Hi,
Nach dem Scannen mit E-scan im abgesichterten Modus und manuellem Löschen (infected), hier die
Logfile of HijackThis v1.99.0
Scan saved at 13:29:17, on 29.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Programme\WinZip\WINZIP32.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1und1.com/b1redirect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von 1&1 Internet AG
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (o name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programme\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_SE.tmp"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [RoboForm] "C:\Programme\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Thumbs.db
O4 - Global Startup: Date Manager.lnk = C:\Programme\Date Manager\DateManager.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Programme\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &WEB.DE Toolbar Suche - res://C:\WINDOWS\Downloaded Program Files\webde.dll/SEARCH.HTML
O8 - Extra context menu item: Alle Bilder von gleichem Server filtern - C:\Programme\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Hervorheben - C:\Programme\Avant Browser\Highlight.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: RF - &Formular speichern - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: RF - &Menü anpassen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RF - Formular ausf&üllen - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RF - RoboForm-&Leiste - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Suchen - C:\Programme\Avant Browser\Search.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Zur Werbebanner-Filterliste hinzufügen - C:\Programme\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Öffne alle Links auf dieser Seite... - C:\Programme\Avant Browser\OpenAllLinks.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ausfüllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: RF - Formular ausf&üllen - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: RF - &Formular speichern - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF - RoboForm-&Leiste - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programme\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Programme\Agnitum\Outpost Firewall 1.0\trash.exe (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Programme\Agnitum\Outpost Firewall 1.0\trash.exe (HKCU)
O12 - Plugin for .pdf: C:\Programme\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.1und1.com/b1redirect
O15 - Trusted Zone: http://mailtausch.6to6.de
O15 - Trusted Zone: http://v4.windowsupdatemicrosoft.com
O18 - Filter: text/html - {FED57C32-58B4-4C32-81E4-D08C1CEE4915} - C:\Dokumente und Einstellungen\Schimpf\Lokale Einstellungen\Anwendungsdaten\microsoft\internet explorer\V0.26.dat
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Systemereignisbenachrichtigung - Unknown - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung - Unknown - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

Hallo,

Zitat:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe

Wie hast du dir diese Malware denn installiert?

Was wurde von eScan beanstandet und wie hast du es gelöscht?

Hallo,

Die Malware kenn ich auch nicht...
In letzter Zeit surf ich auf Hyip Seiten, und hab's mit vielen Passwörtern zu tun...
E-scan hat in letzter Zeit immer wieder 14 infected Dateien gefunden. Aber
sobald ich sie über die Logfiles löschte (im abges. Modus) sind sie auch wiedererschienen. (Löschen hat anscheinend keine Wirkung)

Soll ich F2 - REG fixieren?

Ja, aber hellsehen kann ich leider noch nicht.

Also poste doch mal zur Aufklärung meinerseits, die Funde (infected sowie tagged) von eScan.

@darquoy

guckst du hier
http://www.sophos.de/virusinfo/analyses/w32agobots.html

und hab's mit vielen Passwörtern zu tun...
E-scan hat in letzter Zeit immer wieder 14 infected Dateien gefunden

da kann man dich nur raten neu aufzusetzen
http://trojaner-board.de/showthread.php?t=12154


sry
chaosman

Zitat:

Zitat von Cidre

Ja, aber hellsehen kann ich leider noch nicht.

Also poste doch mal zur Aufklärung meinerseits, die Funde (infected sowie tagged) von eScan.

Hier nun die "infected" Funde (keine tagged vorhanden)

Sun Jan 30 22:40:06 2005 => File C:\WINDOWS\installer[sla-10026,de].exe infected by "not-a-virus:Porn-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:21 2005 => File C:\WINDOWS\system32\AlxRes.dll.bak infected by "not-a-virus:AdWare.ToolBar.AlexaBar.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:25 2005 => File C:\WINDOWS\system32\bdeinsta25.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac10.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac24.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:55 2005 => File C:\WINDOWS\system32\fzbvohju.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:57 2005 => File C:\WINDOWS\system32\hghfpxua.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:59 2005 => File C:\WINDOWS\system32\hrpihiri.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:41:29 2005 => File C:\WINDOWS\system32\msdlupd.dll infected by "TrojanDownloader.Win32.Dyfuca.cu" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:00 2005 => File C:\WINDOWS\system32\paqkwavl.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:11 2005 => File C:\WINDOWS\system32\reyezhrv.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:55 2005 => File C:\WINDOWS\system32\xheytpfc.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:08 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\asmfiles.cab infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:39 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\perfectnavUninstall.exe infected by "TrojanDownloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

~edit~ fehlposting ~edit~

Zitat:

Zitat von darquoy

Hier nun die "infected" Funde (keine tagged vorhanden)

Sun Jan 30 22:40:06 2005 => File C:\WINDOWS\installer[sla-10026,de].exe infected by "not-a-virus:Porn-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:21 2005 => File C:\WINDOWS\system32\AlxRes.dll.bak infected by "not-a-virus:AdWare.ToolBar.AlexaBar.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:25 2005 => File C:\WINDOWS\system32\bdeinsta25.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac10.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac24.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:55 2005 => File C:\WINDOWS\system32\fzbvohju.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:57 2005 => File C:\WINDOWS\system32\hghfpxua.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:59 2005 => File C:\WINDOWS\system32\hrpihiri.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:41:29 2005 => File C:\WINDOWS\system32\msdlupd.dll infected by "TrojanDownloader.Win32.Dyfuca.cu" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:00 2005 => File C:\WINDOWS\system32\paqkwavl.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:11 2005 => File C:\WINDOWS\system32\reyezhrv.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:55 2005 => File C:\WINDOWS\system32\xheytpfc.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:08 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\asmfiles.cab infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:39 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\perfectnavUninstall.exe infected by "TrojanDownloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.

Hallo Cidre!
Meinst auch Du, daß es da nichts mehr zu retten gibt?

Zitat:

Zitat von Cidre

Ja, aber hellsehen kann ich leider noch nicht.

Also poste doch mal zur Aufklärung meinerseits, die Funde (infected sowie tagged) von eScan.

Zitat von darquoy
Hier nun die "infected" Funde (keine tagged vorhanden)

Sun Jan 30 22:40:06 2005 => File C:\WINDOWS\installer[sla-10026,de].exe infected by "not-a-virus:Porn-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:21 2005 => File C:\WINDOWS\system32\AlxRes.dll.bak infected by "not-a-virus:AdWare.ToolBar.AlexaBar.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:25 2005 => File C:\WINDOWS\system32\bdeinsta25.dll infected by "not-a-virus:AdWare.Altnet.a" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac10.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:26 2005 => File C:\WINDOWS\system32\BDESac24.dll infected by "not-a-virus:AdWare.BrilliantDigital.3120" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:55 2005 => File C:\WINDOWS\system32\fzbvohju.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:57 2005 => File C:\WINDOWS\system32\hghfpxua.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:40:59 2005 => File C:\WINDOWS\system32\hrpihiri.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:41:29 2005 => File C:\WINDOWS\system32\msdlupd.dll infected by "TrojanDownloader.Win32.Dyfuca.cu" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:00 2005 => File C:\WINDOWS\system32\paqkwavl.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:11 2005 => File C:\WINDOWS\system32\reyezhrv.exe infected by "TrojanDownloader.Win32.Dluca.gen" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:42:55 2005 => File C:\WINDOWS\system32\xheytpfc.exe infected by "TrojanDownloader.Win32.Dluca.ae" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:08 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\asmfiles.cab infected by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.

Sun Jan 30 22:43:39 2005 => File C:\DOKUME~1\\LOKALE~1\Temp\perfectnavUninstall.exe infected by "TrojanDownloader.Win32.Keenval.f" Virus. Action Taken: No Action Taken.