Hallo allerseits!

Hab mir bei der Datensicherung meiner Freundin was eingeholt, und krieg den kleinen Mistkerl nicht weg. Hier mein Hijackthis-Log, was kann ich jetzt machen? Vielen Dank im Voraus,

muaddib81

Logfile of HijackThis v1.99.1
Scan saved at 23:06:15, on 07.03.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
D:\Muli\eMule\Incoming\eTrust.PestPatrol.v5.0.Anti.Spyware-YAG\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Appz and Toolz\Adobe\Acrobat Reader 7.0\Reader\reader_sl.exe
C:\Program Files\IDETOOL\IDETOOL.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Muli\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Appz and Toolz\Adobe\Acrobat Reader 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [eTrustPPAP] "D:\Muli\eMule\Incoming\eTrust.PestPatrol.v5.0.Anti.Spyware-YAG\PPActiveDetection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\system32\winupd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Appz and Toolz\Adobe\Acrobat Reader 7.0\Reader\reader_sl.exe
O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\APPZAN~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\APPZAN~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109088700672
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe

Hallo muaddib81,

um sicher zu gehen was da noch alles passiert ist,
führe bitte dies mal aus:
1. Downloade Dir escan und befolge genau diese Anleitung (dauert etwa eine Stunde),
2. starte nach dem Scan wieder in den normalen Modus,
3. öffne die Datei "mwav.log", klicke auf "bearbeiten" danach auf "suchen"
4. gebe dann "infected" ein,
5. suche weiter bei Treffern, markiere diese und kopiere sie ins Forum,
6. neben den Treffern auch das Gesamtergebnis (befindet sich ganz unter im Logfile) posten.

Beispiel:
Wed Feb 02 19:48:56 2005 => Total Files Scanned:
Wed Feb 02 19:48:56 2005 => Total Virus(es) Found:
.
.
.
.


dartus

Aua, aua...
Hab den Scan mal drüberlaufen, und mir ist erstmal die Kinnlade runter...
Knapp 1200 Treffer beim Scan, die alle zu kopieren dürfte dauern, hier der erste Teil der escan-log-Treffer falls der Hilft, ich muss jetzt erstmal ins Bettchen...

Danke,
muaddib81

edit: na toll, die ganzen Sachen einzufügen klappt nicht, ich bekomme ne fehlermeldung, und die textdatei ist auch zu gross... hier dann ein ganz kleiner abschnitt...

Tue Mar 08 03:45:54 2005 => File C:\WINDOWS\system32\winupd.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:05 2005 => File C:\WINDOWS\system32\userinit.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:06 2005 => File C:\WINDOWS\inf\unregmp2.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:06 2005 => File C:\WINDOWS\system32\shmgrate.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:06 2005 => File C:\WINDOWS\system32\RunDLL32.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:06 2005 => File C:\WINDOWS\system32\regsvr32.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:06 2005 => File C:\PROGRA~1\OUTLOO~1\setup50.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:07 2005 => File C:\WINDOWS\system32\ie4uinit.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:07 2005 => File C:\PROGRA~1\LEXMAR~1\lxbtbmgr.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:07 2005 => File C:\WINDOWS\system32\dumprep.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:08 2005 => File C:\WINDOWS\system32\winupd.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:09 2005 => File C:\WINDOWS\System32\mshta.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:11 2005 => File C:\WINDOWS\system32\cisvc.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:11 2005 => File C:\WINDOWS\system32\clipsrv.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:11 2005 => File C:\WINDOWS\System32\dllhost.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:11 2005 => File C:\WINDOWS\System32\dmadmin.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:12 2005 => File C:\WINDOWS\System32\imapi.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:13 2005 => File C:\WINDOWS\system32\lxbtcoms.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:13 2005 => File C:\WINDOWS\System32\mnmsrvc.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:14 2005 => File C:\WINDOWS\System32\msdtc.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:14 2005 => File C:\WINDOWS\System32\msiexec.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:15 2005 => File C:\WINDOWS\system32\netdde.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:16 2005 => File C:\WINDOWS\system32\sessmgr.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:17 2005 => File C:\WINDOWS\system32\smlogsvc.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:17 2005 => File C:\WINDOWS\System32\tlntsvr.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:19 2005 => File C:\WINDOWS\hh.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:19 2005 => File C:\WINDOWS\IsUn0407.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:19 2005 => File C:\WINDOWS\IsUninst.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken
Tue Mar 08 03:46:21 2005 => File C:\WINDOWS\notepad.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:22 2005 => File C:\WINDOWS\R.COM infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:22 2005 => File C:\WINDOWS\REGEDIT.COM infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:22 2005 => File C:\WINDOWS\regedit.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:24 2005 => File C:\WINDOWS\winhlp32.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:25 2005 => File C:\WINDOWS\system32\accwiz.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:26 2005 => File C:\WINDOWS\system32\actmovie.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:26 2005 => File C:\WINDOWS\system32\ahui.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:27 2005 => File C:\WINDOWS\system32\asr_fmt.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:27 2005 => File C:\WINDOWS\system32\asr_ldm.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:27 2005 => File C:\WINDOWS\system32\asr_pfu.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:31 2005 => File C:\WINDOWS\system32\calc.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:33 2005 => File C:\WINDOWS\system32\charmap.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:33 2005 => File C:\WINDOWS\system32\ckcnv.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:33 2005 => File C:\WINDOWS\system32\cleanmgr.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:34 2005 => File C:\WINDOWS\system32\cliconfg.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:34 2005 => File C:\WINDOWS\system32\clipbrd.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:35 2005 => File C:\WINDOWS\system32\cmdl32.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:35 2005 => File C:\WINDOWS\system32\cmmon32.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:35 2005 => File C:\WINDOWS\system32\cmstp.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:37 2005 => File C:\WINDOWS\system32\conime.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:37 2005 => File C:\WINDOWS\system32\control.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.
Tue Mar 08 03:46:41 2005 => File C:\WINDOWS\system32\dcomcnfg.exe infected by "Email-Worm.Win32.Bagle.n" Virus. Action Taken: No Action Taken.

Hallo muaddib81,

Zitat:

Zitat von muaddib81

Knapp 1200 Treffer ...

bei einer derartigen Verseuchung rate ich Dir dringend zu "Format c:".
http://www.mathematik.uni-marburg.de...c-removal.html

hier eine empfehlenswerte Anleitung:

http://www.trojaner-board.de/showthread.php?t=12154

Thema Datensicherung:

http://www.trojaner-board.de/showpos...8&postcount=11

sry
dartus

Ok, vielen Dank für die Hilfe. Den Format C: hätte ich schon längst gemacht, aber ich wollte sichergehen, weil ich noch etliche Daten auf der Platte hab, die nicht mir gehören (meine Freundin ist derzeit im Begriff, ihr System neu aufzusetzen, und den ganzen Kram zu brennen hätte ewig gedauert, da haben wir meine HDD angeschlossen... dabei hab ich mir wohl auch was eingeholt...)

Mal sehen, wie ich das mache.

Danke nochmal,
muaddib81