Pests of all kinds and how to fight them: Mayday - smitfraud.c and others
18.05.2005, 16:54 | #1 |
| Mayday - smitfraud.c and others

Hi folks, recently my antique turned out to be rather vulnerable after all: a blue desktop background and the message (all too familiar after reading this forum)... Trojan-spy Smitfraud.c etc. Ad-Aware and Spybot were just as useless as an up-to-date Kaspersky virus scanner. I ran HJT and eScan on the machine, but I can't post the eScan log file, because the file is too big for a floppy (6.3 MB) and the machine won't let me save it to CD, saying roughly that the "file is in use". eScan finds 28 viruses and/or trojans. I'm attaching the HJT log file. Can anyone help me (relative layman)?

Logfile of HijackThis v1.99.1
Scan saved at 15:42:12, on 13.05.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\SYSTEM\MSTASK.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\WINDOWS.000\TASKMON.EXE
C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS.000\SYSTEM\MGACTRL.EXE
C:\PROGRAMME\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\PROGRAMME\0190 WARNER\WARN0190.EXE
C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE
C:\WINDOWS.000\SYSTEM\BOFER9Y77CMHYW.EXE
C:\PROGRAMME\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAMME\MATROX MGA POWERDESK\QDESK\MGAQDESK.EXE
C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/greg/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=35463
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS.000\SYSTEM\PFO26C~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [MGA Control Center] Mgactrl.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Programme\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS.000\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS.000\SYSTEM\BOFER9Y77CMHYW.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [romahere3] C:\WINDOWS.000\SYSTEM\BOFER9Y77CMHYW.EXE
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MGA QuickDesk.lnk = C:\Programme\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.000\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL= |
18.05.2005, 16:57 | #2 |
| Mayday - smitfraud.c and others

@pxt, please post from the eScan log file.

eScan result: tell us the result of eScan: "open mwav.log -> Edit -> Find -> enter infected or tagged -> Find Next -> select/copy the hits and paste them into the forum." That fits on a floppy too.

chaosman |
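The manual recipe above (search mwav.log for "infected" or "tagged") can be automated; the following is an added example, not code from the thread or from eScan, that parses eScan verdict lines in the format shown in this thread, de-duplicates hits (eScan lists the same file once per scan pass), counts detections per family, and cross-references flagged files against HijackThis O4 autostart lines. The sample log and HJT lines are constructed for the example.

```python
"""
Added triage helper for eScan (mwav.log) output as posted in this thread.
Not part of the forum thread or of eScan itself; the sample data below is
constructed in the same format as the logs in the thread.
"""
import re
from collections import Counter

# The two verdict forms seen in the thread:
#   File <path> infected by "<name>" Virus. Action Taken: <action>.
#   File <path> tagged as <name>. <action>.
_INFECTED = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>[^.]+)\.$')
_TAGGED = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>\S+?)\. (?P<action>[^.]+)\.$')


def parse_hit(line: str):
    """Return (path, detection, action) for a verdict line, else None."""
    line = line.strip()
    m = _INFECTED.match(line) or _TAGGED.match(line)
    if not m:
        return None
    return m.group("path"), m.group("name"), m.group("action")


def triage(log_text: str):
    """Collect unique hits keyed by lower-cased path, plus per-family counts."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_hit(line)
        if parsed is None:
            continue
        path, name, action = parsed
        # eScan reports the same file once per pass, sometimes in different
        # letter case; keying on the lower-cased path collapses those.
        # 8.3 short names (PFO26C~1.DLL) are still counted separately.
        hits.setdefault(path.lower(), (path, name, action))
    families = Counter(name for _, name, _ in hits.values())
    return hits, families


def untouched(hits):
    """Lower-cased paths the scanner only reported ('No Action Taken')."""
    return sorted(p for p, (_, _, a) in hits.items() if a == "No Action Taken")


def autostart_for(hits, hjt_text: str):
    """Map each flagged file to the HijackThis O4 (autostart) lines that launch it."""
    result = {}
    for line in hjt_text.splitlines():
        if not line.startswith("O4 - "):
            continue
        low = line.lower()
        for key, (path, _, _) in hits.items():
            if key in low:
                result.setdefault(path, []).append(line.strip())
    return result


# Constructed sample data in the format of the thread's logs.
SAMPLE_LOG = r"""
File C:\WINDOWS.000\SYSTEM\PFO26C3JD2OKG1.DLL infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pfo26c3jd2okg1.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\58765.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WIN98\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
Scanning C:\WINDOWS.000\SYSTEM\KERNEL32.DLL ... OK
"""
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
"""

if __name__ == "__main__":
    found, fams = triage(SAMPLE_LOG)
    for name, n in fams.most_common():
        print(f"{n:3d}  {name}")
    for path, lines in autostart_for(found, SAMPLE_HJT).items():
        print("autostart:", path, "<-", lines)
```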
18.05.2005, 17:26 | #3 |
| Mayday - smitfraud.c and others

Will do, but it takes ages on my slow box.
See you later. |
18.05.2005, 17:28 | #4 |
Administrator (retired) | Mayday - smitfraud.c and others

Once you have worked through chaosman's recommendation, try this solution -> http://www.trojaner-board.de/showthread.php?t=17863. |
20.05.2005, 07:21 | #5 |
| Mayday - smitfraud.c and others

Hello Cidre, hello chaosman, here are the logs from eScan and Spybot. I hope I did everything right.

File C:\WINDOWS.000\SYSTEM\PFO26C3JD2OKG1.DLL infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\PFO26C~1.DLL infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pcgh88dbdd77b.dll infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\1i0l7e0ir9o.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pfo26c3jd2okg1.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\58765.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\261864.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\618819.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\32526767.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\358656.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\95374.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\567321.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\273763.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\10158909.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\2079451.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\2338814.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\3594596.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\163465.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\87247.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WIN98\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\pk263wsp(1).exe infected by "not-a-virus:AdWare.TimeSink" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pcgh88dbdd77b.dll infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\1i0l7e0ir9o.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pfo26c3jd2okg1.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS.000\TEMP\58765.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\261864.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\618819.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\32526767.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\358656.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\95374.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\567321.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\273763.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\10158909.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\2079451.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\2338814.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\3594596.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\163465.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\87247.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\sicherung\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
And now Spybot:

I'll try Cidre's tip at the weekend. Many thanks in advance
pxt |
24.05.2005, 08:16 | #6 |
| Mayday - smitfraud.c and others

Hello Cidre, hello chaosman, I have worked through the suggestions and achieved at least partial success. The blue background is gone, but Internet Explorer is still stubbornly being redirected. eScan reports 23 viruses, which is 50 % fewer than before, but it is still a bit much. Further symptoms: the "Control Panel" crashes with the message "...not responding..." when I try to change settings, and IE still tries to dial into the net on its own every time Windows Explorer is opened. Can anyone help me further!!! Here is the current eScan log:

File C:\WINDOWS.000\SYSTEM\PFO26C3JD2OKG1.DLL infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\PFO26C~1.DLL infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pcgh88dbdd77b.dll infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\1i0l7e0ir9o.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pfo26c3jd2okg1.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\238324.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\46989.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\45104.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WIN98\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\pk263wsp(1).exe infected by "not-a-virus:AdWare.TimeSink" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pcgh88dbdd77b.dll infected by "Trojan-Downloader.Win32.Small.rr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\1i0l7e0ir9o.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\SYSTEM\pfo26c3jd2okg1.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS.000\TEMP\238324.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\46989.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS.000\TEMP\45104.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\sicherung\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.

And finally HJT:

Logfile of HijackThis v1.99.1
Scan saved at 22:10:25, on 23.05.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\DDHELP.EXE
C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
C:\WINDOWS.000\EXPLORER.EXE
C:\PROGRAMME\ZUBEHöR\WORDPAD.EXE
C:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://letgohome.com/hp.htm?id=35463
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.msn.de/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS.000\SYSTEM\PFO26C~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [MGA Control Center] Mgactrl.exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Programme\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS.000\SYSTEM\M5MDPHT5K9THD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS.000\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MGA QuickDesk.lnk = C:\Programme\Matrox MGA PowerDesk\qdesk\mgaqdesk.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.000\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AE527D20-C264-11D9-AB05-444553540000} - C:\WINDOWS.000\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

Grateful for any info that helps me further.
Regards, PXT |
26.05.2005, 08:30 | #7 |
| Mayday - smitfraud.c and others

Quote:
I ran eScan and posted it. Then I followed the instructions and posted the (eScan) result on Monday. The blue screen is gone, but there are still a few wild boys on board. Do you have any further suggestions on how to get rid of these fellows?
Regards, pxt |
01.06.2005, 13:19 | #8 |
| Mayday - smitfraud.c and others

@cidre @chaosman also at a loss?? pxt |