Hallo!

Ich habe anscheinend alle Viren der Welt eingeladen, auf meinem Rechner zu Gast zu sein... jedenfalls hat der eScan ganz schreckliche Dinge zu Tage gefördert (ich habe nur die "infected" kopiert):

File C:\WINDOWS\System32\hduli.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winmsdc.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\BACKUP\incoming\incoming\eDonkey0.45.exe infected by "not-a-virus:AdWare.ToolBar.Ucmore" Virus. Action Taken: No Action Taken.
File C:\BACKUP\incoming\incoming\edonkey0.50.1.exe infected by "not-a-virus:AdWare.MetaDirect.b" Virus. Action Taken: No Action Taken.
File C:\BACKUP\incoming\Medal of Honor KeyGen.exe infected by "not-virus:Joke.Win32.JepRuss" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP113\A0028283.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP113\A0028289.exe infected by "TrojanDownloader.Win32.PurityScan.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP118\A0029463.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP119\A0029493.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP121\A0030549.exe infected by "TrojanDownloader.Win32.PurityScan.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP121\A0030555.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP121\A0030569.exe infected by "TrojanDownloader.Win32.PurityScan.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP123\A0031634.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP125\A0031752.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP126\A0031769.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP128\A0031831.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP129\A0031839.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP129\A0031849.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP129\A0031861.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP129\A0031874.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP129\A0031886.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP130\A0031887.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP130\A0031905.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP135\A0032189.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP145\A0032394.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP146\A0033443.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP152\A0035592.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP158\A0035771.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP158\A0035780.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP159\A0035782.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP159\A0035793.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP159\A0035805.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP159\A0035844.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP159\A0035846.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP160\A0035887.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP160\A0035897.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP160\A0035909.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP160\A0035915.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP160\A0035917.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{710513D3-AFD1-49CC-9CC7-8B1C11952B20}\RP161\A0035924.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hduli.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys2.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winmsdc.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.

Jetzt wollte ich die Dinger manuell löschen, aber entweder finde ich die nicht (obwohl ich die "geschützten" Dateien zugelassen habe, wie Ihr das hier auch schon beschrieben habt) oder mir wird der Zugriff verweigert (so z.B. bei C:\WINDOWS\system32\vbsys2.dll)

Halleluja! Und nun???

Liebe Grüße

Ramona

@mo178
poste doch mal der vollständigkeithalber mal ein HJT logfile
download
anleitung
bereite dich geistig auf ein neu aufsetzen vom system vor
chaosman

...Dein Wunsch ist mir natürlich Befehl!

Logfile of HijackThis v1.99.0
Scan saved at 21:09:01, on 19.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Exif Launcher\QuickDCF.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\ARMIN\Desktop\mwav.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R3 - URLSearchHook: Search - {CA2A20D9-C64A-4C58-8AD4-016C79F3636F} - C:\WINDOWS\System32\Q704171.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search - {318A203C-80A7-492A-B10B-C9AA68D52418} - C:\WINDOWS\System32\Q704171.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {56E451C1-6122-4080-A116-5E81C70243F3} - C:\WINDOWS\System32\Q704171.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programme\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Search - {56E451C1-6122-4080-A116-5E81C70243F3} - C:\WINDOWS\System32\Q704171.dll
O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099337232281
O17 - HKLM\System\CCS\Services\Tcpip\..\{582726C5-A8D9-4EE0-90D3-5DADAF06A743}: NameServer = 69.50.188.178 69.31.80.244
O18 - Filter: text/html - {021C6933-4D85-4FD4-8E9E-DBDD04A4BD95} - C:\WINDOWS\System32\Q704171.dll
O18 - Filter: text/plain - {021C6933-4D85-4FD4-8E9E-DBDD04A4BD95} - C:\WINDOWS\System32\Q704171.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


Die meisten "Bösen" habe ich schon vorher mal gefixed, aber entfernt sind sie damit anscheinend immer noch nicht...

LG, Ramona

@mo178
Haui45 hat recht,da hilft nur format c

hier ein paar tips
http://board.protecus.de/showtopic.p...me=1097944155&

chaosman

Zitat:

File C:\WINDOWS\System32\hduli.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.

Lies dazu bitte folgenden Thread durch:
http://www.trojaner-board.de/showthread.php?t=12330

imo gibts da nur format c:

Oha! Ein Rootkit (oder wie die Dinger heißen....)

Okay, ums Neuaufsetzen komme ich dann ja nicht herum.

Inzwischen habe ich mich vom ie verabschiedet und benutze Firefox. Kann ich damit, ohne formatiert zu haben, ins Netz? Oder lieber gleich abmelden und "schrubben"?

Vielen Dank übrigens für die schnelle Antwort!!!!

Zitat:

Oder lieber gleich abmelden und "schrubben"?

Genau das.

Zitat:

Vielen Dank übrigens für die schnelle Antwort!!!!

Bitte

Alles klar, bin weg!