator

Posts: 7805
#6 The files have been deleted and you used ATF Cleaner?

The only thing that stands out is
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programme\ONSPEED\components\NOWImaging.dll (file missing)

You can tick these in HijackThis and press "Fix checked".


Otherwise, run a few control scans with DrWeb:
http://freedrweb.com/
and Ewido: http://downloads.ewido.net/ewido_micro.exe

Configure your AntiVir as described here: http://board.protecus.de/t23979.htm
__________
Regards, Ralf
SEO-Spam Hunter
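The triage the moderator does by eye in post #6 (spotting BHO/toolbar entries whose DLL no longer exists, and loaders pointing into a Temp directory like the one where z11wini.exe was found) can be automated. The following is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools mentioned. The sample lines are constructed from the HijackThis log posted above, plus one hypothetical O4 Run entry for z11wini.exe that the page does not show, included only to exercise the temp-directory check.

```python
"""Triage HijackThis log lines for orphaned browser hooks and temp-dir loaders.

Added example for this page; not part of HijackThis or the original thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# O2 (BHO), O3 (toolbar) and O9 (IE button) lines share the shape:
#   <section> - <description> - {CLSID} - <path or "(no file)">
CLSID_LINE = re.compile(r"^(O2|O3|O9) - (.+?) - (\{[0-9A-Fa-f\-]{36}\}) - (.*)$")
# O4 (autostart) lines:  O4 - <hive>\..\Run: [<name>] <command>
RUN_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
# Any path component named Temp or Tmp (covers both the long and the 8.3 form
# of "Lokale Einstellungen\Temp" seen in the thread).
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample: lines copied from the log above, plus one hypothetical
# O4 entry (assumption, not present on the page) that would load z11wini.exe
# from the user's Temp directory.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)",
    r"O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programme\ONSPEED\components\NOWImaging.dll (file missing)",
    r"O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [z11wini] C:\DOKUME~1\user\LOKALE~1\Temp\z11wini.exe",  # hypothetical
])


@dataclass
class Finding:
    line_no: int   # 1-based line in the log text
    section: str   # HijackThis section code, e.g. "O2"
    reason: str    # why the line was flagged
    target: str    # the CLSID/path or hive/name/command that was flagged


def classify_path(path: str) -> Optional[str]:
    """Return a reason if the path is an orphaned hook or a temp-dir loader, else None."""
    if path == "(no file)" or path.endswith("(file missing)"):
        # HijackThis marks registered objects whose file is gone; the registry
        # entry is dead weight and should be fixed (removed).
        return "orphaned: registered object whose file no longer exists"
    if TEMP_DIR.search(path):
        # Legitimate autostarts do not live in Temp; droppers frequently do.
        return "loader runs from a temp directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis log text and return every line that deserves a second look."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = CLSID_LINE.match(line)
        if m:
            section, _desc, clsid, path = m.groups()
            reason = classify_path(path)
            if reason:
                findings.append(Finding(n, section, reason, f"{clsid} -> {path}"))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, name, command = m.groups()
            reason = classify_path(command)
            if reason:
                findings.append(Finding(n, "O4", reason, f"{hive} [{name}] {command}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} {f.section}: {f.reason}\n    {f.target}")
```

Run it against a full log (`triage(open("hijackthis.log").read())`) to get the same short list the moderator picked out by hand; an orphaned entry is only dead registry weight, while a Run entry pointing into Temp is worth treating as a live dropper until the file has been checked.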
14.06.2007, 13:59
...new here

Thread starter

Posts: 5
#7 Many, many thanks, raman, for the great support.

I used ATF Cleaner.

Regards, cereb
28.06.2007, 17:02
...new here

Thread starter

Posts: 5
#8 Hi, could you take another look to see whether everything is OK? cureit.exe doesn't find anything.

Thanks for your efforts.

datfind.exe

8.06.2007 15:29 7.275 nvapps.xml
24.06.2007 17:11 2.206 wpa.dbl
14.06.2007 13:32 445.312 FNTCACHE.DAT
13.06.2007 23:13 122.142 TZLog.log
05.06.2007 23:38 15.747.032 MRT.exe
16.05.2007 17:11 683.520 inetcomm.dll
08.05.2007 10:59 3.583.488 mshtml.dll
25.04.2007 16:22 144.896 schannel.dll

Logfile of HijackThis v1.99.1
Scan saved at 16:57:33, on 28.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ps2.exe
C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\INFOCOCKPIT.EXE
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\T-Online\T-ONLI~1\Notifier\Notifier.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\user\Desktop\Virusbekämpfung\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=DE_DE&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKCU\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://de8.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096728815609
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

ComboFix 07-06-13.3 - C:\Dokumente und Einstellungen\user\Desktop\Virusbekämpfung\ComboFix.exe
"user" - 2007-06-28 16:50:10 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-25 12:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-24 17:04 <DIR> d-------- C:\Programme\SiSoftware
2007-06-24 17:00 <DIR> d-------- C:\Programme\JAP
2007-06-14 14:11 <DIR> d-------- C:\DOKUME~1\user\DoctorWeb
2007-06-13 19:37 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 14:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-13 13:55 <DIR> d-------- C:\WINDOWS\system32\de-de
2007-06-13 13:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-13 13:42 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Windows Genuine Advantage
2007-05-31 16:50 5,242,880 --a------ C:\DOKUME~1\user\ntuser.dat
2007-05-31 16:50 <DIR> d-------- C:\Programme\HEAD
2007-05-28 19:50 <DIR> d-------- C:\DOKUME~1\user\ANWEND~1\Skype
2007-05-28 19:49 <DIR> d-------- C:\Programme\Skype
2007-05-28 19:49 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Skype
2007-05-28 19:49 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Skype


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 15:33:37 -------- d-----w C:\Programme\ICQToolbar
2007-06-26 13:19:01 -------- d-----w C:\Programme\TrackMania Nations ESWC
2007-06-14 13:49:27 -------- d-----w C:\Programme\Everest Poker
2007-06-01 19:29:37 -------- d-----w C:\DOKUME~1\user\ANWEND~1\Avant Browser
2007-06-01 11:38:56 -------- d-----w C:\Programme\PokerStars
2007-05-31 14:50:12 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-05-30 18:04:38 -------- d-----w C:\Programme\The Westerner
2007-05-30 18:00:46 -------- d-----w C:\Programme\Pacz
2007-05-30 17:55:33 -------- d-----w C:\Programme\Picasa
2007-05-30 17:54:00 -------- d-----w C:\Programme\Oberon Media
2007-05-27 08:55:18 -------- d-----w C:\Programme\PHP
2007-05-17 16:07:01 -------- d-----w C:\DOKUME~1\user\ANWEND~1\SlipStream
2007-05-16 15:11:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 17:14:20 -------- d-----w C:\Programme\ICQ6
2007-05-15 17:14:17 -------- d-----w C:\DOKUME~1\user\ANWEND~1\ICQ
2007-05-15 17:14:07 -------- d-----w C:\Programme\ICQLite
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:13:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 07:24:34 12,275 -c--a-w C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{055FD26D-3A88-4e15-963D-DC8493744B1D}=C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 10:40]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programme\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-07-12 16:50 C:\WINDOWS\system32\nwiz.exe]
"FLMK08KB"="C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe" [2006-11-30 19:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InfoCockpit"="C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.exe" [2007-01-16 11:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"InfoCockpit"=C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Programme\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BusinessOnline Log]
"C:\Programme\T-DSL Business\bolog.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]
C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeScape Media Detector]
C:\Programme\Picasa\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspwr]
C:\WINDOWS\system32\PuXpMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PwrUpTweakMe]
C:\WINDOWS\system32\PUXPTWKS.EXE /TWEAK

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programme\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"D:\Programme\Valve\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\T-DSL SpeedMgr]
"C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=3 (0x3)
"TSMService"=3 (0x3)
"SymWSC"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"NVSvc"=2 (0x2)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"AVM WLAN Connection Service"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" /background
"Mozilla Quick Launch"="C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
"TuneUp MemOptimizer"="D:\Programme\TuneUp Utilities 2004\MemOptimizer.exe" autostart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" -minimize
"CloneDVDElbyDelay"="D:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
"iTunesHelper"=C:\Programme\iTunes\iTunesHelper.exe
"ElbyCheckAnyDVD"="C:\Programme\AnyDVD\ElbyCheck.exe" /L AnyDVD
"Easy-PrintToolBox"=C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
"BusinessOnline Log"="C:\Programme\T-DSL Business\bolog.exe"
"BearShare"="C:\Programme\BearShare\BearShare.exe" /pause
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"UpdateManager"="C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
"Dit"=Dit.exe
"KBD"=C:\HP\KBD\KBD.EXE
"nwiz"=nwiz.exe /install
"WinampAgent"="C:\Programme\Winamp\Winampa.exe"
"AVMWlanClient"=C:\Programme\avmwlanstick\wlangui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc


Contents of the 'Scheduled Tasks' folder
2006-05-26 15:15:00 C:\WINDOWS\tasks\1-Klick-Wartung.job
2006-05-28 17:09:00 C:\WINDOWS\tasks\Einfache Internetanmeldung.job
2006-05-28 17:09:00 C:\WINDOWS\tasks\Symantec NetDetect.job

((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


No new files created in this timespan


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 16:56:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [3972]


scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-28 16:56:18
C:\ComboFix-quarantined-files.txt ... 2007-06-28 16:56
C:\ComboFix2.txt ... 2007-06-13 19:46

--- E O F ---

Regards, Cereb
28.06.2007, 17:13
Moderator

Posts: 7805
#9 Looks good. You should still tick and fix this entry (a leftover from Spybot). IE must be closed before you press "Fix checked"!
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
__________
Regards, Ralf
SEO-Spam Hunter