Hi, habe diesen Virus/Trojaner, was auch immer, auf meinem PC und krieg ihn nicht weg.

Hijack Log File:
Logfile of HijackThis v1.98.2
Scan saved at 18:37:51, on 14.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\CloneCD\CloneCDTray.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Software\software.exe
D:\Programme\CursorXP\CursorXP.exe
C:\WINDOWS\System32\d?dplay.exe
C:\Programme\GetRight\getright.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Hijack This\HijackThis.exe
C:\WINDOWS\System32\winpack.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msvcr70.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.web--search.com/to.php?ID1=575&ID2=101037672&ID3=Jñ0ò&ID4=0&ID5={AFA26815-8048-4566-BB6D-44A48E02981A}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:1080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "D:\Programme\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dlexport] C:\Programme\Windows Media Player\dlexport.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [sais] c:\programme\180solutions\sais.exe
O4 - HKLM\..\Run: [Software] C:\WINDOWS\System32\Software\software.exe
O4 - HKCU\..\Run: [CursorXP] D:\Programme\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msvcr70] C:\WINDOWS\System32\msvcr70.exe
O4 - Startup: dat75.tmp
O4 - Startup: Stardock ObjectBar.lnk = D:\Programme\ObjectBar\ObjectBar.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programme\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: concept/design's onlineTV - {0A2AD22A-4E9E-4DC7-9C35-D512E9A289B5} - K:\Programme\onlineTV\onlineTV.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {4CF9DEDA-09B7-7F65-CE2D-46B16716E263} - http://82.179.166.72/1/rdgDE208.exe
O16 - DPF: {7D79C2C5-C982-492E-32B6-2FF1304B1139} - http://82.179.166.72/1/rdgDE208.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)


habe ausserdem nen Bluescreen, der über den Active-Desktop überlappt, wo diese Meldung kommt:

Windows

Warning! Windows has detected SPYWARE INSTALLED on your computer.
What is Spyware, Adware and Malware?Spyware and Adware, also called 'Malware', are files made by publishers that allow them to snoop on your browsing activity, see what you purchase and send you 'pop-up' ads. They can slow down your PC, cause it to crash, record your credit card numbers and worse.
If you're like most Internet users, chances are you're probably infected with these files. Simply surfing the Internet, reading email, downloading music or other files can infect your PC without you knowing it.

* It is HIGHLY recommended to install protection from spyware

* Choose a good antispyware program and install it to protect your privacy

auf dieser Seite hab ich auch was gefunden: http://www.tas-independent-programming.com/

allerdings weis ich nmicht was ich sonst noch tun soll, nachdem ich die 3 Files gelöscht habe......kann mir wer helfen ????? =(((

hi
New.Net versuchs erstmal über Start - Systemsteuerung-Software ob Du da einen New Net eintrag zum deinstallieren findest.

@*velocy*
danach spybot download
laufen lassen.
danach escan download hier
und hier die anleitung
mache es genauso wie es beschrieben wird
teile uns das gesamte (!) Ergebnis des eScan mit: welche Viren wurden auf Deinem Rechner gefunden: "öffne die mwav.log -> Bearbeiten -> Suchen -> virus eingeben -> Weitersuchen -> Treffer markieren/kopieren und ins Forum übertragen." (Zitat Cidre)

chaosman

hi
ich noch mal

C:\WINDOWS\System32\Software\software.exe
C:\WINDOWS\System32\d?dplay.exe
C:\WINDOWS\System32\winpack.exe
C:\WINDOWS\System32\msvcr70.exe

diese dateien mit dem jotti onlinescan überprüfen, ergebnis hier posten, das sollte so aussehen

Service load:
0% 100%
File: Firefox_DOCUMENT.txt
Status:
OK
Packers detected:
None

AntiVir
No viruses found (0.14 seconds taken)
Avast
No viruses found (1.51 seconds taken)
BitDefender
No viruses found (0.35 seconds taken)
ClamAV
No viruses found (0.36 seconds taken)
Dr.Web
No viruses found (0.51 seconds taken)
F-Prot Antivirus
No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus
No viruses found (0.60 seconds taken)
mks_vir
No viruses found (0.20 seconds taken)
NOD32
No viruses found (0.37 seconds taken)
Norman Virus Control
No viruses found (0.12 seconds taken)

@chaosman (voller check gent natürlich auch)

Zitat:

Zitat von Passat2002

hi
New.Net versuchs erstmal über Start - Systemsteuerung-Software ob Du da einen New Net eintrag zum deinstallieren findest.

so, also New.Net eintrag war da----> gelöscht und neugestartet

werde jetzt alles andere machen, was ihr mir empfohlen habt, vielen Dank !!!!

so, hier die Komplette Log File:

Total Files scanned: 17902
Total Viruses found: 50
Total Errors: 10
Time Elapsed: 00:22:23

sonst überall 0
Virus Log:

File C:\PROGRA~1\WINDOW~2\dlexport.exe infected by "TrojanDownloader.Win32.Agent.cb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\unic2_32.dll infected by "TrojanSpy.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\WINDOW~2\dlexport.exe infected by "TrojanDownloader.Win32.Agent.cb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msvcr70.exe infected by "TrojanDownloader.Win32.Agent.am" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apilr32.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appeh32.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\atlif32.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mfchr.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Trojan-Downloader.Win32.Zdesnado.y" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winya.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\amax.exe infected by "TrojanDownloader.Win32.Agent.eb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\CustIE32.dll infected by "Trojan.Win32.StartPage.po" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\doul.exe infected by "TrojanClicker.Win32.Agent.v" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\etile.exe infected by "TrojanClicker.Win32.Agent.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msvcr70.exe infected by "TrojanDownloader.Win32.Agent.am" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\MTC.dll infected by "not-a-virus:AdWare.ToolBar.Tubby.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\notepad.exe infected by "TrojanDownloader.Win32.Apher.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\putes.exe infected by "Trojan.Win32.StartPage.po" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\sexru.exe tagged as not-a-virus:PornWare.Dialer.Salc. No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\unic2_32.dll infected by "TrojanSpy.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ywde.exe infected by "TrojanDownloader.Win32.Agent.eb" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\bb.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD3.tmp\rundlg32.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD4.tmp\rundlg32.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD5.tmp\rundlg32.dll infected by "not-a-virus:AdWare.ToolBar.SBSoft.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD6.tmp\MediaTicketsInstaller.ocx infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD7.tmp\MediaTicketsInstaller.ocx infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\ICD8.tmp\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\nsp170.tmp\new_net.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\nsp170.tmp\webhancer.exe infected by "not-a-virus:AdWare.WebHancer" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dk" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\powerscan.exe infected by "not-a-virus:AdWare.PowerScan.b" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\sidefind.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\temp.fr3433 infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\temp.fr4C42 infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\temp.fr8A00 infected by "not-a-virus:AdWare.ToolBar.SideFind" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\temp.fr968F infected by "Backdoor.Win32.Agent.en" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\Temp\webrebates.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\21ZOLGVQ\classload[2].jar infected by "Trojan.Java.Classloader.v" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\21ZOLGVQ\tst[1].chm infected by "Trojan-Downloader.VBS.Psyme.q" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\B7H7B5CS\ysb_prompt[1].php infected by "Exploit.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\CP2NCLIZ\tshome[1].exe infected by "Trojan.Win32.StartPage.nz" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\G9GNIZ2F\hdplugin_1019_bundle43v5d33[1].cab infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\GZRBUW9X\ysb_regular[1].cab infected by "Trojan-Downloader.Win32.IstBar.gk" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\H4GN11OP\rdgDE208[1].exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\STEFAN~1\LOKALE~1\TEMPOR~1\Content.IE5\I7AT8ZIZ\CAFISR35.HTM infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

@*velocy*
hast du schon mal versucht in den abgesicherten modus dein Norton antivirus laufen zu lassen?


chaosman

Mein Norton-Abo ist abgelaufen, insofern....

dann verwende einen onlinescanner --> housecall
als standart --> AVAST
zum gegencheck --> bitdefender free