Servus,

Ich hab seid 1 Woche das Problem dass der Prozess Iexplorer.exe 2mal in meinem Taskmanager aufgeführt wird. Der Prozess lässt sich zwar beenden, aber er taucht sofort wieder auf.
Da ich das Problem schonmal hatte weiß ich das ihr mir hier helfen könnt

Mein Logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:24, on 23.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\styler\Styler.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\Dokumente und Einstellungen\XXX\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Programme\Zango\bin\10.3.74.0\HostIE.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Programme\styler\TB\StylerTB.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Programme\Zango\bin\10.3.74.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [memo site kind that] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grid Blue Memo Site\Mix close.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Programme\Zango\bin\10.3.74.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Programme\Zango\bin\10.3.74.0\ZangoSA.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [plus stop] C:\DOKUME~1\XXX\ANWEND~1\PLAYBI~1\holelog.exe
O4 - HKCU\..\Run: [Steam] "C:\Programme\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Programme\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WeatherDPA] "C:\Programme\Zango\bin\10.3.74.0\Weather.exe" -auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - h**p://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - h**p://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - h**p://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe

--
End of file - 7370 bytes

Hoffe ihr könnt mir wieder Helfen

Hallo.

Zitat:

Da ich das Problem schonmal hatte weiß ich das ihr mir hier helfen könnt

Dann scheinst du nichts daraus gelernt zu haben. Das ist ziemlich dämlich!
Immer schön am saugen.?.

Systembereinigung

• Deaktiviere die Systemwiederherstellung auf allen Laufwerken. Nachdem die Bereinigung KOMPLETT beendet ist kann sie wieder aktiviert werden.
  
• Räume mit cCleaner auf. (Punkt 1 & 2)
  
• Downloade AVZ und speichere es in einen eigenen Ordner auf dem Desktop.
  
• Entpacke es in diesem Ordner und starte die Anwendung durch einen Doppelklick auf die AVZ.exe.
  
• Beende alle anderen Arbeiten am PC und speichere alle offenen Projekte.
  
• Deaktiviere den Wächter/On-Access-Modul (Echtzeit-Scanner) deines AntiViren Programmes und schließe alle AntiViren Programme komplett!
  
  
• Unter File -> Database Update ->Start drücken.
  
• Unter AVZPM -> Install extended monitoring driver drücken.
  
• Unter AVZGuard -> Enable AVZGuard drücken dieser verhindert alle anderen Arbeiten am PC!
  
  
• Im Hauptfenster oben sind verschiedene Reiter. Im Linken kannst du die Search Range einstellen. Mache hier bitte Haken vor alle deine Festplatten.
  
• Im Reiter daneben kannst du die File Types einstellen. Wähle hier bitte All files.
  
• Im Reiter ganz rechts kannst du die Search parameters einstellen. Schiebe den Regler der Heuristic Analysis bitte nach ganz oben und setzte den Haken bei Extended analysis. Alles weitere bleibt wie es ist!
  
• Dann setzte rechts im Hauptfenster unter Actions den Haken bei Perform healing und danach unbedingt auch den Haken bei Copy deletet files to "infected" Folder. Sonst werden keine Backups erstellt!

Die letzten Einstellungen werden nochmal in folgendem Bild zusammengefasst. Gleiche sie bitte genau mit deinen Einstellungen ab!

• Nun starte den Scan bitte durch Drücken des Start Buttons.
  
  
• Nachdem der Scan beendet ist klicke auf den Disketten Speicher-Button und speichere das log im AVZ Ordner auf dem Desktop.
  Danach klicke auf die Brille darunter. Es öffnet sich ein Fenster bei dem unten rechts bitte auf Save as CSV klickst und die Datei ebenfalls im AVZ Ordner abspeicherst.

• Die beiden logs hänge bitte an deinen nächsten Post an.
  
  
• Deaktiviere den AVZGuard: Im Hauptfenster unter AVZGuard -> Disable AVZGuard.

Systemanalyse

• Deaktiviere die Systemwiederherstellung auf allen Laufwerken. Nachdem die Bereinigung KOMPLETT beendet ist kann sie wieder aktiviert werden.
  
• Räume mit cCleaner auf. (Punkt 1 & 2)
  
• Deaktiviere den Wächter/On-Access-Modul (Echtzeit-Scanner) deines AntiViren Programmes und schließe alle AntiViren Programme komplett!
  
• Downloade AVZ und speichere es in einen eigenen Ordner auf dem Desktop.
  
• Entpacke es in diesem Ordner und starte die Anwendung durch einen Doppelklick auf die AVZ.exe.
  
• Unter File -> Database Update Start drücken.
  
• Während des Scans sollte der Rechner weiterhin Verbindung mit dem Internet haben.
  
• Unter File -> System Analys, die Option Attach System Analysis log to ZIP anhaken und Start drücken. Wähle als Speicherort den von dir erstellten AVZ-Ordner.
  
• Nachdem der Scan beendet ist lade die avz_sysinfo.zip bei Rapidshare hoch und poste den Download-Link.

Gut hab alles gemacht wie beschreiben hier die Daten.

1. FIle
C:\Dokumente und Einstellungen\Sunny\Eigene Dateien\Eigene Musik\Justin Timberlake (Ayo Technology)\My Love.wma;2;Suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Microsoft\Messenger\ostberlinsunny@hotmail.de\Sharing Folders\annybunny89@aol.com\My Love.wma;2;Suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
C:\Programme\DivX\DivX Converter\dpil100.dll;2;Suspicion for AdvWare.Win32.NewWeb.i ( 00707F72 00000000 001AEEF2 001AFFE8 61440)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007453.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007742.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP82\A0013788.dll;2;Suspicion for AdvWare.Win32.HotBar.ck ( 00726555 0A820A7D 0026B41E 00250531 140552)
C:\WINDOWS\$NtServicePackUninstall$\format.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINDOWS\$NtServicePackUninstall$\more.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINDOWS\$NtServicePackUninstall$\tree.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\WINDOWS\Installer\80499.msi;2;Suspicion for AdvWare.Win32.Vapsup.bsz ( 0054695C 08CD5FC5 001E0EE1 001DE996 81920)
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wa001352.htm;3;PE file with non-standard extension(dangerousness level is 5%)
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wc001296.htm;3;PE file with non-standard extension(dangerousness level is 5%)
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\ws001270.htm;3;PE file with non-standard extension(dangerousness level is 5%)
F:\Program Files (x86)\Azureus\plugins\azemp\azmplay.exe.bak;3;PE file with non-standard extension(dangerousness level is 5%)
F:\Users\Sunny\Music\Justin Timberlake (Ayo Technology)\My Love.wma;2;Suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
F:\Windows\System32\chcp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\diskcomp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\diskcopy.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\format.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\mode.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\more.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\System32\tree.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\chcp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\diskcomp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\diskcopy.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\format.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\mode.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\more.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\SysWOW64\tree.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcomp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcopy.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_8070bc3a456bf33b\format.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\chcp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\mode.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\more.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\tree.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcomp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcopy.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_245220b68d0e8205\format.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\chcp.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\mode.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\more.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\tree.com;3;PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
C:\Programme\Spyware Doctor\smumhook.dll;5;Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\hnetcfg.dll;5;Suspicion for Keylogger or Trojan DLL
C:\autorun.inf;3; HSC: suspicion for hidden autorun (high degree of probability)

2. File
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 23.08.2008 15:11:03
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Maximum heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:LoadLibraryExW (583) intercepted, method CodeHijack (method not defined)
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtCreateSection (137) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtTerminateProcess (348) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateSection (947) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwTerminateProcess (1157) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteVirtualMemory (1178) intercepted, method CodeHijack (method not defined)
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.4 Searching for masking processes and drivers
Searching for masking processes and drivers - complete
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89E531F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 89E531F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 38
Analyzer: process under analysis is 684 C:\WINDOWS\system32\winlogon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1872 C:\WINDOWS\system32\RUNDLL32.EXE
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1880 C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1940 C:\Programme\iTunes\iTunesHelper.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1976 C:\WINDOWS\system32\ctfmon.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 392 C:\Programme\DAEMON Tools Lite\daemon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1188 C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
Analyzer: process under analysis is 1256 C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 1432 C:\WINDOWS\system32\libusbd-nt.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1696 C:\WINDOWS\System32\nvsvc32.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1548 C:\WINDOWS\system32\PnkBstrA.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1788 C:\Programme\Spyware Doctor\pctsAuxs.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1928 C:\Programme\Spyware Doctor\pctsSvc.exe
[ES]:Contains network functionality
[ES]:Capable of sending mail ?!
[ES]:Application has no visible windows
Analyzer: process under analysis is 2676 C:\Programme\iPod\bin\iPodService.exe
[ES]:Application has no visible windows
Analyzer: process under analysis is 2824 C:\Programme\styler\Styler.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer: process under analysis is 1588 C:\Programme\Mozilla Firefox\firefox.exe
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2596 C:\WINDOWS\system32\wisptis.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Number of modules loaded: 361
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
Direct reading C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
Direct reading C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat
Direct reading C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT
Direct reading C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\cert8.db
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\content-prefs.sqlite
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\cookies.sqlite
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\downloads.sqlite
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\formhistory.sqlite
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\key3.db
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\places.sqlite
Direct reading C:\Dokumente und Einstellungen\Sunny\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\places.sqlite-stmtjrnl
Direct reading C:\Dokumente und Einstellungen\Sunny\Cookies\index.dat
C:\Dokumente und Einstellungen\Sunny\Eigene Dateien\Eigene Musik\Justin Timberlake (Ayo Technology)\My Love.wma >>> suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Microsoft\Messenger\ostberlinsunny@hotmail.de\Sharing Folders\annybunny89@aol.com\My Love.wma >>> suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
File quarantined succesfully (C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Microsoft\Messenger\ostberlinsunny@hotmail.de\Sharing Folders\annybunny89@aol.com\My Love.wma)
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\Cache\_CACHE_001_
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\Cache\_CACHE_002_
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\Cache\_CACHE_003_
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\7ze1nhoz.default\Cache\_CACHE_MAP_
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\Sunny\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\Sunny\NTUSER.DAT
C:\Programme\DivX\DivX Converter\dpil100.dll >>> suspicion for AdvWare.Win32.NewWeb.i ( 00707F72 00000000 001AEEF2 001AFFE8 61440)
File quarantined succesfully (C:\Programme\DivX\DivX Converter\dpil100.dll)
File quarantined succesfully (C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll)
C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll >>>>> AdvWare.Win32.Shopper.v deleted successfully
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007453.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007453.com)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007742.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP45\A0007742.com)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP82\A0013788.dll >>> suspicion for AdvWare.Win32.HotBar.ck ( 00726555 0A820A7D 0026B41E 00250531 140552)
File quarantined succesfully (C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP82\A0013788.dll)
File quarantined succesfully (C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP87\A0015075.dll)
C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP87\A0015075.dll >>>>> AdvWare.Win32.Shopper.v deleted successfully
Direct reading C:\System Volume Information\_restore{8E70AB04-C59D-4B7D-9C75-BA047F46333A}\RP87\change.log
C:\WINDOWS\$NtServicePackUninstall$\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\format.com)
C:\WINDOWS\$NtServicePackUninstall$\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\more.com)
C:\WINDOWS\$NtServicePackUninstall$\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (C:\WINDOWS\$NtServicePackUninstall$\tree.com)
C:\WINDOWS\Installer\80499.msi/{MS-OLE}/\76 >>> suspicion for AdvWare.Win32.Vapsup.bsz ( 0054695C 08CD5FC5 001E0EE1 001DE996 81920)
File quarantined succesfully (C:\WINDOWS\Installer\80499.msi)
Direct reading C:\WINDOWS\SchedLgU.Txt
Direct reading C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Direct reading C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb
Direct reading C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
Direct reading C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Direct reading C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading C:\WINDOWS\system32\config\default
Direct reading C:\WINDOWS\system32\config\Internet.evt
Direct reading C:\WINDOWS\system32\config\SAM
Direct reading C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading C:\WINDOWS\system32\config\SECURITY
Direct reading C:\WINDOWS\system32\config\software
Direct reading C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading C:\WINDOWS\system32\config\system
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Direct reading C:\WINDOWS\WindowsUpdate.log
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wa001352.htm - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wa001352.htm)
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wc001296.htm - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\wc001296.htm)
F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\ws001270.htm - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (F:\Program Files\Ubisoft\Tom Clancy's Rainbow Six Vegas 2\KellerGame\pb\dll\ws001270.htm)
F:\Program Files (x86)\Azureus\plugins\azemp\azmplay.exe.bak - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (F:\Program Files (x86)\Azureus\plugins\azemp\azmplay.exe.bak)
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DF170B.tmp
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DF42B2.tmp
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DF7D56.tmp
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DF99A0.tmp
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DFAE5C.tmp
Direct reading F:\Users\Sunny\AppData\Local\Temp\~DFD654.tmp
F:\Users\Sunny\Music\Justin Timberlake (Ayo Technology)\My Love.wma >>> suspicion for Trojan-Downloader.Win32.Small.deo ( 00724FE4 0DD0851A 001C427F 001ED00D 512000)
File quarantined succesfully (F:\Users\Sunny\Music\Justin Timberlake (Ayo Technology)\My Love.wma)
F:\Windows\System32\chcp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\chcp.com)
F:\Windows\System32\diskcomp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\diskcomp.com)
F:\Windows\System32\diskcopy.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\diskcopy.com)
F:\Windows\System32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\format.com)
F:\Windows\System32\mode.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\mode.com)
F:\Windows\System32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\more.com)
F:\Windows\System32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\System32\tree.com)
F:\Windows\SysWOW64\chcp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\chcp.com)
F:\Windows\SysWOW64\diskcomp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\diskcomp.com)
F:\Windows\SysWOW64\diskcopy.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\diskcopy.com)
F:\Windows\SysWOW64\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\format.com)
F:\Windows\SysWOW64\mode.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\mode.com)
F:\Windows\SysWOW64\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\more.com)
F:\Windows\SysWOW64\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\SysWOW64\tree.com)
F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcomp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcomp.com)
F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcopy.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_3368babd30a0a3dd\diskcopy.com)
F:\Windows\winsxs\amd64_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_8070bc3a456bf33b\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_8070bc3a456bf33b\format.com)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\chcp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\chcp.com)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\mode.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\mode.com)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\more.com)
F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_d704c72f22c6f4dd\tree.com)
F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcomp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcomp.com)
F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcopy.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.0.6000.16386_none_d74a1f39784332a7\diskcopy.com)
F:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_245220b68d0e8205\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.0.6000.16386_none_245220b68d0e8205\format.com)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\chcp.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\chcp.com)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\mode.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\mode.com)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\more.com)
F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(dangerousness level is 35%)
File quarantined succesfully (F:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.0.6000.16386_none_7ae62bab6a6983a7\tree.com)
Removing traces of deleted files...
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Spyware Doctor\smumhook.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Spyware Doctor\smumhook.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
C:\WINDOWS\system32\hnetcfg.dll --> Suspicion for Keylogger or Trojan DLL
C:\WINDOWS\system32\hnetcfg.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs

rest hat nich gepasst kommt im nächsten^^

6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
>>> C:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
File quarantined succesfully (C:\autorun.inf)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry ()
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: TlntSvr ()
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 273727, extracted from archives: 134028, malicious software found 2, suspicions - 6
Scanning finished at 23.08.2008 15:39:20
Time of scanning: 00:28:18

Und hier der link von Rapidshare

http://rapidshare.com/files/139503054/avz_sysinfo.zip.html

Ich hatte in der Anleitung nicht um sonst geschrieben:

Zitat:

Die beiden logs hänge bitte an deinen nächsten Post an.

1. Hast du das log gepostet und nicht angehängt. So wird es sehr unübersichtlich weil es zu lang für einen Post ist.
2. Fehlt das log der in Quarantäne gestellten Dateien. Das hänge bitte auch noch an.

Zitat:

Danach klicke auf die Brille darunter. Es öffnet sich ein Fenster bei dem unten rechts bitte auf Save as CSV klickst und die Datei ebenfalls im AVZ Ordner abspeicherst.

CSV Datei kann er nich hochladen und die txt Datei ist zu groß ... deswegen hatte ich das so gemacht.

Ah so. Na dann entschuldige ich mich!

Kannst du damit trotzdem was anfangen ??
oder soll ich irgendwas anderes machen ??

Führe bitte folgendes Skript mit AVZ aus (File -> Custom Skript):

Zitat:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes');
TerminateProcessByName('c:\windows\system32\pnkbstra.exe');
TerminateProcessByName('c:\programme\windows live\messenger\msnmsgr.exe');
TerminateProcessByName('c:\programme\internet explorer\iexplore.exe');
QuarantineFile('PDRFRAME.sys','');
QuarantineFile('PDRELI.sys','');
QuarantineFile('PDFRAME.sys','');
QuarantineFile('PDCOMP.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\mchInjDrv.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\KCOM.SYS','');
DeleteFile('C:\Programme\Messenger Plus! Live\Detoured.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\lame_enc.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\libsndfile.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\MsgPlusLive.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\MsgPlusLiveRes.dll');
BC_DeleteFile('sprw.sys');
BC_DeleteFile('C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys');
BC_DeleteFile('C:\WINDOWS\System32\Drivers\PxHelp20.sys');
BC_DeleteFile('C:\DOKUME~1\Sunny\LOKALE~1\Temp\asbp2poa.sys');
DeleteFile('C:\DOKUME~1\Sunny\ANWEND~1\PLAYBI~1\holelog.exe');
DeleteFile('C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grid Blue Memo Site\Mix close.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\OEAddOn.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\Weather.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\ZangoSA.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\HostIE.dll');
DeleteFile('C:\Programme\styler\TB\StylerTB.dll');
DeleteFile('c:\dokume~1\sunny\anwend~1\playbi~1\CURB FOUR CAMP.exe');
DeleteFile('C:\Programme\Norton Security Scan\Nss.exe');
DeleteFolder('C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grid Blue Memo Site');
DeleteFolder('C:\Programme\Zango');
DeleteFolder('C:\DOKUME~1\XXX\ANWEND~1\PLAYBI~1');
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.

Der Rechner startet dabei neu!


Dateien Online überprüfen lassen:


* Lasse dir auch die versteckten Dateien anzeigen!

* Suche die Seite Virtustotal auf. Kopiere folgenden Dateipfad per copy and paste in das Eingabefeld neben dem "Durchsuchen"-Button. Klicke danach auf "Senden der Datei"!

* Alternativ kannst du dir die Datei natürlich auch über den "Durchsuchen"-Button selbst heraussuchen.

Zitat:

C:\Programme\styler\unrar\unrar.dll
C:\Programme\styler\Styler.exe

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
* Sollte die Datei bereits analysiert worden sein so lasse sie unbedingt trotzdem nocheinmal analysieren!
* Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.


Du hast so dermaßen viel Messenger Schrott auf dem Rechner das es echt schwer fällt da durch zu steigen. Grade bei einer solchen Kompromitierung. Mache also bitte folgendes:

Deinstalliere alle Messenger! Besonders die Windows Live, Uno, Plus und wie auch immer. Vergiss nicht, dir vorher deine Zugansdaten zu notieren!
Deinstalliere den SpywareDoctor.
Räume mit CCleaner auf. (Punkt 1&2)

Poste danach bitte ein frisches HijackThis und AVZ log.

Beim Ausführen des Scriptes kommt ein Fehler und zwar.

Error: Undeclared identifier. 'Delete Folder' at Position 33:13

Mist sry.

Hier das neue Skript:

Code: Alles auswählenAufklappen

ATTFilter

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes');
TerminateProcessByName('c:\windows\system32\pnkbst ra.exe');
TerminateProcessByName('c:\programme\windows live\messenger\msnmsgr.exe');
TerminateProcessByName('c:\programme\internet explorer\iexplore.exe');
QuarantineFile('PDRFRAME.sys','');
QuarantineFile('PDRELI.sys','');
QuarantineFile('PDFRAME.sys','');
QuarantineFile('PDCOMP.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\mchInj Drv.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\KCOM.S YS','');
DeleteFile('C:\Programme\Messenger Plus! Live\Detoured.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\lame_enc.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\libsndfile.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\MsgPlusLive.dll');
DeleteFile('C:\Programme\Messenger Plus! Live\MsgPlusLiveRes.dll');
BC_DeleteFile('sprw.sys');
BC_DeleteFile('C:\WINDOWS\system32\Drivers\GEARAsp iWDM.sys');
BC_DeleteFile('C:\WINDOWS\System32\Drivers\PxHelp2 0.sys');
BC_DeleteFile('C:\DOKUME~1\Sunny\LOKALE~1\Temp\asb p2poa.sys');
DeleteFile('C:\DOKUME~1\Sunny\ANWEND~1\PLAYBI~1\ho lelog.exe');
DeleteFile('C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grid Blue Memo Site\Mix close.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\OEAdd On.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\Weath er.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\Zango SA.exe');
DeleteFile('C:\Programme\Zango\bin\10.3.74.0\HostI E.dll');
DeleteFile('C:\Programme\styler\TB\StylerTB.dll');
DeleteFile('c:\dokume~1\sunny\anwend~1\playbi~1\CU RB FOUR CAMP.exe');
DeleteFile('C:\Programme\Norton Security Scan\Nss.exe');
DeleteDirectory('C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grid Blue Memo Site');
DeleteDirectory('C:\Programme\Zango');
DeleteDirectory('C:\DOKUME~1\XXX\ANWEND~1\PLAYBI~1');
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.
         

So da bin ich wieder tut mir leid das es solange gedauerd hat aber ich war im Urlaub^^

hier die beiden Logs:

Anhang 2652

Anhang 2653

Das sieht gut aus. Hast du noch Probleme?

Nunja soweit läuft alles gut , danke für deine Hilfe
das einzigste was ich noch hab ist
das ich 2 mal iexplorer.exe offen habe obwohl ich selber nicht
im internet bin bzw ... den iexlporer aufgemacht habe ^^

surfe ja nur mit mozilla