Penetranter Tojaner

Urban-Solanum · 02.05.2005, 07:52

VS wird nicht mit meinem Trojaner fertig.

Könnt ihr mal schaun was da noch zu retten ist.

Logfile of HijackThis v1.99.1

Scan saved at 15:39:36, on 29.04.2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Ahead\InCD\InCDsrv.exe

C:\Programme\STOPzilla!\szntsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\System32\bmwebcfg.exe

C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe

C:\Programme\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

C:\Programme\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Programme\Panda Software\Panda Antivirus Platinum\apvxdwin.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\atiptaxx.exe

C:\Programme\Ahead\InCD\InCD.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

C:\WINDOWS\appiy.exe

C:\WINDOWS\System32\rundll32.exe

C:\Programme\Messenger\msmsgs.exe

C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Programme\Sony Handheld\HOTSYNC.EXE

C:\Programme\Sony Handheld\USBSwt.exe

C:\Programme\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE

C:\Programme\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\msiexec.exe

C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temp\Temporäres Verzeichnis 2 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\se.dll/spage.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\omwsr.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {4D6EA93F-5339-BE3A-0F9A-CAF3C7148518} - C:\WINDOWS\syswj32.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {EDF23C8A-4E79-43C3-9FBA-1E93B915E5DE} - C:\WINDOWS\System32\hooj.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [SCANINICIO] "C:\Programme\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Programme\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [appiy.exe] C:\WINDOWS\appiy.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\se.dll,DllInstall

O4 - HKLM\..\Run: [STOPzilla] "C:\Programme\STOPzilla!\Stopzilla.exe" /autorun

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: HotSync Manager.lnk = C:\Programme\Sony Handheld\HOTSYNC.EXE

O4 - Startup: SonyPDA USB Switcher.lnk = C:\Programme\Sony Handheld\USBSwt.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Programme\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Programme\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm119YYDE

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O10 - Broken Internet access because of LSP provider 'bmnet.dll' missing

O12 - Plugin for .mpeg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{148E2C91-26EE-4092-9FE8-8AEC4BDC39E9}: NameServer = 194.25.2.129,194.25.2.130

O18 - Filter: text/html - {3EDEF150-E2D5-44C5-8C18-61FD2C1BD5F9} - C:\WINDOWS\System32\hooj.dll

O18 - Filter: text/plain - {3EDEF150-E2D5-44C5-8C18-61FD2C1BD5F9} - C:\WINDOWS\System32\hooj.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\System32\bmwebcfg.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe

O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programme\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programme\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Programme\STOPzilla!\szntsvc.exe

felix1 · 02.05.2005, 15:10

Dein erstes Problem ist schon mal hier:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\se.dll/spage.html

http://www.trojaner-board.de/showthread.php?t=14366

Und dann: eScan und poste dann das Ergebnis hier.
http://www.trojaner-board.de/42731-escan-anleitung.html

Urban-Solanum · 03.05.2005, 10:10

Danke esrtmal. Also das Programm gegen se.dll hab ich durchlaufen lassen und dann den eScan gemacht. Hier das Ergebniss:

File C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoestb.dll infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appiy.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\syswj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\syswj32.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appiy.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File System Found infected by "IBIS Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "mywebsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "sw Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "se Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "hsa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\getqjt.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\okbuvj.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\uiszwd.txt infected by "not-a-virus:AdWare.SearchPage" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\omwsr.dll infected by "not-a-virus:AdWare.SearchPage" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\temp.fr434E infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\AXELFI~1\LOKALE~1\TEMPOR~1\Content.IE5\ED0RA1U5\SmileyCentralFWBInitialSetup1.0.0.8-2[1].cab infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\AXELFI~1\LOKALE~1\TEMPOR~1\Content.IE5\QREVIHEV\dia17301[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\AXELFI~1\LOKALE~1\TEMPOR~1\Content.IE5\QREVIHEV\activ-x[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\AXELFI~1\LOKALE~1\TEMPOR~1\Content.IE5\OLI74PY3\umax-xp[1].htm infected by "Trojan-Clicker.JS.Linker.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\omwsr.dll infected by "not-a-virus:AdWare.SearchPage" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\f3PSSavr.scr infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\getqjt.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\okbuvj.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\uiszwd.txt infected by "not-a-virus:AdWare.SearchPage" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temp\temp.fr434E infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ED0RA1U5\SmileyCentralFWBInitialSetup1.0.0.8-2[1].cab infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temporary Internet Files\Content.IE5\QREVIHEV\dia17301[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temporary Internet Files\Content.IE5\QREVIHEV\activ-x[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Axel Fischer\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OLI74PY3\umax-xp[1].htm infected by "Trojan-Clicker.JS.Linker.h" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3CJPEG.DLL infected by "not-a-virus:AdWare.FunWeb.d" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3HISTSW.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3HTMLMU.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3PSSAVR.SCR infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3RESTUB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3SCHMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\F3WPHOOK.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\M3OUTLCN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\M3SKIN.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\MWSOEMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\bar\1.bin\MWSOESTB.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\Programme\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP19\A0004947.exe infected by "Trojan.Win32.StartPage.pu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP19\A0005088.EXE infected by "Trojan-Downloader.Win32.Small.aod" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP23\A0010726.DLL infected by "not-a-virus:AdWare.FunWeb.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-6.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-7.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-9.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-10.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-14.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-15.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-16.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-17.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-18.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{C599962C-930A-49EE-A7FF-EC277A91C1B1}\RP28\snapshot\MFEX-19.DAT infected by "Trojan.Win32.StartPage.uz" Virus. Action Taken: No Action Taken.
File C:\Recycled\Q330995.exe infected by "Trojan-Downloader.Win32.Small.amb" Virus. Action Taken: No Action Taken.

felix1 · 03.05.2005, 10:28

Abgesehen, dass Dein System veraltet ist, hast Du z.B.:
http://www.sophos.de/virusinfo/analy...ojpsymeaq.html
Lösche erst mal im abgesicherten Modus alle TIF.

02.05.2005, 15:10	#2
felix1 /// Helfer-Team	Penetranter Tojaner Dein erstes Problem ist schon mal hier: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\AXELFI~1\LOKALE~1\Temp\se.dll/spage.html http://www.trojaner-board.de/showthread.php?t=14366 Und dann: eScan und poste dann das Ergebnis hier. http://www.trojaner-board.de/42731-escan-anleitung.html __________________

03.05.2005, 10:28	#4
felix1 /// Helfer-Team	Penetranter Tojaner Abgesehen, dass Dein System veraltet ist, hast Du z.B.: http://www.sophos.de/virusinfo/analy...ojpsymeaq.html Lösche erst mal im abgesicherten Modus alle TIF.

Penetranter Tojaner

Log-Analyse und Auswertung: Penetranter Tojaner

Trojaner? --> aktueller Logfile