Hello everyone.
I've been given a notebook. It's infected with Trojans and viruses and everything, everything, everything. I was able to remove almost all of it with AVG 2012, but one Trojan unfortunately refuses to go away.
Unfortunately, Safe Mode doesn't work on this machine, so the whole thing has to be done during a normal system start. To be honest, I don't want to reinstall Windows. My knowledge is good; I'm comfortable working with Windows services and the registry.
I hope you can help me.
Attachments:
1. HijackThis log
2. AVG virus findings
3. Tasklist /svc in 2 images
Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:52:59, on 27.07.2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\AVG Secure Search\vprot.exe
C:\Programme\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\AVG\AVG2012\avgwdsvc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Programme\Pivot Stickfigure DB Toolbar\TbHelper2.exe
C:\Programme\AVG\AVG2012\avgui.exe
C:\WINDOWS\system32\mmc.exe
C:\Programme\AVG\AVG2012\avgidsagent.exe
C:\Programme\AVG\AVG2012\avgemcx.exe
C:\Programme\AVG\AVG2012\avgnsx.exe
C:\Programme\AVG\AVG2012\avgrsx.exe
C:\Programme\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\regedit.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Firefox\plugin-container.exe
C:\Programme\Mozilla Firefox\plugin-container.exe
F:\HiJackThis204.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=dcba626f-e4aa-4871-8ad9-442efa0e4496&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=dcba626f-e4aa-4871-8ad9-442efa0e4496&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=dcba626f-e4aa-4871-8ad9-442efa0e4496&affid=111583&searchtype=hp&babsrc=lnkry_nt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=dcba626f-e4aa-4871-8ad9-442efa0e4496&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://feed.helperbar.com/?publisher=OPENCANDY&dpid=OPENCANDYAPRIL&co=DE&userid=dcba626f-e4aa-4871-8ad9-442efa0e4496&affid=111583&searchtype=ds&babsrc=lnkry&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hxxp://search.live.com/sphome.aspx
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Programme\Pivot Stickfigure DB Toolbar\tbhelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Programme\AVG\AVG2012\avgdtiex.dll
O2 - BHO: Web Assistant Helper - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Programme\Web Assistant\Extension32.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Programme\AVG Secure Search\11.0.0.10\AVG Secure Search_toolbar.dll
O2 - BHO: Complitly - {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - C:\Dokumente und Einstellungen\admin\Anwendungsdaten\CompitlyEngine\ComplitlyEngine.dll
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Programme\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SMTTB2009 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Programme\Pivot Stickfigure DB Toolbar\tbcore3.dll
O3 - Toolbar: @C:\Programme\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Programme\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O3 - Toolbar: Pivot Stickfigure DB Toolbar - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Programme\Pivot Stickfigure DB Toolbar\tbcore3.dll
O3 - Toolbar: (no name) - !{0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - (no file)
O3 - Toolbar: (no name) - !{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
O3 - Toolbar: (no name) - !{ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Programme\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [vProt] "C:\Programme\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Programme\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\RunOnce: [removeSearchqudatamngr] cmd.exe /c RD /S /Q "C:\Programme\Searchqu Toolbar"
O4 - HKLM\..\RunOnce: [removeSearchqutoolbar] cmd.exe /c RD /S /Q "C:\Programme\Searchqu Toolbar\Datamngr\ToolBar"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\admin\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Dokumente und Einstellungen\admin\Anwendungsdaten\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Programme\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1343145912531
O17 - HKLM\System\CCS\Services\Tcpip\..\{84E27738-2E2B-4176-A773-611C4CABDCFC}: NameServer = 192.168.178.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA910A78-5E31-44A2-9888-95072957BD03}: NameServer = 192.168.178.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Programme\Gemeinsame Dateien\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll
O20 - AppInit_DLLs: c:\progra~1\sprote~1\sprote~1.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Programme\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Programme\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Google Update-Dienst (gupdate) (gupdate) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-Dienst (gupdatem) (gupdatem) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMSAccess - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Web Assistant Updater - Unknown owner - C:\Programme\Web Assistant\ExtensionUpdaterService.exe
--
End of file - 10801 bytes
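As an added example (not the poster's code and not part of the thread), a small Python triage helper that parses HijackThis Rn/On entries like those in the log above and groups the ones a reviewer checks first: R0/R1 search pages whose host is not a Windows default, the O20 AppInit_DLLs entry, and "(no file)" leftovers. The default-host list and the flagging rules are my assumptions; the six sample entries are copied from the log with their wrapped lines re-joined.

```python
import re
from urllib.parse import urlparse

# Constructed sample: six entries copied from the HijackThis log above, with the
# wrapped lines re-joined; "hxxp" defanging kept exactly as the poster wrote it.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = hxxp://feed.helperbar.com/?publisher=OPENCANDY&co=DE&q={searchTerms}
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: (no name) - !{0027da2d-c9f2-4b0b-ae05-e2cd1bdb6cff} - (no file)
O4 - HKLM\\..\\RunOnce: [removeSearchqutoolbar] cmd.exe /c RD /S /Q "C:\\Programme\\Searchqu Toolbar\\Datamngr\\ToolBar"
O20 - AppInit_DLLs: c:\\progra~1\\sprote~1\\sprote~1.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# Assumption: hosts Windows XP / IE8 uses as defaults; the HKLM R0/R1 lines in
# the poster's log point at exactly these.
DEFAULT_SEARCH_HOSTS = {"go.microsoft.com", "search.live.com"}
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

def parse_entries(log_text):
    """Yield (section, body) for every HijackThis Rn/On line; skip the rest."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")

def triage(log_text):
    """Return review findings as dicts with keys section, reason, detail."""
    findings = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in body:
            # Browser start/search pages: compare the URL host with the defaults.
            url = body.split(" = ", 1)[1].replace("hxxp", "http", 1)
            host = urlparse(url).hostname or ""
            if host not in DEFAULT_SEARCH_HOSTS:
                findings.append({"section": section, "detail": host,
                                 "reason": "non-default search url"})
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so any entry here is worth a look, 8.3 short path or not.
            findings.append({"section": section, "reason": "appinit dll",
                             "detail": body.split(":", 1)[1].strip()})
        elif body.endswith("(no file)"):
            # Registry reference whose target file is gone: cleanup candidate.
            findings.append({"section": section, "reason": "orphaned entry",
                             "detail": body})
    return findings
```

Running `triage` over the full log (after re-joining wrapped lines) yields one finding per hijacked HKCU search entry plus the O20 and "(no file)" items, while the default HKLM entries and the services stay out of the list.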