Trojaner-Board

Source: Trojaner-Board (https://www.trojaner-board.de/), forum "Mülltonne" (https://www.trojaner-board.de/muelltonne/), thread "Kann bitte jmd. nochmal durchsehen ?" (https://www.trojaner-board.de/55466-bitte-jmd-nochmal-durchsehen.html)

Eve111 06.07.2008 14:45

Can someone please look over this again?

Can someone please look over this again? I ran the scan as instructed and here are both logs, thanks!

1.

Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 06.07.2008 01:30:26
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Maximum heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
System booted in Safe Mode
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:FindNextFileW (219) intercepted, method CodeHijack (method not defined)
Function kernel32.dll:LoadLibraryExW (580) intercepted, method CodeHijack (method not defined)
Function kernel32.dll:MoveFileWithProgressW (611) intercepted, method APICodeHijack.JmpTo[2A2B0759]
Function kernel32.dll:OpenFile (622) intercepted, method APICodeHijack.JmpTo[2A2AEABB]
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrLoadDll (70) intercepted, method APICodeHijack.JmpTo[2A2A94EE]
Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[2A2A88C1]
Function ntdll.dll:NtQueryDirectoryFile (234) intercepted, method APICodeHijack.JmpTo[2A2B1451]
Function ntdll.dll:NtQueryInformationFile (240) intercepted, method APICodeHijack.JmpTo[2A2ACE63]
Function ntdll.dll:NtQuerySystemInformation (263) intercepted, method APICodeHijack.JmpTo[2A2AE565]
Function ntdll.dll:NtReadVirtualMemory (276) intercepted, method APICodeHijack.JmpTo[2A2AE1F6]
Function ntdll.dll:NtVdmControl (359) intercepted, method APICodeHijack.JmpTo[2A2AC0CF]
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method APICodeHijack.JmpTo[2A2ACB64]
Function ntdll.dll:RtlGetNativeSystemInformation (609) intercepted, method APICodeHijack.JmpTo[2A2AE565]
Function ntdll.dll:ZwQueryDirectoryFile (1043) intercepted, method APICodeHijack.JmpTo[2A2B1451]
Function ntdll.dll:ZwQueryInformationFile (1049) intercepted, method APICodeHijack.JmpTo[2A2ACE63]
Function ntdll.dll:ZwQuerySystemInformation (1072) intercepted, method APICodeHijack.JmpTo[2A2AE565]
Function ntdll.dll:ZwReadVirtualMemory (1085) intercepted, method APICodeHijack.JmpTo[2A2AE1F6]
Function ntdll.dll:ZwVdmControl (1168) intercepted, method APICodeHijack.JmpTo[2A2AC0CF]
Function ntdll.dll:ZwWriteVirtualMemory (1178) intercepted, method APICodeHijack.JmpTo[2A2ACB64]
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:CreateProcessWithLogonW (100) intercepted, method APICodeHijack.JmpTo[2A2AA19B]
Function advapi32.dll:RegSetValueExA (507) intercepted, method CodeHijack (method not defined)
Function advapi32.dll:RegSetValueExW (508) intercepted, method CodeHijack (method not defined)
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
Driver communication failure [00000002] - [1]
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
Driver communication failure [00000002] - [1]
2. Scanning memory
Number of processes found: 10
Number of modules loaded: 166
Scanning memory - complete
3. Scanning disks
Direct reading C:\WINDOWS\system32\config\default.LOG
Direct reading C:\WINDOWS\system32\config\SECURITY.LOG
Direct reading C:\WINDOWS\system32\config\SysEvent.Evt
Direct reading C:\WINDOWS\system32\config\SecEvent.Evt
Direct reading C:\WINDOWS\system32\config\AppEvent.Evt
Direct reading C:\WINDOWS\system32\config\DEFAULT
Direct reading C:\WINDOWS\system32\config\SECURITY
Direct reading C:\WINDOWS\system32\config\SYSTEM
Direct reading C:\WINDOWS\system32\config\SAM
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Direct reading C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
Direct reading C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
Direct reading C:\WINDOWS\system32\CatRoot2\edb.log
Direct reading C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
Direct reading C:\WINDOWS\system32\CatRoot2\tmp.edb
File quarantined succesfully (C:\WINDOWS\system32\Objsafe.tlb)
C:\WINDOWS\system32\Objsafe.tlb >>>>> Dialer.EMSAT deleted successfully
File quarantined succesfully (C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf)
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf >>>>> Spy.MyWebSearch deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe)
C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll)
C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar)
C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\webdriver\rdriver.dll)
C:\WINDOWS\wt\webdriver\rdriver.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\rdriver.dll)
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\rdriver.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\WTHost.exe)
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\WTHost.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll)
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtmulti.jar)
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtmulti.jar >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll)
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\WINDOWS\wt\wtvh.dll)
C:\WINDOWS\wt\wtvh.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PlayFirst\Games\checksums\dinerdashhometownhero\game\assets\furniture\barstools\green.anm.checksum)
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PlayFirst\Games\checksums\dinerdashhometownhero\game\assets\furniture\barstools\green.anm.checksum >>>>> Trojan.DelFat deleted successfully
File quarantined succesfully (C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PlayFirst\Games\checksums\dinerdashhometownhero\game\assets\downloads\_default\paperdoll\flo_apron1\apron1_closet.png.checksum)
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PlayFirst\Games\checksums\dinerdashhometownhero\game\assets\downloads\_default\paperdoll\flo_apron1\apron1_closet.png.checksum >>>>> Trojan.DelFat deleted successfully
Direct reading C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Direct reading C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG
Direct reading C:\Dokumente und Einstellungen\NetworkService\ntuser.dat
File quarantined succesfully (C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\ICD4.tmp\f3Setup1.exe)
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\ICD4.tmp\f3Setup1.exe >>>>> AdvWare.Win32.MyWebSearch.aw deleted successfully
C:\Dokumente und Einstellungen\***\Found\FOUND.000\FILE0011.CHK >>> suspicion for Trojan-PSW.Win32.LdPinch.caw ( 0BB6888A 0C9FEBFE 00291905 0027FA96 32768)
File quarantined succesfully (C:\Dokumente und Einstellungen\***\Found\FOUND.000\FILE0011.CHK)
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\ntuser.dat.LOG
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\Cookies\index.dat
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\Lokale Einstellungen\Verlauf\History.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Direct reading C:\Dokumente und Einstellungen\***.ACER-6655572C9F\ntuser.dat
C:\Programme\Zylom Games\Cake Mania Deluxe\cakemania.bak - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (C:\Programme\Zylom Games\Cake Mania Deluxe\cakemania.bak)
C:\Programme\PlayFirst\WordJong\WordJong.exe.bak - PE file with non-standard extension(dangerousness level is 5%)
File quarantined succesfully (C:\Programme\PlayFirst\WordJong\WordJong.exe.bak)
Direct reading C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\change.log
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019246.tlb)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019246.tlb >>>>> Dialer.EMSAT deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019247.exe)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019247.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019248.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019248.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019249.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019249.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019250.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019250.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019251.exe)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019251.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019252.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019252.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019253.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019253.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019254.dll)
C:\System Volume Information\_restore{9DF46C33-6EFC-4C04-8812-88746C783574}\RP1\A0019254.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\wtvh.dll)
C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\wtvh.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll)
C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\WTHost.exe)
C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\WTHost.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\rdriver.dll)
C:\Recycled\Dc3\wt\wtupdates\Webd\4.1.1\files\rdriver.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\webdriver\4.1.1\wtmulti.dll)
C:\Recycled\Dc3\wt\webdriver\4.1.1\wtmulti.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\webdriver\4.1.1\wthost.exe)
C:\Recycled\Dc3\wt\webdriver\4.1.1\wthost.exe >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\webdriver\rdriver.dll)
C:\Recycled\Dc3\wt\webdriver\rdriver.dll >>>>> Spy.WildTangent deleted successfully
File quarantined succesfully (C:\Recycled\Dc3\wt\wtvh.dll)
C:\Recycled\Dc3\wt\wtvh.dll >>>>> Spy.WildTangent deleted successfully
C:\FOUND.013\FILE0069.CHK >>> suspicion for Trojan-Downloader.Win32.Agent.afu ( 0AB58B5E 0B2165D3 001C36F2 001C9BE7 32768)
File quarantined succesfully (C:\FOUND.013\FILE0069.CHK)
File quarantined succesfully (C:\Downloads\SuperGrannyWWSetup-dm[1].exe)
C:\Downloads\SuperGrannyWWSetup-dm[1].exe >>>>> AdvWare.Win32.Trymedia.b deleted successfully
Removing traces of deleted files...
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
>>> C:\Programme\WildTangent\Apps\CDA\CDALogger0402.dll HSC: suspicion for Spy.WindTangent
File quarantined succesfully (C:\Programme\WildTangent\Apps\CDA\CDALogger0402.dll)
>>> C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll HSC: suspicion for Spy.WindTangent
File quarantined succesfully (C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll)
non-standard default prefix in IE: "http://***.burnsrecyclinginc.com/hvplace/rel1.php?id=amb_mypref6_"
Non-standard IE Default prefix: "http://***.burnsrecyclinginc.com/hvplace/rel1.php?id=amb_mypref6_"
>>> D:\autorun.inf HSC: suspicion for hidden autorun (high degree of probability)
File quarantined succesfully (D:\autorun.inf)
>>> D:\Setup.exe HSC: suspicion for hidden autorun D:\autorun.inf [Autorun\Open]
File quarantined succesfully (D:\Setup.exe)
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Alerter (Warndienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: anonymous user access is enabled
>>> Security: Internet Explorer allows ActiveX, not marked as safe
>>> Security: block ActiveX not marked as safe in Internet Explorer
>>> Security: Internet Explorer allows unsigned ActiveX elements
>>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
Checking - complete
9. Troubleshooting wizard
>> Abnormal EXE files association
>> Protocol prefixes are modified
>> Internet Explorer - ActiveX, not marked as safe, are allowed
>> Internet Explorer - signed ActiveX elements are allowed without asking user
>> Internet Explorer -unsigned ActiveX elements are allowed
>> Internet Explorer - automatic queries of ActiveX operating elements are allowed
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 420175, extracted from archives: 243199, malicious software found 33, suspicions - 2
Scanning finished at 06.07.2008 02:30:36
Time of scanning: 01:00:10
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

2.

C:\Dokumente und Einstellungen\***\Found\FOUND.000\FILE0011.CHK;2;Suspicion for Trojan-PSW.Win32.LdPinch.caw ( 0BB6888A 0C9FEBFE 00291905 0027FA96 32768)
C:\Programme\Zylom Games\Cake Mania Deluxe\cakemania.bak;3;PE file with non-standard extension(dangerousness level is 5%)
C:\Programme\PlayFirst\WordJong\WordJong.exe.bak;3;PE file with non-standard extension(dangerousness level is 5%)
C:\FOUND.013\FILE0069.CHK;2;Suspicion for Trojan-Downloader.Win32.Agent.afu ( 0AB58B5E 0B2165D3 001C36F2 001C9BE7 32768)
C:\Programme\WildTangent\Apps\CDA\CDALogger0402.dll;3; HSC: suspicion for Spy.WindTangent
C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll;3; HSC: suspicion for Spy.WindTangent
D:\autorun.inf;3; HSC: suspicion for hidden autorun (high degree of probability)
D:\Setup.exe;3; HSC: suspicion for hidden autorun D:\autorun.inf [Autorun\Open]

-SilverDragon- 13.07.2008 21:36

We have some log file here, but no name of the program it was created with...
Please post a HijackThis log file.

