Pests of all kinds and their removal: TR/Agent.BI
17.05.2005, 15:13 | #1
Eliminating trojan TR/Agent.BI... asking for help

Hello everyone, I am having problems with the trojan TR/Agent.BI and have already tried various anti-virus and anti-trojan programs to eliminate it. None was successful, not even after several runs in safe mode. Now I have recorded a logfile with HijackThis. I am not exactly technically well versed in these things, but I hope you can help me anyway and that there is a solution to wipe out this vermin!? Regards, Stefan ....

Logfile of HijackThis v1.99.1
Scan saved at 16:12:53, on 17.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\ntjq.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\Programme\Messenger\msmsgs.exe
C:\DOKUME~1\PC1\LOKALE~1\Temp\Rar$EX00.266\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shxez.dll/sp.html#45052
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {87842630-AA24-E369-2329-D8F2628A7285} - C:\WINDOWS\system32\d3cl.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Programme\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Programme\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ntjq.exe] C:\WINDOWS\ntjq.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunOnce: [crxs.exe] C:\WINDOWS\crxs.exe
O4 - HKLM\..\RunOnce: [sdkww.exe] C:\WINDOWS\system32\sdkww.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .bmp: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.223 - http://195.49.173.219:8002/Java/cfs31223.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...etaStream3.cab
O16 - DPF: {103DFAE7-50CC-41FC-9D57-1A4BCA0DFD87} (Upload Control) - https://img.web.de/v/mail/mms/active...pload_1111.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {14F65762-96FB-44B9-8DAC-93845F377A0E} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1628af739eaa110...dxIE601_de.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/mail/mms/activex/upload_1118.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B74EF5B9-CFF8-462A-A6EF-8732FCCE00C9}: NameServer = 217.237.151.225 217.237.150.225
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - - (no file)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe

Last edited by sheyne (17.05.2005 at 15:27)
18.05.2005, 09:10 | #2
TR/Agent.BI

Hi,

Things are rattling quite a bit there; I don't think Agent BI is your only problem... Before we start any major cleanup here, do the following first: have the files

C:\WINDOWS\ntjq.exe
C:\WINDOWS\system32\d3cl.dll
C:\WINDOWS\crxs.exe
C:\WINDOWS\system32\sdkww.exe

scanned online at Jotti and post all the results in here. Then we'll see. I'd also like to know which of your AV programs found the trojan, and where. I also suspect your system is a bit slow, since two scanners running at the same time often get in each other's way and slow the system down.

cacatoa
18.05.2005, 15:48 | #3
TR/Agent.BI

Okay, first the results of the scanned files...

=========================================================
Datei: ntjq.exe
Status: INFIZIERT/MALWARE (Anmerkung: diese Datei wurde bereits vorher gescannt. Die Scanergebnisse werden daher nicht in der Datenbank gespeichert.)
Entdeckte Packprogramme: -
AntiVir TR/Dldr.Agent.BQ gefunden
Avast Win32:Trojano-1311 gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Trojan.Click.395 gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet W32/Agent.BQ-tr gefunden
Kaspersky Anti-Virus Trojan-Downloader.Win32.Agent.bq gefunden
mks_vir Trojan.Downloader.Agent.Bq gefunden
NOD32 Win32/TrojanDownloader.Agent.BQ gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Trojan-Downloader.Win32.Agent.bq gefunden
=========================================================
Datei: d3cl.dll
Status: INFIZIERT/MALWARE
Entdeckte Packprogramme: PE-CRYPT.SQR, UPX
AntiVir TR/Dldr.Agent.bc.7 gefunden
Avast Win32:Trojano-1305 gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Trojan.Feat.2 gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Trojan-Downloader.Win32.Agent.bc gefunden
mks_vir Trojan.Downloader.Agent.Bc gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Trojan.Feat.2 gefunden
=========================================================
The file crxs.exe is not in the Windows directory!
=========================================================
The file sdkww.exe is no longer in the System32 directory either.
=========================================================

So, I had run Spybot, Norton, Ad-Aware and AntiVir beforehand. Viruses and trojans were found almost everywhere on the disk. At the moment only the AntiVir on-access scanner keeps constantly reporting various infected (mostly *.exe) files in the Windows and System32 directories. What should I do now?
18.05.2005, 16:31 | #4
TR/Agent.BI

@sheyne scan your system with eScan to get an overall picture http://www.trojaner-board.de/showthread.php?t=17492 post the results as described, then we'll see what else gets found. The scan takes quite a while, so don't be surprised if it runs for over 1 hour. chaosman

Bonus vir semper tiro
20.05.2005, 14:20 | #5
TR/Agent.BI

It did indeed take a while, but here are the results! What is the next step? Stefan

=======================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu May 19 17:36:33 2005 => File C:\WINDOWS\javanj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 17:36:42 2005 => File C:\WINDOWS\ntjq.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
Thu May 19 17:36:42 2005 => File C:\WINDOWS\system32\ieup32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
Thu May 19 17:38:22 2005 => File C:\WINDOWS\apioc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
Thu May 19 17:38:59 2005 => File C:\WINDOWS\system32\d3cl.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 17:39:24 2005 => File C:\WINDOWS\system32\ipmz.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 18:00:07 2005 => File C:\Dokumente und Einstellungen\PC1\Lokale Einstellungen\Anwendungsdaten\Microsoft\Internet Explorer\V0.26.dat infected by "Trojan.Win32.Dialer.fy" Virus! Action Taken: No Action Taken.
Thu May 19 18:04:59 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Thu May 19 18:15:35 2005 => File C:\Programme\Norton AntiVirus\Quarantine\02A129BA.tmp infected by "Email-Worm.Win32.Mydoom.j" Virus! Action Taken: No Action Taken.
Thu May 19 18:15:35 2005 => File C:\Programme\Norton AntiVirus\Quarantine\04044311.tmp infected by "Email-Worm.Win32.Mydoom.j" Virus! Action Taken: No Action Taken.
Thu May 19 18:15:36 2005 => File C:\Programme\Norton AntiVirus\Quarantine\07871050.tmp infected by "Email-Worm.Win32.Mydoom.j" Virus! Action Taken: No Action Taken.
Thu May 19 18:26:55 2005 => File C:\WINDOWS\apioc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus! Action Taken: No Action Taken.
Thu May 19 18:45:12 2005 => File C:\WINDOWS\system32\d3cl.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 18:47:36 2005 => File C:\WINDOWS\system32\ipmz.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 18:54:13 2005 => File D:\Programme\Norton AntiVirus\Quarantine\20151B0C.VIR infected by "Email-Worm.Win32.Tanatos.a" Virus! Action Taken: No Action Taken.
Thu May 19 18:54:13 2005 => File D:\Programme\Norton AntiVirus\Quarantine\20184509.htm infected by "Trojan.JS.Seeker-based" Virus! Action Taken: No Action Taken.
Thu May 19 18:54:13 2005 => File D:\Programme\Norton AntiVirus\Quarantine\20184509.VIR infected by "Email-Worm.Win32.Tanatos.a" Virus! Action Taken: No Action Taken.
Thu May 19 18:54:13 2005 => File D:\Programme\Norton AntiVirus\Quarantine\201F1902.VIR infected by "Email-Worm.Win32.Tanatos.a" Virus! Action Taken: No Action Taken.
Thu May 19 19:15:01 2005 => File D:\WINNT\Temporary Internet Files\Content.IE5\SPTOE4OS\at[1].gif infected by "Exploit.JS.ActiveXComponent" Virus! Action Taken: No Action Taken.
Thu May 19 19:18:49 2005 => File D:\WINNT\system32\frmouoj.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus! Action Taken: No Action Taken.
Thu May 19 19:26:19 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu May 19 17:38:30 2005 => File C:\WINDOWS\NDNuninstall4_94.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
Thu May 19 17:41:44 2005 => File C:\DOKUME~1\PC1\LOKALE~1\Temp\upd2A.tmp tagged as "not-a-virus:AdWare.MediaPops.b". Action Taken: No Action Taken.
Thu May 19 17:59:22 2005 => File C:\Dokumente und Einstellungen\PC1\Eigene Dateien\Meine empfangenen Dateien\vnc-3.3.7-x86_win32.exe tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
Thu May 19 18:00:41 2005 => File C:\Dokumente und Einstellungen\PC1\Lokale Einstellungen\Temp\upd2A.tmp tagged as "not-a-virus:AdWare.MediaPops.b". Action Taken: No Action Taken.
Thu May 19 18:01:58 2005 => File C:\mIRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.03. No Action Taken.
Thu May 19 18:08:58 2005 => File C:\Programme\KFH\cl\dating.exe tagged as not-a-virus:RiskWare.Dialer.gen. No Action Taken.
Thu May 19 18:14:22 2005 => File C:\Programme\MLH\dating.exe tagged as not-a-virus:RiskWare.Dialer.gen. No Action Taken.
Thu May 19 18:15:45 2005 => File C:\Programme\Norton AntiVirus\Quarantine\6FCC6467.exe tagged as "not-a-virus:AdWare.BrilliantDigital.1100". Action Taken: No Action Taken.
Thu May 19 18:16:26 2005 => File C:\Programme\RealVNC\WinVNC\othread2.dll tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
Thu May 19 18:16:26 2005 => File C:\Programme\RealVNC\WinVNC\vnchooks.dll tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
Thu May 19 18:16:27 2005 => File C:\Programme\RealVNC\WinVNC\winvnc.exe tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
Thu May 19 18:33:37 2005 => File C:\WINDOWS\NDNuninstall4_94.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
Thu May 19 18:53:08 2005 => File D:\Downloads\ntdrv302a.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Thu May 19 18:53:14 2005 => File D:\Downloads\getright\getrt42c.exe tagged as "not-a-virus:AdWare.Aureate". Action Taken: No Action Taken.
Thu May 19 19:10:22 2005 => File D:\Programme\KFH\cl\dating.exe tagged as not-a-virus:RiskWare.Dialer.gen. No Action Taken.
Thu May 19 19:14:01 2005 => File D:\WINNT\LS2SSUN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Thu May 19 19:18:22 2005 => File D:\WINNT\Temp\Adware\kazaa_336.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
Thu May 19 19:18:38 2005 => File D:\WINNT\system32\Deutschland-uninstall.exe tagged as "not-a-virus:Porn-Dialer.Win32.Frelex". Action Taken: No Action Taken.
Thu May 19 19:18:46 2005 => File D:\WINNT\system32\Fantasy Access-uninstall.exe tagged as "not-a-virus:Porn-Dialer.Win32.Generic". Action Taken: No Action Taken.
Thu May 19 19:18:51 2005 => File D:\WINNT\system32\HCW848UN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Thu May 19 19:19:06 2005 => File D:\WINNT\system32\mbho.dll tagged as "not-a-virus:AdWare.WurldMedia.a". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu May 19 19:26:19 2005 => Total Virus(es) Found: 116
Thu May 19 19:26:19 2005 => Total Errors: 109
Thu May 19 19:26:19 2005 => Time Elapsed: 01:50:01
Thu May 19 19:26:19 2005 => Total Objects Scanned: 87789
Thu May 19 17:35:36 2005 => Virus Database Date: 2005/05/19
Thu May 19 19:26:19 2005 => Virus Database Date: 2005/05/19
Fri May 20 15:09:42 2005 => Virus Database Date: 2005/05/19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~
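An added helper, not part of the thread and not from eScan or Find.bat, that parses lines in the format of the log above and separates infections still in place from hits inside an older scanner's quarantine folder, which make up a large share of the 116 findings, then lists the dialer files the helper later asks to keep as evidence. The regexes and the quarantine-folder rule are my own assumptions; the sample lines are a constructed subset of the log.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the eScan/Find.bat line format, a subset of the kinds
# of entries in the log in post #5 (not all 116 findings).
SAMPLE_LOG = r"""
Thu May 19 17:36:33 2005 => File C:\WINDOWS\javanj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus! Action Taken: No Action Taken.
Thu May 19 17:36:42 2005 => File C:\WINDOWS\system32\ieup32.exe infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
Thu May 19 18:04:59 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Thu May 19 18:15:35 2005 => File C:\Programme\Norton AntiVirus\Quarantine\02A129BA.tmp infected by "Email-Worm.Win32.Mydoom.j" Virus! Action Taken: No Action Taken.
Thu May 19 18:15:37 2005 => File C:\Programme\Norton AntiVirus\Quarantine\10D937D7.VIR infected by "Trojan.Win32.Agent.bi" Virus! Action Taken: No Action Taken.
Thu May 19 18:08:58 2005 => File C:\Programme\KFH\cl\dating.exe tagged as not-a-virus:RiskWare.Dialer.gen. No Action Taken.
Thu May 19 18:16:27 2005 => File C:\Programme\RealVNC\WinVNC\winvnc.exe tagged as not-a-virus:RiskWare.RemoteAdmin.WinVNC-based.c. No Action Taken.
Thu May 19 19:18:38 2005 => File D:\WINNT\system32\Deutschland-uninstall.exe tagged as "not-a-virus:Porn-Dialer.Win32.Frelex". Action Taken: No Action Taken.
Thu May 19 19:26:19 2005 => Total Virus(es) Found: 116
"""

# Timestamp prefix shared by every line, e.g. "Thu May 19 17:36:33 2005 => " (my regex).
TS = r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} => "
RE_INFECTED = re.compile(TS + r'File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')
# The "tagged as" name is sometimes quoted and sometimes bare, always followed by ". ".
RE_TAGGED = re.compile(TS + r'File (?P<path>.+?) tagged as "?(?P<name>[^\s"]+?)"?\. ')
# Folders where a hit is a leftover of an earlier scanner's quarantine, not a live file
# (assumed names: Norton's Quarantine folder and AntiVir's INFECTED folder, both in the log).
QUARANTINE_MARKERS = ("\\QUARANTINE\\", "\\INFECTED\\")


@dataclass(frozen=True)
class Hit:
    path: str
    name: str

    @property
    def quarantined(self) -> bool:
        return any(marker in self.path.upper() for marker in QUARANTINE_MARKERS)

    @property
    def is_dialer(self) -> bool:
        return "dialer" in self.name.lower()


@dataclass
class Summary:
    live: list = field(default_factory=list)         # infected files still in place
    quarantined: list = field(default_factory=list)  # infected files inside a quarantine folder
    riskware: list = field(default_factory=list)     # "tagged as not-a-virus" entries

    def live_families(self) -> Counter:
        """Detection names of the live hits, with counts."""
        return Counter(h.name for h in self.live)

    def dialers(self) -> list:
        """Riskware entries whose detection name marks them as a dialer."""
        return [h for h in self.riskware if h.is_dialer]


def summarize(log_text: str) -> Summary:
    s = Summary()
    for line in log_text.splitlines():
        if m := RE_INFECTED.match(line):
            hit = Hit(m["path"], m["name"])
            (s.quarantined if hit.quarantined else s.live).append(hit)
        elif m := RE_TAGGED.match(line):
            s.riskware.append(Hit(m["path"], m["name"]))
    return s


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"live infections: {len(s.live)}, quarantine leftovers: {len(s.quarantined)}, "
          f"riskware: {len(s.riskware)}")
    for name, n in s.live_families().items():
        print(f"  {name}: {n}")
    print("dialer files to preserve as evidence:")
    for h in s.dialers():
        print(f"  {h.path}  ({h.name})")
```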
20.05.2005, 14:38 | #6
TR/Agent.BI

Oh dear, that box is really rattling! Just a very dumb question: where does the last logfile come from? Not from Jotti, surely? Why does it say thanks to Cidre and Haui at the bottom ???
20.05.2005, 14:51 | #7
TR/Agent.BI

@sheyne what I already feared, http://www.sophos.de/virusinfo/analy...ojagentde.html because of this backdoor alone I can only advise you to reinstall your system from scratch. Beforehand, back up the dialer files as evidence against high phone bills. Here is a guide to reinstalling http://www.trojaner-board.de/showthread.php?t=12154 sry chaosman

Bonus vir semper tiro
20.05.2005, 14:52 | #8
TR/Agent.BI

Hi, I proceeded exactly as described in the linked thread, checked my system with eScan and then posted the expected logfile here! It says "Dank an Haui...." because I created the logfile from eScan with the help of Find.bat... So, that's it from my side, what can I do now? Stefan
20.05.2005, 14:56 | #9
TR/Agent.BI

Oops, that doesn't sound good at all!!:-( Luckily I use DSL, so I probably don't have to expect an inflated phone bill. Is there really nothing one can do apart from reinstalling? Stefan
20.05.2005, 15:03 | #10
TR/Agent.BI

@sheyne no, it is a backdoor, please read the link very carefully. There is nothing else one can recommend to you there. sry chaosman

Bonus vir semper tiro