Trojaner-Board


csaba2699 24.06.2005 19:12

xcdsrv.exe, what on earth is that?
 
Hello experts,
Since googling didn't help, I'm turning to you.
ZoneAlarm reports the following warning:
A changed program is trying to access the Internet
destination IP and port 9876
xcdsrv.exe :snyper:

What could this be?
Regards, caba

Cidre 24.06.2005 19:19

Hello,

this file suggests active malware.
Check these files at http://virusscan.jotti.org/de and post the result.

csaba2699 24.06.2005 22:10

I think I have to format the hard drive... the search for the file was unsuccessful...

So, the following... the option for the exe file was unsuccessful.
In the folder there are only 2 text files... however, the password I use to log in here with you was in one of the text files, along with everything I wrote... like a keylogger.
Should I delete this folder?

#:12 [xcdsrv.exe]
FilePath : C:\WINDOWS\system32\bkn\
ProcessID : 1596
ThreadCreationTime : 24.06.2005 18:23:20
BasePriority : Normal
FileVersion :
ProductVersion :
ProductName :
CompanyName :
FileDescription :
InternalName :
LegalCopyright :
LegalTrademarks :
OriginalFilename :
Comments

Alexa Object Recognized!
Type : RegValue

Cidre 24.06.2005 22:16

That looks anything but good...
A fresh reinstall would make the most sense and I would also advise you to do it, but let's first continue analyzing your system.

Scan with eScan AntiVirus in safe mode and post the Virus Log Information.

csaba2699 24.06.2005 22:44

Until MicroWorld is finished, I'll post what is in the 2 editors; I only deleted the password.
Regards
PS: great site you have there... you're already in my Firefox favorites :-)

First text editor:
<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>T35 Hosting: Page Not Found</title>
<script type='text/javascript' src='http://demo.t35.com/pop.js'></script>
<!-- BEGIN: AdSolution-Tag 4.2: Global-Code [PLACE IN HTML-HEAD-AREA!] --> <script type="text/javascript" language="javascript"
src="http://a.as-us.falkag.net/dat/dlv/aslmain.js"></script>
<!-- END: AdSolution-Tag 4.2: Global-Code -->
<!-- BEGIN: AdSolution-Website-Tag 4.2 : T35 / Commercial Break OnClick NextPage --> <script language="javascript" type="text/javascript"> Ads_kid=0;Ads_bid=0;Ads_xl=0;Ads_yl=0;Ads_xp='';Ads_yp='';Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_wrd='[KeyWord]';Ads_prf='';Ads_par='';Ads_cnturl='';Ads_sec=0;Ads_channels='';
</script>
<script type="text/javascript" language="javascript"
src="http://a.as-us.falkag.net/dat/cjf/00/08/81/57.js"></script>
<!-- END:AdSolution-Tag 4.2 -->


<body>

</body>

</html>

Second text editor:

[e][e][20:00:32][Caption: Mozilla Firefox Startseite - Mozilla Firefox]

xcd
srv
.exe{ENTER}
{BACK}{BACK}{BACK}{BACK}
{ENTER}
csaba2699{TAB}

{TAB}
duschbad
{CTRL}{ALT}@sms.at
duschbad{CTRL}{ALT}{CTRL}{ALT}{CTRL}{ALT}{CTRL}{ALT}@sms.a
tF
3MXT
2
, was ist das denn?
Z
onealarm meldet fol
gende w
arnnung{BACK}{BACK}{BACK}{BACK}ung
{UP ARR}Hallo experte
n
{ENTER}Da ich
in der {BACK}{BACK}{BACK}{BACK}{BACK}
{BACK}{BACK}na{BACK}{BACK}{BACK}{BACK}{BACK}
{BACK}googeln nix nutzte
wende mich an euch


{ENTER}
{BACK}E
{ENTER}
Geänderte
s programm
versucht auf
da sinternet zuzug
reifen
{BACK}{R ARR}
{BACK}n
{ENTER}Ziel IP
80
.186
{BACK}
{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}
ziel IP und das Port
9876
{ENTER}{ENTER}was kö
nnte das sein?
und expertinnen
{DWN ARR}
{ENTER}
mfg{ENTER}[e][e][20:11:07][Caption: Trojaner-Board - Neues Thema erstellen - Mozilla Firefox]

{ENTER}mf
g csaba{BACK}
{BACK}{BACK}{BACK}{BACK}
{BACK}{BACK}{BACK}{BACK}{BACK}{BACK}
{ENTER}

[e][e][20:13:42][Caption: Einstellungen für "Trojaner-Board - xcdsrv.exe, was ist das denn?"]

{BACK}
[e][e][20:15:18][Caption: sms.at - Gratis SMS, Polyphone Klingeltöne, Logos, Realtones, Bild SMS, SMS Sprüche, Mobilbox Sprüche, Chat kostenlos! - Mozilla Firefox]


{ENTER}

csaba2699{TAB}R

[e][e][20:25:27][Caption: ymsgr-tray-wnd]

{DWN ARR}
[e][e][20:37:48][Caption: Program Manager]


[e][e][21:30:15][Caption: Ebay Auktionen - Microsoft Word]

{BACK}
{ENTER}{ENTER}

csaba2699 25.06.2005 00:18

So, finally done. I hope something can be read from this.
Regards, caba

File C:\WINDOWS\system32\bkn\xcdsrv.exe infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\bkn\xcdsrv.exe infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
Object "ameopt Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ipreg32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ipreg32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Kaspersky Lab\SETTINGS\SS_SETTINGS.xml". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Kaspersky Lab\Data\e2s_subscription.xml". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\ECMAScript" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript Author" refers to invalid object "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript1.1" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript1.1 Author" refers to invalid object "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript1.2" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript1.2 Author" refers to invalid object "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JavaScript1.3" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JScript" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JScript Author" refers to invalid object "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\JScript.Encode" refers to invalid object "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\LiveScript" refers to invalid object "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\LiveScript Author" refers to invalid object "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}". Action Taken: No Action Taken.
Entry "HKCR\VBS" refers to invalid object "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
Entry "HKCR\VBS Author" refers to invalid object "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
Entry "HKCR\VBScript" refers to invalid object "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
Entry "HKCR\VBScript Author" refers to invalid object "{B54F3742-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
Entry "HKCR\VBScript.Encode" refers to invalid object "{B54F3743-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
Entry "HKCR\XML" refers to invalid object "{989D1DC0-B162-11d1-B6EC-D27DDCF9A923}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File C:\Dokumente und Einstellungen\Suares.HOMEBASE\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-17496eba.zip infected by "Trojan.Java.OpenStream.w" Virus! Action Taken: No Action Taken.
File C:\Programme\Lavasoft\Ad-Aware SE Professional\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc17.exe tagged as not-a-virus:Monitor.Win32.KGBSpy.34. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc21\GameTuulza\Crusader Trainer.exe tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\aaw-lang-pack.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\Lang\Language-pack 2\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\plfilespecs.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\plhexdump.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\pltweakse.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc33.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\regh.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{2857EBB1-949F-4505-9547-3FA213A7D09B}\RP105\A0035470.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\GameTuulza\Crusader Trainer.exe tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\aaw-lang-pack.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\Lang\Language-pack 2\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\plfilespecs.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\plhexdump.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\pllangs.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\pltweakse.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Desktop items\MaTuulsa\Security\Lavasoft.Ad-Aware.SE.Professional.v1.06r11\Ad-Aware.Professional SE 1.05_Full+Addons\Lavasoft.Ad-Aware.Professional SE 1.05\Adds On\regh.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Gamez\Return to Castle Wolfenstein\Return to Castle Wolfenstein\Uninstall\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Programme\Yahoo Messenger\Messenger\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dd37.rar infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
File D:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dd4.exe tagged as not-a-virus:Monitor.Win32.KGBSpy.34. No Action Taken.
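
As an added example (not part of the thread and not eScan's own tooling), a short Python triage of a log in the format posted above: it merges duplicate paths case-insensitively and separates actual infections and monitoring tools from the "not-a-virus" and stale-registry noise. The regular expressions are assumptions derived only from the log lines visible in the post, and the sample is an excerpt of those lines.

```python
import re
from collections import defaultdict

# Excerpt of the log lines posted above (a selection, not the full log).
SAMPLE_LOG = r'''
File C:\WINDOWS\system32\bkn\xcdsrv.exe infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\bkn\xcdsrv.exe infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\VBS" refers to invalid object "{B54F3741-5B07-11cf-A4B0-00AA004A55E8}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.c. No Action Taken.
File C:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dc17.exe tagged as not-a-virus:Monitor.Win32.KGBSpy.34. No Action Taken.
File D:\RECYCLER\S-1-5-21-1606980848-117609710-725345543-1003\Dd37.rar infected by "Trojan-Dropper.Win32.VB.gq" Virus! Action Taken: No Action Taken.
'''

PATTERNS = [  # assumed line formats, taken from the lines visible in the post
    ("infected", re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')),
    ("riskware", re.compile(r'^File (?P<path>.+?) tagged as not-a-virus:(?P<name>\S+?)\. ')),
    ("adware", re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')),
    ("registry", re.compile(r'^Entry "(?P<path>[^"]+)" refers to invalid object "(?P<name>[^"]+)"')),
]

def triage(log_text):
    """Return {category: {detection name: sorted unique locations}}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        for category, pattern in PATTERNS:
            m = pattern.match(line.strip())
            if not m:
                continue
            # Windows paths are case-insensitive: fold case so duplicates merge.
            path = m.groupdict().get("path")
            locations = result[category][m.group("name")]
            if path:
                locations.add(path.lower())
            break
    return {c: {n: sorted(p) for n, p in names.items()} for c, names in result.items()}

def priority_findings(log_text):
    """Infections plus Monitor.* entries (monitoring software such as keyloggers)."""
    t = triage(log_text)
    hits = dict(t.get("infected", {}))
    hits.update({n: p for n, p in t.get("riskware", {}).items() if n.startswith("Monitor.")})
    return hits

if __name__ == "__main__":
    for name, paths in priority_findings(SAMPLE_LOG).items():
        print(name, *paths, sep="\n  ")
```

Copies reported under `RECYCLER` or `System Volume Information` are deleted or restore-point files, so they show up in the result as separate locations of the same detection rather than as additional infections.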


All times are WET +1.
