Adware NaviPromo - InstantAccess

next: BFU --> process naviprom_bfu

next: apply Black Light

Black Light

09/19/06 18:19:16 [Info]: Hidden process: C:\windows\system32\xskqiz.exe
09/19/06 18:21:24 [Info]: Hidden file: c:\WINDOWS\system32\xskqiz.dat
09/19/06 18:21:25 [Info]: Hidden file: C:\windows\system32\xskqiz.exe
09/19/06 18:21:25 [Info]: Hidden file: c:\WINDOWS\system32\xskqiz_nav.dat
09/19/06 18:21:25 [Info]: Hidden file: c:\WINDOWS\system32\xskqiz_navps.dat

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMLIB2.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMLIB_1034.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMLIB_1035.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1039.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1042.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1044.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1045.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1046.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGCOMSERVICE_1048.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGDHTML_1020.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/EGDial.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/eglivecam.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ia.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IEAccess2.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/netia32.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/objsafe.tlb

C:\System Volume Information\_restore{525C47E3-BEEC-48D1-9D1A-801A5E50CCB0}\RP19\A0011530.exe -> Spyware.NaviPromo

C:\WINDOWS\system32\msclock32.dll

next: datfindbat

Verzeichnis von C:\WINNT\system32

11.11.2005 11:09 826 mzgxbrncls_navps.dat
11.11.2005 11:09 5.271 mzgxbrncls.dat
11.11.2005 08:32 20.992 msclock32.dll
09.11.2005 16:30 65.528 mzgxbrncls_nav.dat
02.11.2005 11:08 67.584 EGDACCESS_1069.dll
01.11.2005 15:31 240.180 mzgxbrncls.exe
21.10.2005 09:19 67.584 EGDACCESS_1068.dll

next: HijackThis

O4 - HKLM\..\Run: [mzgxbrncls] c:\winnt\system32\mzgxbrncls.exe -start
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1069.dll,InstantAccess
O4 - HKCU\..\Run: [MailSkinner] c:\programme\mailskinner\mailskinner.exe
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1064.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1026_EN.cab

next, quote: I have the problem that I have a dialer program in msclock32. If I delete the file with Antivir, the whole network including the firewall stops working. But the following error message appears every 30 seconds on my desktop and is really annoying. Only when I click "Allow access" and "Leave file" is it possible for me to get online at all.

C:\WINDOWS\SYSTEM32\MSCLOCK32.DLL

Enthält Signatur eines kostenverursachenden Einwahlprogrammes DIAL/302248 (Dialer)

rundll32.exe EGDACCESS_1063.dll,InstantAccess (RUN)
EGDACCESS_1063.cab (Downloaded Program Files)
EGDACCESS_1062.cab (Downloaded Program Files)
EGDACCESS_1063_ASPIV4.cab (Downloaded Program Files)

next: CleanUp

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\FBAE6UO8\EGDACCESS_1068_XP[1].cab[EGDACCES

next: Start -- Run -- regedit

HKEY_CURRENT_USER\SOFTWARE\EGDHTML
HKU\S-1-5-21-1645522239-1614895754-682003330-1003\Software\EGDHTML
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH

C:\WINDOWS\system32\EGDACCESS.dll
C:\WINDOWS\system32\EGDACCESS_1068.dll
C:\windows\system32\cndbhmu.exe
C:\WINDOWS\system32\msclock32.dll
C:\Programme\mailskinner\mailskinner.exe
C:\Programme\mailskinner
C:\Programme\InstantAccess
C:\winnt\system32\mzgxbrncls.exe
c:\winnt\system32\mzgxbrncls.exe
C:\WINNT\system32\mzgxbrncls_navps.dat
C:\WINNT\system32\mzgxbrncls.dat
C:\WINNT\system32\msclock32.dll
C:\WINNT\system32\mzgxbrncls_nav.dat
C:\WINNT\system32\EGDACCESS_1069.dll
C:\WINNT\system32\mzgxbrncls.exe
C:\WINNT\system32\EGDACCESS_1068.dll
C:\WINDOWS\system32\EGAUTH
C:\WINDOWS\system32\EGDACCESS

next: HijackThis

O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM\..\Run: [inbslrwt] c:\winnt\system32\inbslrwt.exe -start
O4 - HKLM\..\Run: [sbhqpc] c:\windows\system32\sbhqpc.exe -start
O4 - HKCU\..\Run: [MailSkinner] c:\programme\mailskinner\mailskinner.exe

next: datfindbat

Verzeichnis von C:\WINNT\system32

11.11.2005 11:09 826 mzgxbrncls_navps.dat
11.11.2005 11:09 5.271 mzgxbrncls.dat
11.11.2005 08:32 20.992 msclock32.dll
09.11.2005 16:30 65.528 mzgxbrncls_nav.dat
02.11.2005 11:08 67.584 EGDACCESS_1069.dll
01.11.2005 15:31 240.180 mzgxbrncls.exe
21.10.2005 09:19 67.584 EGDACCESS_1068.dll

Verzeichnis von C:\WINNT

11.11.2005 08:36 11 NetWare.INI
11.11.2005 08:36 2.777 TOBIT.INI

next: HijackThis

O4 - HKLM\..\Run: [mzgxbrncls] c:\winnt\system32\mzgxbrncls.exe -start
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1069.dll,InstantAccess
O4 - HKCU\..\Run: [MailSkinner] c:\programme\mailskinner\mailskinner.exe
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069.cab

next: datfindbat

F:\WINDOWS

19/07/2005 20:52 0 bcnajst.exe

F:\WINDOWS\system32

02/11/2005 17:04 2 550 Uninstall.ico
02/11/2005 17:04 1 406 Help.ico
02/11/2005 17:04 1 718 Open.ico
02/11/2005 17:04 1 406 AddQuit.ico
02/11/2005 17:04 5 350 IE.ico
02/11/2005 17:04 9 470 Desktop.ico
02/11/2005 17:04 1 718 Quick.ico
02/11/2005 15:36 20 992 msclock32.dll
19/07/2005 20:50 0 82h0groh.html

next: HijackThis

O4 - HKLM\..\Run: [cndbhmu] f:\windows\system32\cndbhmu.exe -start

F:\WINDOWS\system32\msclock32.dll
F:\WINDOWS\system32\82h0groh.html
F:\WINDOWS\bcnajst.exe

Checked file cndbhmu.exe
Filesize: 236084 Bytes

next: Kaspersky Anti-Virus online scan - AdWare.NaviPromo.g found

next: NOD32 - Win32/Adware.NaviPromo application found

next: Panda online scan

Adware:adware/navipromo No disinfected C:\WINNT\SYSTEM32\wkxteisob_nav.dat
Adware:adware/ist.istbar No disinfected C:\WINNT\SYSTEM32\mscache.sys
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\fgrinjwbtv_nav.dat
C:\WINDOWS\SYSTEM32\jxyvhokfg_nav.dat

HKU\S-1-5-21-1645522239-1614895754-682003330-1003\Software\EGDHTML -> Dialer.Generic

C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup

c:\program files\mailskinner
c:\program files\InstantAccess
C:\WINDOWS\dxsetu.exe
C:\WINDOWS\system32\EGAUTH
C:\WINDOWS\system32\EGDACCESS
C:\WINDOWS\tmlpcert2005

next: Panda online scan

Adware:adware/navipromo C:\WINDOWS\simcss
Dialer:dialer.b C:\WINDOWS\tmlpcert2005
Dialer:Dialer.Gen C:\WINDOWS\Downloaded Program Files\SexeQualite.exe
Dialer:Dialer.Gen C:\WINDOWS\Downloaded Program Files\xxxhard.exe
Dialer:Dialer.Gen C:\WINDOWS\Downloaded Program Files\CONFLICT.1\xxxhard.exe
Dialer:Dialer.Gen C:\WINDOWS\Downloaded Program Files\CONFLICT.2\xxxhard.exe

C:\System Volume Information\_restore{7D5CE0DA-D4E0-4587-A242-A0D581FF9B59}\RP178\A0023023.dll

next: HijackThis

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnappm.exe

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\jxyvhokfg_nav.dat
Adware:Adware/NaviPromo No disinfected C:\WINDOWS\system32\msclock32.dll
Adware:Adware/NaviPromo No disinfected C:\WINDOWS\system32\msplock32.dll

C:\WINDOWS\gltdwif.exe
C:\WINDOWS\tqz.exe
C:\WINDOWS\system32\msclock32.dll
c:\windows\system32\jxyvhokfg.exe
C:\WINDOWS\SYSTEM32\jxyvhokfg_nav.dat
C:\WINDOWS\system32\gah95on6.exe

C:\WINDOWS\system32\C2MP\4bitrate.exe
C:\WINDOWS\system32\C2MP\FilterManager.exe
C:\WINDOWS\system32\C2MP\MiniCalc.exe
C:\WINDOWS\system32\C2MP\OGMCalc.exe
C:\WINDOWS\system32\C2MP\StatsReader.exe
C:\Apps\sst\closeAll.exe

next: Start -- Run -- regedit

HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2
HKEY_CLASSES_ROOT\EGCOMLIB2.EGComLibrary2.1
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A02780C3-7F77-4E28-855B-28890F3CF37A}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{B843DA96-2B2D-447E-90AB-B92929AA11AF}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDHTML.EGDialHTML.1
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGHTMLDialer.HTMLDialer.1
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\EGDialObject.EGDial.1
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{62BFAEC2-82A5-4117-A98B-FEA89413D924}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Interface\{81C2F7F3-F930-455E-9AA5-0876D387C787}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{7699AEF9-F83A-44FA-B374-AA02CEDF247D}
HKEY_USERS\.DEFAULT\Software\EGDHTML

C:\WINDOWS\access.exe
C:\WINDOWS\system32\EGDHTML_xxxx.dll
C:\WINDOWS\system32\p2esocks_xxxx.dll
C:\WINDOWS\system32\eghtmldialer.dll
C:\WINDOWS\access.exe
C:\WINDOWS\system32\EGDHTML_xxxx.dll
C:\WINDOWS\system32\eghtmldialer.dll
C:\WINDOWS\system32\p2esocks_xxxx.dll
C:\WINDOWS\eg_auth_1041.dll


HKEY_CLASSES_ROOT\egdhtml.egdialhtml
HKEY_CLASSES_ROOT\egdhtml.egdialhtml.1
HKEY_CLASSES_ROOT\egdialobject.egdial
HKEY_CLASSES_ROOT\eghtmldialer.htmldialer
HKEY_CLASSES_ROOT\eghtmldialer.htmldialer.1
HKEY_CLASSES_ROOT\P2ECOM.EGP2ECOM
HKEY_CLASSES_ROOT\P2ECOM.EGP2ECOM.1
HKEY_CLASSES_ROOT\EGAUTH.EGEGAUTH
HKEY_CLASSES_ROOT\EGAUTH.EGEGAUTH.1
HKEY_CLASSES_ROOT\EGCOMSERVICE.EGComSvc.1
HKEY_CLASSES_ROOT\EGCOMSERVICE.EGComSvc
HKEY_LOCAL_MACHINE\04
HKEY_CLASSES_ROOT\CLSID\{6AA93DF6-6757-4338-9087-F7601DE18402}
HKEY_CLASSES_ROOT\CLSID\{54C75FB0-6B8B-4278-BF7B-77036F15A69E}
HKEY_CLASSES_ROOT\TypeLib\{F3A257E6-FA04-4B30-A1B6-6B89EB814544}
HKEY_CLASSES_ROOT\Interface\{C13FA88A-D264-4BC8-92ED-52EB8181E209}
HKEY_CLASSES_ROOT\CLSID\{D7B59209-0ED9-4986-BD4A-527BE836C6B2}
HKEY_CLASSES_ROOT\TypeLib\{AD9B275B-E42D-4C7F-9FFB-29B5FB81688B}
HKEY_CLASSES_ROOT\Interface\{F8ACA5A0-060A-478A-8368-1407780D2251}
HKEY_CLASSES_ROOT\CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}
HKEY_CLASSES_ROOT\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}
HKEY_CLASSES_ROOT\TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}
HKEY_CLASSES_ROOT\CLSID\{50AD557E-3426-41FD-AFDD-2AF39BB1C387}
HKEY_CLASSES_ROOT\CLSID\{0594AF7E-573B-40DF-8165-E47AB2EAEFE8}
HKEY_CLASSES_ROOT\Interface\{3947AC1D-DB09-4353-BBCC-55B97F5035EF}
HKEY_CLASSES_ROOT\Interface\{A58F3D09-4543-4396-8BE7-105F14DD6ED5}
HKEY_CLASSES_ROOT\TypeLib\{0E594D22-ACE6-43A2-BCDA-BB7C65D3FE8C}
HKEY_CLASSES_ROOT\CLSID\{EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1}
HKEY_CLASSES_ROOT\CLSID\{1EB17D1C-141D-4D9D-91CB-24D99215851D}
HKEY_CLASSES_ROOT\CLSID\{469C7080-8EC8-43A6-AD97-45848113743C}
HKEY_CLASSES_ROOT\CLSID\{CEFB7B49-9652-464F-8AFD-A577C0500F39}
HKEY_CLASSES_ROOT\Interface\{2E30AC01-99D7-4E9C-B13E-94E1701B0AC9}
HKEY_CLASSES_ROOT\TypeLib\{E8C88115-4951-425B-8C45-4DFC5A5540EE}
HKEY_CLASSES_ROOT\Interface\{8F0A06F6-DF4D-4D54-B8CA-E8EEDBAE6DDB}
HKEY_CURRENT_USER\Software\livesvc
HKEY_CURRENT_USER\Software\EGDHTML
HKEY_CURRENT_USER\Software\egroup

next: Ewido Antispyware

HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CLSID -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CLSID\\ -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CurVer -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH.1 -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH.1\CLSID\\ -> Dialer.Generic : Gesäubert mit Backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/IELoader.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/EGAUTH.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/system32/netslv32.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access -> Dialer.Generic : Gesäubert mit Backup
HKU\S-1-5-21-1708537768-706699826-839522115-1001\Software\EGDHTM

next: datfindbat

Verzeichnis von C:\WINNT\system32

11.11.2005 11:09 826 mzgxbrncls_navps.dat
11.11.2005 11:09 5.271 mzgxbrncls.dat
11.11.2005 08:32 20.992 msclock32.dll
09.11.2005 16:30 65.528 mzgxbrncls_nav.dat
02.11.2005 11:08 67.584 EGDACCESS_1069.dll
01.11.2005 15:31 240.180 mzgxbrncls.exe
21.10.2005 09:19 67.584 EGDACCESS_1068.dll

Verzeichnis von C:\WINNT

11.11.2005 08:36 11 NetWare.INI
11.11.2005 08:36 2.777 TOBIT.INI

C:\programme\mailskinner\mailskinner.exe
C:\winnt\system32\mzgxbrncls.exe
c:\winnt\system32\mzgxbrncls.exe
C:\WINNT\system32\mzgxbrncls_navps.dat
C:\WINNT\system32\mzgxbrncls.dat
C:\WINNT\system32\msclock32.dll
C:\WINNT\system32\mzgxbrncls_nav.dat
C:\WINNT\system32\EGDACCESS_1069.dll
C:\WINNT\system32\mzgxbrncls.exe
C:\WINNT\system32\EGDACCESS_1068.dll

next: HijackThis

O4 - HKLM\..\Run: [mzgxbrncls] c:\winnt\system32\mzgxbrncls.exe -start
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1069.dll,InstantAccess
O4 - HKCU\..\Run: [MailSkinner] c:\programme\mailskinner\mailskinner.exe
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1064.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068.cab
O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1069.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN.cab
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1046_EN_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN.cab

Same PC:

Verzeichnis von C:\WINNT\system32

14.11.2005 14:24 331 qlgnbrsoz_navps.dat
14.11.2005 14:24 3.939 qlgnbrsoz.dat
14.11.2005 09:11 20.992 msclock32.dll
14.11.2005 09:01 2.550 Uninstall.ico
14.11.2005 09:01 1.406 Help.ico
14.11.2005 09:01 1.718 Open.ico
14.11.2005 09:01 1.406 AddQuit.ico
14.11.2005 09:01 5.350 IE.ico
14.11.2005 09:01 9.470 Desktop.ico
14.11.2005 09:01 1.718 Quick.ico
14.11.2005 08:23 65.528 qlgnbrsoz_nav.dat
14.11.2005 08:23 240.180 qlgnbrsoz.exe

Verzeichnis von C:\WINNT

14.11.2005 10:44 43 GSWIN32.INI
14.11.2005 09:15 11 NetWare.INI
14.11.2005 09:13 2.777 TOBIT.INI
14.11.2005 09:10 489.418 WindowsUpdate.log

C:\winnt\system32\qlgnbrsoz.exe
C:\WINNT\system32\ntvdm.exe

next: HijackThis

O4 - HKLM\..\Run: [qlgnbrsoz] c:\winnt\system32\qlgnbrsoz.exe -start
O16 - DPF: {D8B94E9A-A34B-4253-BF48-C7CB7F2CFDB0} - http://scripts.downloadv3.com/binaries/P2EClient/EGAUTH_1046_EN_XP.cab

C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5\ATGVMV0B\sysinetsvc32_EN_XP[1].cab/sysinetsvc32.dll -> Dialer.Generic

next: delete:

C:\WINNT\system32\qlgnbrsoz_navps.dat
C:\WINNT\system32\qlgnbrsoz.dat
C:\WINNT\system32\msclock32.dll
C:\WINNT\system32\Uninstall.ico
C:\WINNT\system32\Help.ico
C:\WINNT\system32\Open.ico
C:\WINNT\system32\AddQuit.ico
C:\WINNT\system32\IE.ico
C:\WINNT\system32\Desktop.ico
C:\WINNT\system32\Quick.ico
C:\WINNT\system32\EGAUTH_1068.dll
C:\WINNT\system32\EGAUTH_1069.dll
C:\WINNT\system32\EGAUTH_1046.dll
C:\WINNT\Downloaded Program Files\sysinetsvc32.dll
C:\WINNT\Downloaded Program Files\netslv32.dll
C:\WINNT\Downloaded Program Files\IELoader.dll
C:\WINNT\system32\EGAUTH.dll
C:\WINNT\system32\netslv32.dll
C:\WINNT\system32\qlgnbrsoz_nav.dat
C:\WINNT\system32\sysinetsvc32.dll
C:\WINNT\system32\qlgnbrsoz.exe

next: Panda online scan

Dialer:Dialer.DNZ No disinfected C:\!KillBox\EGDACCESS_1068.dll
Dialer:Dialer.B No disinfected C:\!KillBox\EGDACCESS_1069.dll
Possible Virus. No disinfected C:\!KillBox\mailskinner\MailSkinner.exe
Possible Virus. No disinfected C:\Programme\MailSkinner\MailSkinner.exe
Adware:adware/navipromo No disinfected C:\WINNT\system32\msegcompid.dll

C:\WINDOWS\system32\sysinetsvc32.dll tagged as "not-a-virus:Porn-Dialer.Win32.InstantAccess.e"
C:\WINDOWS\system32\dhtmlexe.exe infected by "Trojan.Win32.Dialer.eg"

next: HijackThis

O4 - HKLM\..\Run: [tqpufsybd] c:\windows\system32\tqpufsybd.exe -start
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/...svc32_EN_XP.cab

C:\windows\system32\tqpufsybd.exe
C:\Program Files\blcorp\WCCSC\RegOpt\RegManServ.exe

C:\WINDOWS\system32\EGDACCESS.dll
C:\WINDOWS\system32\EGDACCESS_1061.dll
C:\WINDOWS\system32\EGDACCESS_1063.dll
C:\WINDOWS\system32\EGDACCESS_1064.dll
C:\WINDOWS\system32\EGDACCESS_1068.dll
C:\WINDOWS\system32\EGDACCESS_ASPIV4_1063a.dll
C:\WINDOWS\system32\EGDACCESS_ASPIV4_1068.dll
C:\WINDOWS\system32\sysinetsvc32.dll
C:\WINDOWS\system32\EGDACCESS_1068.dll

next: HijackThis

O16 - DPF: {0DA910BC-6919-489E-B584-D9A4AAC7B8DE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_ASPIV4_XP.cab
O16 - DPF: {624321F1-0581-49D8-99BD-2E952C2DF31B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_ASPIV4_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_FR_XP.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\PROGRA~1\BT2Net\BT2PLU~1.DLL (file missing)

next: WinPFind

UPX! 9/30/2005 11:45:18 AM 10240 C:\WINDOWS\SYSTEM32\sysinetsvc32.dll
UPX! 10/17/2005 10:51:50 AM 20992 C:\WINDOWS\SYSTEM32\msclock32.dll

69.59.186.63 10/17/2005 10:51:56 AM 133120 C:\WINDOWS\SYSTEM32\kqefe.dll
209.66.67.134 10/17/2005 10:51:56 AM 133120 C:\WINDOWS\SYSTEM32\kqefe.dll
web-nex 10/17/2005 10:51:56 AM 133120 C:\WINDOWS\SYSTEM32\kqefe.dll
winsync 10/17/2005 10:51:56 AM 133120 C:\WINDOWS\SYSTEM32\kqefe.dll

69.59.186.63 10/17/2005 10:51:52 AM 181760 C:\WINDOWS\SYSTEM32\lxrirkc.dll
209.66.67.134 10/17/2005 10:51:52 AM 181760 C:\WINDOWS\SYSTEM32\lxrirkc.dll
web-nex 10/17/2005 10:51:52 AM 181760 C:\WINDOWS\SYSTEM32\lxrirkc.dll
winsync 10/17/2005 10:51:52 AM 181760 C:\WINDOWS\SYSTEM32\lxrirkc.dll

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

10/17/2005 9:09:24 PM S 2048 C:\WINDOWS\bootstat.dat
10/17/2005 9:06:54 PM H 57 C:\WINDOWS\p6Jrc
10/17/2005 11:02:10 AM H 54156 C:\WINDOWS\QTFont.qfn

cwpuqdeoak C:\!Submit\cwpuqdeoak.exe -start
winsync C:\WINDOWS\system32\dgpapn.exe reg_run

HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CLSID -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CLSID\\ -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH\CurVer -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH.1 -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\EGAUTH.EGEGAUTH.1\CLSID\\ -> Dialer.Generic : Gesäubert mit Backup

next: datfindbat

C:\WINNT\system32\

04.12.2005 09:58 20.992 msclock32.dll
04.12.2005 09:58 6.599 fjkayvsz.dat
04.12.2005 09:52 948 fjkayvsz_navps.dat
22.11.2005 09:15 66.468 fjkayvsz_nav.dat
03.11.2005 21:27 20.992 msplock32.dll
03.11.2005 21:27 240.180 fjkayvsz.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Instant Access rundll32.exe EGDACCESS_1069.dll,InstantAccess

Adware:adware/navipromo

C:\WINDOWS\system32\mcrspgtvya_navps.dat
C:\WINDOWS\system32\mcrspgtvya.exe
C:\WINDOWS\system32\msclock32.dll
C:\WINDOWS\system32\msplock32.dll

C:\System Volume Information\_restore{335C7D9B-97A8-4E11-8B5D-228E69AE2588}\RP198\A0079695.dll -> Spyware.NaviPromo

next: HijackThis

O4 - HKCU\..\Run: [Instant Access] rundll32.exe p2esocks_1024.dll,InstantAccess

C:\WINDOWS\system32\p2esocks_1022.dll infected by "Trojan.Win32.P2E.ai" Virus.
C:\WINDOWS\system32\p2esocks_1024.dll infected by "Trojan.Win32.P2E.al" Virus
File C:\WINDOWS\system32\EGAUTH.dll infected by "Trojan.Win32.P2E.al" Virus

%programfilesdir%\Instant Access\DialPass
%programfilesdir%\Instant Access\Dialer\Exe
%programfilesdir%\Instant Access\Center
%programfilesdir%\Instant Access\Multi\Exe
%programfilesdir%\Instant Access\Multi

%systemdir%\egcomlib*.dll
\011145.exe
egcomlib_pack.inf
%startmenudir%\instant access.lnk
%windir%\access.exe
EGDHTML_****.dll
%systemdir%\p2esocks_****.dll
%systemdir%\eghtmldialer.dll
EGDIAL.dll
mseggrpid.dll
ExeDialer.exe
%programfilesdir%\Instant Access\Center\FunFunFun.lnk
%programfilesdir%\Instant Access\Center\NoCreditCard.lnk
FunFunFun.lnk
FunFunFun.lnk
NoCreditCard.lnk
%commondesktopdir%\NoCreditCard.lnk
Instant-Access.exe
%commondesktopdir%\Instant-Access.exe
%systemdir%\ia.dll
egcomservice_****.dll
egcomservice2.dll
%windir%\Downloaded Program Files\Netslv32.inf
ieaccess2.inf
Netslv32.dll
%systemdir%\Netslv32.dll
%startmenudir%\NoCreditCard.lnk
%systemdir%\LiveService_*.dll
%systemdir%\mservice.dll
svcsysnet32.dll
%systemdir%\sysnetsvc32.dll
EGDACCESS_****.dll
%windir%\eg_auth_mut**.dll
eg_auth_****.dll
EGCOMLIB_****.dll
%systemdir%\p2esocks_****.dll
%systemdir%\ieaccess2.dll

%systemdir%/netslv32.dll
%windir%/Downloaded Program Files/Netslv32.dll

EGDHTML_[number].dll (Where [number] is a four-digit version number.)
EGDIAL.dll
Instant Access.exe
show_module.php
show_module.php_0.loginvis
ncc.ico
ExeDialer.exe
FunFunFun.lnk
mseggrpid.dl
EGCOMLIB2.dll

C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common
C:\Program Files\Instant Access\Center\Exe\[yyyymmddhhmmss]\img

C:\WINDOWS\system32\EGDHTML_[number].dll (Where [number] is a four-digit version number.)
C:\WINDOWS\system32\EGDIAL.dll
C:\WINDOWS\system32\mseggrpid.dl
C:\WINDOWS\ExeDialer.exe

C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Instant Access.exe
C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common\show_module.php
C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\Common\show_module.php_0.loginvis
C:\Program Files\Instant Access\Dialer\Exe\[yyyymmddhhmmss]\img\ncc.ico
C:\Program Files\Instant Access\Center\FunFunFun.lnk
virus-protect.org