LogFile

[Unregistriert]

Hi,

hab auf meinem Desktop eine Security Warnung stehen.
In den Eigenschaften fehlt die Option zum Einstellen des Hintregrundbildes.

Code:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:56, on 24.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\NavNT\vptray.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\rnathchk.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Program Files\Sodt\Rygmip.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\Yahoo!\Messenger\ypager.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\Programme\Microsoft Office\Office\EXCEL.EXE
\Af-ws063\c$\Programme\MySQL-Front\mysqlfront.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\system32\taskmgr.exe
C:\Programme\ACD Systems\ACDSee\5.0\ACDSee5.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\ACD Systems\IDBSvr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\tchoumi.AF_DE\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.media-netcom.de
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINNT\pumba2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINNT\pumba2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zatfljnt] C:\Program Files\Sodt\Rygmip.exe
O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.media-netcom.de
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.61.148.68/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Apache - Unknown owner - C:\Programme\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Programme\HP\e-DiagTools\Service.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NetOp Helper ver. 7.01 (2002169) (NetOp Host for NT Service) - Danware Data A/S - C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

[Ruby]

Hallo Gast,

du hast einen Wurm mit Backdoor-Funktionauf dem System: W32/Raleka-A.
Der Wurm versucht, IRC-Server zu kontaktieren und wartet auf Anweisungen von einem remoten Angreifer:

Beende diesen Prozess im Tasmanager:
C:\Programme\HP\e-DiagTools\service.exe

Lösche den File im abgesicherten Modus:
C:\Programme\HP\e-DiagTools\service.exe


Scanne diese Dateien bei Virustotal und Jotti

C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Programme\NavNT\vptray.exe
C:\Program Files\Sodt\Rygmip.exe
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
.... \Programme\MySQL-Front\mysqlfront.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\IDBSvr.exe
C:\Programme\PSGuard\PSGuard.exe
C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE

Teile uns >>alle Einzel-Scan-Ergebnisse mittels copy&paste<< mit.

[ego79]

update JOBS set Active = 0 where JobID in ( 5, 10, 33, 41, 42, 63, 64, 66, 68, 69, 70);

http://forum.hijackthis.de/showthread.php?t=6008

This is a report processed by VirusTotal on 06/24/2005 at 14:33:48 (CET) after scanning the file "DefWatch.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
This is a report processed by VirusTotal on 06/24/2005 at 14:35:37 (CET) after scanning the file "Rtvscan.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com

--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:37:10 (CET) after scanning the file "VPTray.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:38:37 (CET) after scanning the file "Rygmip.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 TR/DelProx.A
Avira 6.31.0.7 06.24.2005 TR/DelProx.A
BitDefender 7.0 06.24.2005 Trojan.Small.CY
ClamAV devel-20050501 06.24.2005 Trojan.Small-35
DrWeb 4.32b 06.24.2005 Trojan.DownLoader.1389
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 Win32.Dyfuca.B
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 Trojan.Win32.Small.CY
Kaspersky 4.0.2.24 06.24.2005 Trojan.Win32.Small.cy
McAfee 4520 06.23.2005 potentially unwanted program Adware-DFC
NOD32v2 1.1152 06.23.2005 Win32/Small.CY
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 Spyware/Dyfuca
Sybari 7.5.1314 06.24.2005 Win32.Dyfuca.B
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 Trojan/Small.cy
VBA32 3.10.3 06.23.2005 Trojan.Win32.Small.cy



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:41:02 (CET) after scanning the file "MAPISP32.EXE" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:43:33 (CET) after scanning the file "SshClient.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:46:00 (CET) after scanning the file "mysqlfront.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:47:58 (CET) after scanning the file "IDBSvr.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


This is a report processed by VirusTotal on 06/24/2005 at 14:49:59 (CET) after scanning the file "NHOSTSVC.EXE" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.24.2005 no virus found
ClamAV devel-20050501 06.24.2005 no virus found
DrWeb 4.32b 06.24.2005 no virus found
eTrust-Iris 7.1.194.0 06.24.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.24.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.24.2005 no virus found
McAfee 4520 06.23.2005 no virus found
NOD32v2 1.1152 06.23.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.24.2005 no virus found
Sybari 7.5.1314 06.24.2005 no virus found
Symantec 8.0 06.23.2005 no virus found
TheHacker 5.8.2.059 06.24.2005 no virus found
VBA32 3.10.3 06.23.2005 suspected of Unknown.Win32Virus



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com


Datei: DefWatch.exe
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden

Datei: Rtvscan.exe
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: VPTray.exe
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: Rygmip.exe
Status: INFIZIERT/MALWARE
Entdeckte Packprogramme: PETITE

AntiVir TR/DelProx.A gefunden
ArcaVir Trojan.Small.Cy.A gefunden
Avast Win32:Trojano-1035 gefunden
AVG Antivirus Small.P gefunden
BitDefender Trojan.Small.CY gefunden
ClamAV Trojan.Small-35 gefunden
Dr.Web Trojan.DownLoader.1389 gefunden
F-Prot Antivirus W32/Downloader.AAW gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Trojan.Win32.Small.cy gefunden
NOD32 Win32/Small.CY gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Trojan.Win32.Small.cy gefunden


Datei: MAPISP32.EXE
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: SshClient.exe
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: mysqlfront.exe
Status: EVENTUELL INFIZIERT/MALWARE (Es ist verdächtig, dass die Sandbox-Emulation lange dauerte und/oder die Datei gepackt war. Normalerweise sind Programme nicht gepackt und zwingen die Sandbox nicht zu einer langwierigen Emulation. Beachten Sie, dass kein Scanner eine Warnung gegeben hat, d.h. die Datei kann sehr wohl harmlos sein. Wir raten allerdings zur Vorsicht.)
Entdeckte Packprogramme: UPX

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: IDBSvr.exe
Status: OK
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Keine Viren gefunden


Datei: NHOSTSVC.EXE
Status: VIELLEICHT INFIZIERT/MALWARE (Anmerkung: Diese Datei wurde lediglich durch die heuristische Detektion als Malware angezeigt. Die Ergebnisse des Scans werden daher nicht in der Datenbank gespeichert.)
Entdeckte Packprogramme: -

AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
VBA32 Unknown.Win32Virus gefunden (mögliche Variante)

[Ruby]

Haoo ego79

einer fehlt noch:

C:\Programme\PSGuard\PSGuard.exe

bitte nachholen und herzlichen Dank für die super Aufstellungen!

[ego79]

Vielen Dank überhaupt für die super schnelle Hilfe.

Über den PSGuard hatte ich mich schwer gewundert, wie der plötzlich auf meinen Rechner kommt!
Ich hielt es für eine gute Idee, diesen zu entfernen. Das hab ich dann über die Systemsteuerung->Software dann auch gemacht.

Gruss
ego

[ego79]

was ich noch vergessen habe zu sagen:

Beende diesen Prozess im Tasmanager:
C:\Programme\HP\e-DiagTools\service.exe

--> Den Prozess gab es nicht. Nur SERVICES.EXE (der ließ sich aber nicht beenden; ist wohl auch nicht gemeint...)

[Ruby]

@ ego79

es gibt ihn leider schon, nur läßt er sich wahrscheinlich nicht so ohne Weiteres finden.

Lade bitte alle Dateien

C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\Programme\NavNT\vptray.exe
C:\Program Files\Sodt\Rygmip.exe
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
.... \Programme\MySQL-Front\mysqlfront.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\IDBSvr.exe
C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE

zu dieser URL hoch:
-> ST-Adware-Upload

und nur zwei Dateien zu uns:
C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE
.... \Programme\MySQL-Front\mysqlfront.exe
-> Upload malicious software (*)

Meldest du dich, wenn du damit fertig bist?

[ego79]

Hi Ruby,

ok, habe alle Dateien hochgeladen...


Gruss
ego

[Ruby]

Danke @ Ego.

1
Lade den CCleaner runter, setze in alle Kästchen (Windows, Anwendungen und Probleme) ein Häkchen und drücke dann auf "Starte Cleaner".

2
Vergewissere dich, dass du auf deinem Rechner alles siehst: In den Ordneroptionen das Häkchen entfernen bei "geschützte Systemdateien ausblenden" und etwas weiter unten wählt man bei "Versteckte Ordner und Verzeichnisse" den Punkt "Alle Dateien und Ordner anzeigen".

3
Scanne deinen Rechner mit einem Full-System-Scan mit Panda ActiveScan.
Erlaube AktvieX für den Online Scan. Der Scan kann ca 2-3 Stunden dauern. Speichere das Logfile.
Boote deinen Rechner danach neu auf.

4
Vergib eine neue Startseite für den Internet Explorer.
Konfiguriere den IE wie hier empfohlen: Sicherheitseinstellungen!

5
Lass HijackThis laufen
Speichere das Logfile.

-> Poste das Panda Online-Scan Logfile.
-> Poste das neue HJT Logfile.

[ego79]

Hallo Ruby,

leider fehlt mir das LogFile von Panda Active Scan.
Hab das Tool durchlaufen lassen. Er ist auch fertig geworden, aber wenn der Rechner einmal in den Standby Modus fällt, dann macht das Tool scheinbar nicht weiter.

Anbei aber das LogFile von HiJackThis, das ich danach dann gestartet habe:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 09:19:54, on 28.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\Explorer.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Program Files\Sodt\Rygmip.exe
C:\WINNT\system32\internat.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ypager.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Programme\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\rnathchk.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\nokia\multimediaconverter\Nokia_Multimedia_Converter_2_0\MMConverter.exe
C:\Programme\UltraEdit\UEDIT32.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\eclipse\eclipse.exe
C:\WINNT\system32\javaw.exe
C:\Programme\Microsoft Office\Office\EXCEL.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\tchoumi.AF_DE\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://websearchnetwork.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.media-netcom.de
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINNT\pumba2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINNT\pumba2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zatfljnt] C:\Program Files\Sodt\Rygmip.exe
O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\Messenger\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.media-netcom.de
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://213.61.148.68/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = af-de.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = intra.farm,af-de.int,local.mail
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Apache - Unknown owner - C:\Programme\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Programme\HP\e-DiagTools\Service.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NetOp Helper ver. 7.01 (2002169) (NetOp Host for NT Service) - Danware Data A/S - C:\Programme\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Kannst du dazu Aussagen treffen oder soll ich den Panda Active Scan nochmals durchlaufen lassen.

Gruss
ego