Trojan.WinREG.LowZones.a?

Mr.Icetea · 12.03.2007, 16:00

Hallo,

Da ich grad etwas in Zeitnot bin hier die Kurzfassung meiner Probleme mit meinem Rechner:

- quick launch wird nicht gespeichert und ist nach jedem neustart wieder weg
- desktopanordnung, symbolleisten, sonstige symbole dasselbe
- es werden programme beim hochfahren gestartet, die da nicht sein sollten
--> unter msconfig sind nur 'ctfmon' 'antivir' und 'wlan (netgear)' aufgefuehrt;

Ich habe mit escan einen Virencheck gemacht. Der hat auch einige Eintraege gefunden. Kann mir bitte jemand helfen, und mir sagen welche Eintraege/Programme ich wie entfernen kann.

Vielen Dank im Voraus!!!:aplaus:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Windows XP [Version 5.1.2600]
Fri Mar 02 14:24:56 2007 => *** File C:\Documents and Settings\Laura\UserData\My Documents\My Music\Mozart - Mozart - Pachabel Cannon In D Minor Perfect Version.mp3 having Size Restriction ***. Filesize 5880 kb
Fri Mar 02 14:01:10 2007 => Virus Database Date: 1/26/2007
Fri Mar 02 14:15:24 2007 => Virus Database Date: 3/2/2007
Fri Mar 02 15:03:27 2007 => Virus Database Date: 3/2/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Mar 02 14:18:08 2007 => System found infected with internet spy Commercial KeyLogger (keylog.txt)! Action taken: No Action Taken.
Fri Mar 02 14:18:40 2007 => System found infected with cws.smartsearch Browser Hijacker (C:\WINDOWS\system32\uninstall.exe)! Action taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Fri Mar 02 14:38:42 2007 => File C:\pz.exe infected by "Trojan.WinREG.LowZones.a" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F06AAF7C-EED3-4035-9F32-40EAB9\4CF85FCD-486F-40EB-9A24-D00628 tagged as "not-a-virus:AdWare.Win32.NavExcel.i". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F06AAF7C-EED3-4035-9F32-40EAB9\85F0E07B-1494-4958-AC0D-E8D19F tagged as "not-a-virus:AdWare.Win32.NavExcel.i". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F06AAF7C-EED3-4035-9F32-40EAB9\90F70EFE-621C-4F5C-AF85-DCF6BB tagged as "not-a-virus:AdWare.Win32.NavExcel.i". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F6CAC6C6-3451-4A15-A95D-88A5A4\41111C5D-8F02-432D-AF5A-4A8876 tagged as "not-a-virus:AdWare.Win32.NavExcel.h". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F6CAC6C6-3451-4A15-A95D-88A5A4\4A2E7C09-3DA7-491E-8EC7-EC67A7 tagged as "not-a-virus:AdWare.Win32.NavExcel.h". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F6CAC6C6-3451-4A15-A95D-88A5A4\B5AF1E3C-EEA2-4A57-A0C3-16112C tagged as "not-a-virus:AdWare.Win32.NavExcel.h". Action Taken: No Action Taken.
Fri Mar 02 14:40:21 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc31\Quarantine\F6CAC6C6-3451-4A15-A95D-88A5A4\EAB30F76-37CB-40A8-B11E-646BD9 tagged as "not-a-virus:AdWare.Win32.NavExcel.h". Action Taken: No Action Taken.
Fri Mar 02 14:40:57 2007 => File C:\RECYCLER\S-1-5-21-1780737662-1695083492-1532339732-1007\Dc41\myBar\1.bin\NPMYWAY.DLL tagged as "not-a-virus:AdWare.Win32.MyWay.f". Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Fri Mar 02 14:18:08 2007 => Offending file found: C:\WINDOWS\system32\keylog.txt
Fri Mar 02 14:18:40 2007 => Offending file found: C:\WINDOWS\system32\uninstall.exe
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Fri Mar 02 14:17:50 2007 => Offending Key found: HKLM\Software\magnet !!!
Fri Mar 02 14:18:01 2007 => Offending Key found: HKLM\Software\myway !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 15:58:47, on 12.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Laura\Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.versatel.de/internet-cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ohiou.edu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von Versatel
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Alle Bilder von gleichem Server filtern - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: In neuem Avant Browser öffnen - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Zur Werbebanner-Filterliste hinzufügen - C:\Program Files\Avant Browser\AddToADBlackList.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173446160316
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

undoreal · 13.03.2007, 10:01

Hallo.

In diesem Fall sehe ich keine Bedenken die Scan and Clean Variante von eScan MWAVE zu benutzen da keiner der Einträge ein False-positiv ist.
Also mach doch einfach das Häkchen bei "Scan only" raus und mach den scan nochmal. Ich denke, das ist die einfachste Variante.
Danach solltest du dein System noch mit SSW scannen.

Gruss

Undoreal

Trojan.WinREG.LowZones.a?

Log-Analyse und Auswertung: Trojan.WinREG.LowZones.a?

Trojan.WinREG.LowZones.a?

Trojan.WinREG.LowZones.a?

Ähnliche Themen: Trojan.WinREG.LowZones.a?