Trojaner / Spyware

[Belasi]

Hi

Norton Anti Virus hat einen Trojaner lokalisiert, kann ihn aber nicht beseitigen. (win 2000pro)

Hier mein Logfile:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 14:15:53, on 21.04.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\zdhgft.exe
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINNT\system32\cmd32.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINNT\system32\ifmolfn.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\BullsEye Network\bin\bargains.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\tawo.exe
C:\WINNT\system32\??oolsv.exe
C:\WINNT\system32\umaks.exe
C:\WINNT\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Programme\CxtPls\cxtpls.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
O2 - BHO: (no name) - {95CC450A-DDB0-8F4D-9C00-ADC8168A7DC1} - C:\WINNT\system32\nyewegaf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D0EBDABC-56B7-4F56-80B3-038AD9375EC1} - C:\WINNT\system32\ikgl.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [rF5U3mV] ifmolfn.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Programme\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\GEMEIN~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [zxwsnwi] c:\winnt\system32\zdhgft.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\Run: [Awbn] C:\WINNT\system32\tawo.exe
O4 - HKCU\..\Run: [Oky] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [aou8RgZse] umaks.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {C40FD43A-A7FB-4E01-93C9-227D0AD6FA96} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C40FD43A-A7FB-4E01-93C9-227D0AD6FA96} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c7.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548
O18 - Filter: text/html - {07660FCF-D0AB-4887-B303-72D9F58709C7} - C:\WINNT\system32\ikgl.dll
O18 - Filter: text/plain - {07660FCF-D0AB-4887-B303-72D9F58709C7} - C:\WINNT\system32\ikgl.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)

Ich hoffe es kann mir jemand helfen, ansonsten muss ich die Festplatte platt machen - brauche den PC dringend ...

[Speedy]

hi

scanne das system mit escan
1) download das programm von Microworld
2) entpacke die datei mwav.exe oder mwav.zip in den ordner c:\bases
sollte das zip-programm dies nicht in einem schritt zulassen, so muss der ordner c:\bases manuell genau so angelegt werden.
3) nun wird der windows-explorer geöffnet und mit einem doppelklick auf die datei KAVUpd.exe, oder kavupd.exe
das update gestartet. auf meinem system (windowsxpsp2) wird sofort ein ordner C:\Download erstellt, der nach dem update
ca. 110 datein und ca. 5 MB groß ist, ein weiterer ordner c:\Bases_X wurde ebefalls erstellt, inhalt 105 datein und ebefalls 5 MB groß
im ordner c:\bases sind 133 datein mit ca. 7,4 MB
4) wechsle in den abgesicherten modus von windows
5) öffne nun wieder den explorer, gehe zum ordner c:\bases und starte die datei mwavscan.com oder [mwavscan.exe[/url], schließe den explorer.
6) überprüfe die einstellungen, unter scan option-->memory, startup folders, registry, system folders und services (auswahl) und scan all files sollte aktiviert sein, dann den button *SCAN* drücken.

7) wenn der scan beendet ist (dauert ca. 1 Stunde), wechselst du zurück in den normalen modus.
8) nun öffnest du mit dem editor, die mwav.txt oder mwav.log und wählst unter bearbeiten -> suchen, hier gibst du infected ein



jene zeile in der infected steht, markieren, und hier einfügen, weitersuchen usw.
und ganz unten steht die zusammenfassung, diese auch hier posten

Wed Oct 06 03:19:24 2004 => Total Number of Files Scanned: 54651
Wed Oct 06 03:19:24 2004 => Total Number of Virus(es) Found: 0
Wed Oct 06 03:19:24 2004 => Total Number of Disinfected Files: 0
Wed Oct 06 03:19:24 2004 => Total Number of Files Renamed: 0
Wed Oct 06 03:19:24 2004 => Total Number of Deleted Files: 0
Wed Oct 06 03:19:24 2004 => Total Number of Errors: 0
Wed Oct 06 03:19:24 2004 => Time Elapsed: 01:13:32
Wed Oct 06 03:19:24 2004 => Virus Database Date: 2004/10/05
Wed Oct 06 03:19:24 2004 => Virus Database Count: 105164

Wed Oct 06 03:19:24 2004 => Scan Completed.

[Belasi]

Danke schon mal, Speedy.
Also, folgende Zeilen sind dabei rausgekommen:

Code:

Thu Apr 21 15:47:01 2005 => File c:\winnt\system32\qjpbor.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:01 2005 => File C:\WINNT\system32\gamo.dll infected by "Trojan.Win32.StartPage.ix" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:05 2005 => File C:\WINNT\Bolger.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:06 2005 => File C:\WINNT\isrvs\sysupd.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:06 2005 => File C:\WINNT\system32\gamo.dll infected by "Trojan.Win32.StartPage.ix" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:06 2005 => File C:\WINNT\system32\msbe.dll infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:13 2005 => File C:\PROGRA~2\MEDIAA~1\MEDIAA~2.EXE infected by "not-a-virus:AdWare.WinAD.am" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:14 2005 => File C:\WINNT\system32\cmd32.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:14 2005 => File C:\WINNT\system32\ifmolfn.exe infected by "Trojan-Downloader.Win32.Apropo.aa" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:14 2005 => File C:\PROGRA~2\AUTOUP~1\AUTOUP~1.EXE infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:15 2005 => File C:\PROGRA~1\BULLSE~1\bin\bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:15 2005 => File C:\WINNT\isrvs\desktop.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:16 2005 => File c:\winnt\system32\qjpbor.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:16 2005 => File C:\WINNT\system32\tawo.exe infected by "not-a-virus:AdWare.PurityScan.w" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:16 2005 => File C:\WINNT\system32\umaks.exe infected by "not-a-virus:AdWare.Apropos.i" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:19 2005 => File C:\WINNT\system32\drivers\delprot.sys infected by "Trojan.Win32.Delprot.a" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:25 2005 => File C:\WINNT\svcproc.exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with DyFuCA Spyware/Adware ({40b1d454-9ca4-43cc-86aa-cb175eac52fb})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "DyFuCA Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with DyFuCA Spyware/Adware ({1c01d150-91a4-4de0-9bf8-a35d1bdf1001})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with DyFuCA Spyware/Adware ({00000010-6f7d-442c-93e3-4a4827c2e4c8})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Bargain Buddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Bargain Buddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed15678})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Bargain Buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e5678})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Bargain Buddy Spyware/Adware ({f4e04583-354e-4076-be7d-ed6a80fd66da})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with VX2 Spyware/Adware ({92daf5c1-2135-4e0c-b7a0-259abfcd3904})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with VX2 Spyware/Adware ({bb0d5adc-028d-4185-9288-722ddce2c757})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with ClickSpring  Spyware/Adware ({9eb320ce-be1d-4304-a081-4b4665414bef})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "ClickSpring  Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Adintelligence.AproposToolbar Spyware/Adware ({016235be-59d4-4ceb-add5-e2378282a1d9})! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Adintelligence.AproposToolbar Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with DyFuCA Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "DyFuCA Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "kapabout Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with Internet Optimizer Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "Internet Optimizer Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with avenue media Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "avenue media Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with bargains Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "bargains Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => Offending value found in HKLM\Software\Microsoft\Windows\CurrentVersion\Run !!!
Thu Apr 21 15:47:28 2005 => System found infected with bullseye network Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "bullseye network Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with exactutil Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "exactutil Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with bargainbuddy Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "bargainbuddy Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with VGroup Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "VGroup Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with WebSiteViewer Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "WebSiteViewer Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with text/html Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "text/html Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with envolo Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "envolo Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with autoloader Spyware/Adware! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "autoloader Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with ezula Spyware/Adware (bbchk.exe)! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with ezula Spyware/Adware (vx0.nls)! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => System found infected with ezula Spyware/Adware (exclean.exe)! Action taken: No Action Taken.
Thu Apr 21 15:47:28 2005 => File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:31 2005 => System found infected with WindUpdate Spyware/Adware (ide21201.vxd)! Action taken: No Action Taken.
Thu Apr 21 15:47:31 2005 => File System Found infected by "WindUpdate Spyware/Adware" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:31 2005 => File C:\WINNT\byfqx.ex$ infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:32 2005 => File C:\WINNT\dlcvlve.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:37 2005 => File C:\WINNT\loadclean.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:38 2005 => File C:\WINNT\Nail.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:47:39 2005 => File C:\WINNT\shop1004.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:48:04 2005 => File C:\WINNT\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:48:21 2005 => File C:\WINNT\system32\intfsdffdsronsad.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:48:24 2005 => File C:\WINNT\system32\izxczxcr.exe infected by "Trojan.Win32.LowZones.y" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:48:24 2005 => File C:\WINNT\system32\izxxzdsafsafczxcr.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:48:30 2005 => File C:\WINNT\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:49:23 2005 => File C:\WINNT\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:49:28 2005 => File C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\B74901758\build2.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:49:45 2005 => File C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html infected by "Trojan.JS.StartPage.u" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:49:54 2005 => File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\4HMJ4PIN\a1[1].htm infected by "Trojan-Clicker.JS.Linker.j" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:50:00 2005 => File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\K62IGYJH\a1[1].htm infected by "Trojan-Clicker.JS.Linker.j" Virus. Action Taken: No Action Taken.
Thu Apr 21 15:50:03 2005 => Scanning File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\ODQZ0PMF\infected6xz[1].gif
Thu Apr 21 15:50:04 2005 => File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\ODQZ0PMF\send_car_int[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.

Thu Apr 21 15:50:06 2005 => Total Objects Scanned: 3099
Thu Apr 21 15:50:06 2005 => Total Virus(es) Found: 64
Thu Apr 21 15:50:06 2005 => Total Disinfected Files: 0
Thu Apr 21 15:50:06 2005 => Total Files Renamed: 0
Thu Apr 21 15:50:06 2005 => Total Deleted Objects: 0
Thu Apr 21 15:50:06 2005 => Total Errors: 12
Thu Apr 21 15:50:06 2005 => Time Elapsed: 00:03:53
Thu Apr 21 15:50:06 2005 => Virus Database Date: 2005/04/20
Thu Apr 21 15:50:06 2005 => Virus Database Count: 126821
 
Thu Apr 21 15:50:06 2005 => Scan Completed.

wie gehts jetzt weiter?

[Belasi]

Scheint ja ziemlich viel infiziert zu sein. Was kann man den jetzt machen?

Gruss

Belasi

[Belasi]

Moin moin

ich bin ziemlich im Stress, sollte eigentlich bloss wissen, ob es Sinn macht, das System zu reinigen, wieviel Zeit das in Anspruch nimmt oder ob es schneller geht und sinnvoller ist, das System neu aufzusetzen und die System-Harddisk zu formatieren.

Danke schon mal für eine schnelle Antwort, damit ich weiss, woran ich bin.

Gruss

Belasi

[Marc]

Guten Morgen Belasi!

Wir pflegen normalerweise hier die angewohnheit, den Mod antworten zu lassen, der den Thread angefangen hat. Nun ist das natürlich jetzt auch eine ungünstige Zeit und ich bin nur hier weil ich Urlaub habe

Machen wirs kurz:
Die Reinigung wird mehrere Stunden dauern, kann sich aber auch durch verzögrte Antworten oder Probleme mehrere Tage hinziehen. Grundsätzlich können wir das aber in den Griff bekommen.
Nun musst Du dir überlegen:
Was habe ich alles auf dem PC, macht es für mich mehr Sinn das in einem Tag komplett neu zu installieren oder brauche ich länger und die Reinigung ist für mich sinnvoller.

Bitte teile uns deine Entscheidung mit, damit wir entsprechend reagieren können.

[Belasi]

Okay, ich habs mir überlegt, ich reinige ihn lieber... der Aufwand zum Neuaufsetzen wäre zu gross, ich hoffe mal, dass hier alles glatt geht danke schon mal

[Marc]

Ok
Dann fangen wir mal an:
http://www.mvps.org/winhelp2002/hosts.htm
Die auf dieser Seite angegebene Hosts.zip herunterladen und entpacken.
Heraus kommt eine Hosts (ohne Endung).
Diese in den Ordner C:\WINDOWS\SYSTEM32\DRIVERS\ETC kopieren und die vorhandene Hosts damit ersetzen.
Wir vermeiden damit (hoffentlich) Neuinfektionen während der Reinigung.
Anschliessend jeweils ein Onlinescan mit Kaspersky und mit Panda:
1. http://www.kaspersky.com/beta?product=161744315
2. http://www.pandasoftware.com/product..._principal.htm
3. http://www.download.com/3000-2144-10...age&tag=button
Ad-Aware downloaden, updaten und scannen, alles gefundene fixen.
Jeweils nach den Scans Neustarten.

Nun ein neues Hijackthis Logfile hier posten.
Bei Fragen, fragen!

[Belasi]

So, war noch weg und der Scan mit kaspersky hat ziemlich lange gedauert, da ich eine grosse Datenmenge aufm PC hab ...

hab ich das richtig so verstanden: scannen mit kaspersky, dann dateien fixen, dann neustart, mit panda scannen, dateien fixen... dann mit ad-aware...

damit ich nichts falsches mache: was bedeutet fixen? löschen oder was anderes?

[Speedy]

hi

fixen -> siehe meine signatur