Backdoor IRCbot - help, remedies and information wanted

16.04.2008, 21:47
...new here

Posts: 8
#1 Hi folks,

I have a problem: over the last few months I have now reinstalled my PC and notebook 3 times because of the Backdoor IRCBOT Adware/Spyware (found by ESCAN). (TrueImage from Acronis)

System found infected with backdoor (ircbot) trojans Spyware/Adware (hklm\software\microsoft\windows\currentversion\run//msconfig)! Action taken: Keine Maßnahme ergriffen

Today I find that the PC is infested with this plague again.
First of all I am looking for information on how this pest keeps turning up on my PC.

Since it is a backdoor, I suppose I can reinstall the system once more, or is there a way to remove this plague?

To my surprise: I just ran cleanup as described in the FAQ to remove temp data etc., and afterwards started a new scan with eScan. Oddly, this time the Backdoor IRCBOT Adware/Spyware no longer shows up.

Attached is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 21:05, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\eigene\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Programme\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Programme\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Programme\eigene\Mozilla Firefox\firefox.exe
C:\Programme\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\programme\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Programme\Panda Security\Panda Internet Security 2008\psimsvc.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Programme\eigene\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Programme\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Programme\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Programme\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Programme\eigene\totalcmd\TOTALCMD.EXE
C:\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\eigene\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\eigene\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programme\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\eigene\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_S90.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series auf MWORX-BASE (von MWORX_NOTE2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "C:\WINDOWS\TEMP\E_SA.tmp" /EF "HKCU"
O8 - Extra context menu item: Download with GetRight Pro - C:\Programme\eigene\GetRight\GRdownload.htm
O8 - Extra context menu item: Mit GetRight downloaden - C:\Programme\eigene\GetRight\GRdownload.htm
O8 - Extra context menu item: Mit Getright-Browser öffnen - C:\Programme\eigene\GetRight\GRbrowse.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\eigene\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programme\eigene\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\eigene\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\eigene\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\eigene\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\eigene\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\eigene\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - h**p://w*w.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - h**p://w*w.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - h**p://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programme\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\psimsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\eigene\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programme\Panda Security\Panda Internet Security 2008\TPSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe

-------------------------------------------------------------

Datenträger in Laufwerk C: ist Main
Volumeseriennummer: 7481-473F

Verzeichnis von c:\

2008-04-16 20:58 0 dirdat.txt
2008-04-16 20:55 2,145,386,496 pagefile.sys
2008-04-16 18:12 294 boot.ini
2008-04-09 15:46 2,868 voxFcoldrv.log
2008-03-20 00:46 0 23990098.$$$
2008-02-19 13:25 0 AUTOEXEC.BAT
2008-02-13 01:28 5,608 vlcf.xml
2008-02-06 12:05 211 BOOT.BAK
2008-01-03 00:53 0 IO.SYS
2008-01-03 00:53 0 CONFIG.SYS
2008-01-03 00:53 0 MSDOS.SYS
17 Datei(en) 2,154,406,041 Bytes
0 Verzeichnis(se), 11,963,817,984 Bytes frei
Datenträger in Laufwerk C: ist Main
Volumeseriennummer: 7481-473F

Verzeichnis von C:\WINDOWS\system32

2008-04-16 20:07 8,627 PAV_FOG.OPC
2008-04-12 15:26 13,646 wpa.dbl
2008-04-11 13:29 11,594 iklog.log
2008-04-09 20:37 1,627,816 FNTCACHE.DAT
2008-04-06 07:56 19,836,024 MRT.exe
2008-03-30 13:40 490,796 perfh009.dat
2008-03-30 13:40 519,404 perfh007.dat
2008-03-30 13:40 89,736 perfc009.dat
2008-03-30 13:40 109,528 perfc007.dat
2008-03-30 13:40 1,227,294 PerfStringBackup.INI
2008-03-20 10:03 1,845,376 win32k.sys
2008-03-12 23:05 664 d3d9caps.dat
2008-03-09 22:31 1,868,944 RSA32_16.DLL
2008-03-01 18:24 3,591,680 mshtml.dll
2008-03-01 14:54 826,368 wininet.dll
2008-03-01 14:54 233,472 webcheck.dll
2008-03-01 14:54 1,159,680 urlmon.dll
2008-03-01 14:54 105,984 url.dll
2008-03-01 14:54 44,544 pngfilt.dll
2008-03-01 14:54 102,912 occache.dll
2008-03-01 14:54 671,232 mstime.dll
2008-03-01 14:54 193,024 msrating.dll
2008-03-01 14:54 478,208 mshtmled.dll
2008-03-01 14:53 52,224 msfeedsbs.dll
2008-03-01 14:53 459,264 msfeeds.dll
2008-03-01 14:53 27,648 jsproxy.dll
2008-03-01 14:53 1,831,424 inetcpl.cpl
2008-03-01 14:53 267,776 iertutil.dll
2008-03-01 14:53 44,544 iernonce.dll
2008-03-01 14:53 6,066,176 ieframe.dll
2008-03-01 14:53 384,512 iedkcs32.dll
2008-03-01 14:53 63,488 icardie.dll
2008-03-01 14:53 383,488 ieapfltr.dll
2008-03-01 14:53 230,400 ieaksie.dll
2008-03-01 14:53 214,528 dxtrans.dll
2008-03-01 14:53 133,120 extmgr.dll
2008-03-01 14:53 153,088 ieakeng.dll
2008-03-01 14:53 124,928 advpack.dll
2008-03-01 14:53 347,136 dxtmsft.dll
2008-02-29 10:54 70,656 ie4uinit.exe
2008-02-22 13:30 334,792 _AxShlEx.dll
2008-02-22 12:00 13,824 ieudinit.exe
2008-02-21 04:11 3,136 dtu_de.qm
2008-02-21 04:05 4,816 divxsm.tlb
2008-02-21 04:05 10,152 dsm_de.qm
2008-02-21 04:05 524,288 DivXsm.exe
2008-02-21 04:05 3,596,288 qt-dx331.dll
2008-02-21 04:05 200,704 ssldivx.dll
2008-02-21 04:05 1,044,480 libdivx.dll
2008-02-21 04:04 196,608 dtu100.dll
2008-02-21 04:04 416 dpl100.dll.manifest
2008-02-21 04:04 81,920 dpl100.dll
2008-02-21 04:04 416 dtu100.dll.manifest
2008-02-21 04:04 53,248 dpuGUI10.dll
2008-02-21 04:04 593,920 dpuGUI11.dll
2008-02-21 04:04 57,344 dpv11.dll
2008-02-21 04:04 294,912 dpu11.dll
2008-02-21 04:04 294,912 dpu10.dll
2008-02-21 04:04 344,064 dpus11.dll
2008-02-21 04:04 682,496 DivX.dll
2008-02-21 04:04 823,296 divx_xx07.dll
2008-02-21 04:04 823,296 divx_xx0c.dll
2008-02-21 04:04 802,816 divx_xx11.dll
2008-02-21 04:03 630,784 divxdec.ax
2008-02-21 04:03 352,401 DivXMedia.ax
2008-02-21 04:03 156,992 DivXCodecVersionChecker.exe
2008-02-21 04:03 12,288 DivXWMPExtType.dll
2008-02-21 04:03 8,523 dpude.qm
2008-02-21 01:48 5,686 jupdate-1.6.0_03-b05.log
2008-02-20 23:26 253 PavCPL.dat
2008-02-20 08:50 282,624 gdi32.dll
2008-02-20 07:33 45,568 dnsrslvr.dll
2008-02-20 07:33 148,992 dnsapi.dll
2008-02-19 00:08 1,024 default_user_class.dat.LOG
2008-02-17 23:42 0 tmp.txt
2008-02-17 23:42 2,118 tmp.reg
2008-02-16 20:46 85,504 VACFix.exe
2008-02-15 07:44 161,792 ieakui.dll
2008-02-13 17:44 262,144 default_user_class.dat
2008-02-08 11:37 82,432 IEDFix.exe
2008-02-01 22:14 23,552 ctfmon.exe
2008-01-28 22:19 13,312 BASSMOD.dll
2008-01-21 12:05 487 oeminfo.ini
2008-01-21 12:05 23,638 oemlogo.bmp
2008-01-13 11:53 16,832 amcompat.tlb
2008-01-13 11:53 23,392 nscompat.tlb
2008-01-04 23:06 13,646 wpa.bak
2008-01-03 03:12 940,794 LoopyMusic.wav
2008-01-03 03:12 146,650 BuzzingBee.wav
2008-01-03 01:33 138,558 TZLog.log
2008-01-03 01:13 163,353 nvapps.xml
2008-01-03 00:55 261 $winnt$.inf
2008-01-03 00:53 2,951 CONFIG.NT
2008-01-03 00:53 2,951 config.bak
2008-01-03 00:52 488 WindowsLogon.manifest
2008-01-03 00:52 488 logonui.exe.manifest
2008-01-03 00:52 749 nwc.cpl.manifest
2008-01-03 00:52 749 wuaucpl.cpl.manifest
2008-01-03 00:52 749 ncpa.cpl.manifest
2008-01-03 00:52 749 sapi.cpl.manifest
2008-01-03 00:52 749 cdplayer.exe.manifest
2008-01-03 00:50 21,740 emptyregdb.dat
2008-01-03 00:45 0 h323log.txt

2352 Datei(en) 606,929,867 Bytes
0 Verzeichnis(se), 11,963,691,008 Bytes frei
Datenträger in Laufwerk C: ist Main
Volumeseriennummer: 7481-473F

Verzeichnis von C:\WINDOWS

2008-04-16 20:58 4,577 wincmd.ini
2008-04-16 20:56 158,364 WindowsUpdate.log
2008-04-16 20:56 157 wiadebug.log
2008-04-16 20:56 50 wiaservc.log
2008-04-16 20:55 0 0.log
2008-04-16 20:55 2,048 bootstat.dat
2008-04-16 20:54 2,908 COM+.log
2008-04-16 20:54 3,260 SchedLgU.Txt
2008-04-16 20:40 50 Lic.xxx
2008-04-16 18:12 227 system.ini
2008-04-16 18:12 817 win.ini
2008-04-16 02:41 742 setupapi.log
2008-04-15 21:20 976 wcx_ftp.ini
2008-04-12 19:24 1,197 wmsetup.log
2008-04-11 13:39 0 Sti_Trace.log
2008-04-05 03:27 847 tobit.ini
2008-03-16 23:48 294 ktel.ini
2008-03-16 23:42 282 TOBITADD.INI
2008-03-15 00:52 49 NeroDigital.ini
2008-03-11 20:08 23 AVFD.INI
2008-02-22 00:34 1,425 mozver.dat
2008-02-19 18:09 53,248 PSEXESVC.EXE
2008-02-19 14:33 250 gmer.ini
2008-02-19 14:33 80 gmer_uninstall.cmd
2008-02-19 14:33 819,200 gmer.dll
2008-02-19 13:22 95,988 pavclean2006_lsp_backup.reg
2008-02-19 11:33 254 UPGRADE.TXT
2008-01-30 04:15 434 ODBC.INI
2008-01-18 21:31 757,760 gmer.exe
2008-01-12 19:17 316,640 WMSysPr9.prx
2008-01-08 23:07 1,025,544 setupapi.log.0.old
2008-01-04 23:17 0 nsreg.dat
2008-01-03 02:43 315,392 HideWin.exe
2008-01-03 02:40 3,956 Ascd_tmp.ini
2008-01-03 00:56 8,192 REGLOCS.OLD
2008-01-03 00:53 0 control.ini
2008-01-03 00:53 4,161 ODBCINST.INI
2008-01-03 00:52 749 WindowsShell.Manifest
2008-01-03 00:49 37 vbaddin.ini
2008-01-03 00:49 36 vb.ini

98 Datei(en) 48,731,789 Bytes
0 Verzeichnis(se), 11,963,699,200 Bytes frei
Datenträger in Laufwerk C: ist Main
Volumeseriennummer: 7481-473F

Verzeichnis von C:\DOKUME~1\Donny\LOKALE~1\Temp

2008-04-16 20:56 22,253 Turkish.bin
2008-04-16 20:56 21,964 Norwegian.bin
2008-04-16 20:56 19,553 Hebrew.bin
2008-04-16 20:56 26,080 Hungarian.bin
2008-04-16 20:56 24,312 Czech.bin
2008-04-16 20:56 22,857 Finnish.bin
2008-04-16 20:56 25,071 Portuguese(Brazil).bin
2008-04-16 20:56 24,221 Polish.bin
2008-04-16 20:56 25,082 Greek.bin
2008-04-16 20:56 21,976 Thai.bin
2008-04-16 20:56 20,972 Arabic.bin
2008-04-16 20:56 16,408 SimChin.bin
2008-04-16 20:56 21,914 English.bin
2008-04-16 20:56 26,260 Portuguese.bin
2008-04-16 20:56 24,082 SWEDISH.bin
2008-04-16 20:56 27,753 Spanish.bin
2008-04-16 20:56 26,126 Russian.bin
2008-04-16 20:56 27,410 Italian.bin
2008-04-16 20:56 25,753 German.bin
2008-04-16 20:56 27,235 French.bin
2008-04-16 20:56 16,949 TradChin.bin
2008-04-16 20:56 22,783 Danish.bin
2008-04-16 20:56 20,135 Korean.bin
2008-04-16 20:56 25,747 Dutch.bin
2008-04-16 20:56 24,297 Japanese.bin
25 Datei(en) 587,193 Bytes
0 Verzeichnis(se), 11,963,695,104 Bytes frei
---------------------------------------------------------------------
eScan evaluation with find.bat

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NORMAL

eScan Version: 9.7.8
Sprache: German
C:\DOKUME~1\Donny\LOKALE~1\Temp\MWAV.LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Prozesse und Module
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
Zeilen die nicht dem Standard entsprechen:
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Batchstart: 21:46:21.26
Batchende: 21:47:18.51
17.04.2008, 00:34
Honorary member
Sabina

Posts: 29434
#2 Hello,

1.
Scan with sdfix; it has to be in Safe Mode - post the report
http://virus-protect.org/artikel/tools/sdfix.html

2.
Then sdfix in normal mode: double-click RunThis.bat - 3: Sophos is loaded - choose option 6 - scan + post the report (it is in the sdfix folder)
__________
Regards, Sabina

all about PC security
18.04.2008, 07:45
...new here

Thread starter

Posts: 8
#3 @Sabina

I ran SDFIX following your instructions; in the process my Panda Internet Security got wrecked as well.


REPORT

SDFix: Version 1.171
Run by Donny on 2008-04-17 at 23:15

Microsoft Windows XP [Version 5.1.2600]
Running From: c:\SDfix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 23:25:13
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Programme\eigene\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:63,05,8a,84,e3,aa,72,10,d1,2b,c0,26,0a,5a,37,1a,5e,b8,27,57,94,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\eigene\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:e5,88,9e,86,21,17,8e,d0,a9,98,1e,fa,a6,96,b2,9b,d3,ac,fa,3e,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,37,a7,de,c6,ec,2a,47,12,8b,24,60,1e,a9,e1,07,9a,29,..
"khjeh"=hex:39,58,de,1f,a9,06,7f,5e,3d,5b,c5,e4,69,4e,65,02,e3,1f,47,6d,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,30,8a,0a,2b,00,b2,6b,ea,91,6e,b9,cf,44,38,43,e4,97,56,9b,9d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Programme\eigene\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:63,05,8a,84,e3,aa,72,10,d1,2b,c0,26,0a,5a,37,1a,5e,b8,27,57,94,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\eigene\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:e5,88,9e,86,21,17,8e,d0,a9,98,1e,fa,a6,96,b2,9b,d3,ac,fa,3e,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,37,a7,de,c6,ec,2a,47,12,8b,24,60,1e,a9,e1,07,9a,29,..
"khjeh"=hex:39,58,de,1f,a9,06,7f,5e,3d,5b,c5,e4,69,4e,65,02,e3,1f,47,6d,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:bb,30,8a,0a,2b,00,b2,6b,ea,91,6e,b9,cf,44,38,43,e4,97,56,9b,9d,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDfix\backups\backups.zip

Files with Hidden Attributes :

Wed 6 Feb 2008 211 A.SH. --- "C:\BOOT.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\eigene\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\eigene\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\eigene\Spybot - Search & Destroy\TeaTimer.exe"
Sat 12 Jan 2008 0 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\Cache\Indiv01.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT3.tmp"

Finished!

SOPHOS REPORT

Sophos Anti-Virus
Version 4.28.0 [Win32/Intel]
Virus data version 4.28E, April 2008
Includes detection for 381537 viruses, trojans and worms
Copyright (c) 1989-2008 Sophos Plc, www.sophos.com

System time 23:34:03, System date 17 April 2008
Command line qualifiers are: -f -remove -nc -nb --stop-scan

>>> Virus 'Mal/Behav-217' found in file C:\Programme\eigene\GetRight\GetRight2.exe
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file C:\Programme\Panda Security\Panda Internet Security 2008\Pskavs.dll
Removal failed
>>> Virus fragment 'W95/Whog-878b' found in file C:\Programme\Panda Security\TotalScan\pskavs.dll
Removal successful
Could not open C:\WINDOWS\system32\drivers\sptd.sys
Password protected file E:\Dokumente und Einstellungen\Eigene Dateien\[0001]--sonstiges--\Reseller-Artikel_2008_ab0208_.xls
>>> Virus 'Troj/Agent-GAU' found in file E:\Microsoft.Office.2007.Enterprise.Keygen.Only-MiCROSOFT\keygen.exe
Removal successful

8 boot sectors swept.
105040 files swept in 1 hour, 1 minute and 25 seconds.
3 errors were encountered.
4 viruses were discovered.
4 files out of 105040 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
1 encrypted file was not checked.
Ending Sophos Anti-Virus.
This post was edited by candelaver on 18.04.2008 at 08:02.
18.04.2008, 10:20
Honorary member
Sabina

Posts: 29434
#4 Sophos has wiped out GetRight; I assume that it is a "false positive", as is the deleted element from Panda ;)
If you don't want to reinstall the manager, fix it with HijackThis; how to do that is explained here:
http://virus-protect.org/hjtkurz.html

Quote

O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\eigene\GetRight\xx2gr.dll

O8 - Extra context menu item: Download with GetRight Pro - C:\Programme\eigene\GetRight\GRdownload.htm
O8 - Extra context menu item: Mit GetRight downloaden - C:\Programme\eigene\GetRight\GRdownload.htm
O8 - Extra context menu item: Mit Getright-Browser öffnen - C:\Programme\eigene\GetRight\GRbrowse.htm

O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programme\eigene\GetRight\GRbrowse.htm
----------

The registry entry you mentioned is not visible, and sdfix did not find anything further either.
Since the keygen has been removed, everything should be OK again.
__________
Regards, Sabina

all about PC security
18.04.2008, 11:33
...new here

Thread starter

Posts: 8
#5 @Sabina,

Thank you, I can do without GetRight; I don't even know why I installed it in the first place.

I have reinstalled Panda and everything is back in order.

Thanks again for your help.