Hallo!

Habe mir den Sfondi Dialer eingefangen.
Spybot und Ad-aware konnten ihn bis jetzt nicht finden. Genausowenig wie Antivirus.

Hat von Euch evtl. jemand eine Lösung?

Jetzt habe ich hier gelesen, das man sein System mit HijackThis scannen soll. Das hab ich eben gemacht.

Hier das Log-File:

Code: Alles auswählenAufklappen

ATTFilter

Logfile of HijackThis v1.99.1
Scan saved at 08:51:03, on 17.06.05
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Norton Internet Security\NISSERV.EXE
C:\Programme\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Programme\Norton Internet Security\IAMAPP.EXE
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\epswad4.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\GMX\GMX SMS-Manager\SMSMngr.exe
C:\Programme\sipgate X-Lite\sipgateXLite.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\ceytec software\Reminder 99\remind99.exe
C:\Programme\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programme\Netropa\Onscreen Display\OSD.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Thunderbird\thunderbird.exe
C:\WINCMD\TOTALCMD.EXE
f:\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiel-zeit.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\OPTICA~1\4DMAIN.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Programme\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdPopup] C:\WINDOWS\epswad4.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Flat2Serve Server] F:\Programme\flat2serv 2\F2SHSERV.EXE
O4 - HKCU\..\Run: [Flat2Serve BeOnline] f:\PROGRA~1\FLAT2S~1\BEONLINE.EXE
O4 - HKCU\..\Run: [GMX SMS-Manager] C:\Programme\GMX\GMX SMS-Manager\SMSMngr.exe
O4 - HKCU\..\Run: [Buyertools Reminder] "C:\Programme\Buyertools\Buyertools Reminder\Reminder.exe" /autorun
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Programme\sipgate X-Lite\sipgateXLite.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Reminder 99.lnk = C:\Programme\ceytec software\Reminder 99\remind99.exe
O4 - Startup: WinMySQLadmin.lnk = F:\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: sipgate X-Lite.lnk = C:\Programme\sipgate X-Lite\sipgateXLite.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int7.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/DE/install.cab
O16 - DPF: {40BF816B-D862-41B9-9445-ECA36D5F67F9} (Flatcast Viewer 4.12) - http://www.1mal1.com/flatcast/NpFv412.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101401725359
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
O16 - DPF: {D2296475-B79C-44A9-9B2C-32B5DC6B8B45} (PhotosCtrlDE Class) - http://de.photos.yahoo.com/ocx/de/yexplorer1_9de.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - F:\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: flat2serv Starting Service (flat2servService) - Unknown owner - F:\Programme\flat2serv\f2sservice.exe (file missing)
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\SYSTEM32\GEARSEC.EXE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySql - Unknown owner - F:/xampp/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Programme\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Programme\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
         

Wäre nett, wenn sich das mal jemand ansehen könnte.

Vielen Dank...
Peter

@Buggyboy
du hast mehrere unbekannte prozesse im system,
überprüfe bitte dein system mit escan
http://www.trojaner-board.de/showthread.php?t=17492


chaosman

Hallo; ich habe warscheinlich so einen Sfondi drauf. Bei mir öffnet sich zu erst
einmal ein popup von Sfondi vonwegen Screensavers und dann eine warnuhg von Microsoft die aber keine von Microsoft ist.
escan habe ich laufen lassen ich hoffe ich setze den log richtig.



File C:\WINDOWS\etb\nt_hide66.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\windows\system32\kalvtnf32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\etb\pokapoka66.exe infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\windows\system32\elitedrb32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\etb\pokapoka66.exe infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\windows\system32\kalvtnf32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "StyleXP Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WhenU.SaveNow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "kalv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WhenU/SaveNow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "RedV Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "roings Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WhenU.SaveNow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SpywareNo!/SpySheriff Commercial KeyLogger" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Programme\Uninstall.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".fcp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Hunting Unlimited 3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA nForce Drivers". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "oeupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WhenUSaveMsg". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4C071CCC-D80E-4D86-AD9F-CACF95A198A2}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\editLive4common.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4EFA3C5D-DA8E-4A03-82D9-5F0E616B163C}" refers to invalid object "C:\PROGRA~1\GEMEIN~1\Ephox\CJSUIT~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4FF20192-4473-4A40-AA79-CC3579936223}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\editLive4common.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{502C0FCF-C0FC-4167-9B29-0E813382B4E5}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\editLive4common.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07}" refers to invalid object "H:\Programme\BearShare\RunMSC.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A7856B5C-BBC2-4453-A60C-A3F5DF483C95}" refers to invalid object "C:\PROGRA~1\GEMEIN~1\Ephox\CJCOMM~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E76ECE4B-D3C0-4A01-BFFA-E2D6ECD756D5}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\editLive4common.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F8354A1F-4FDE-4A3C-BA0E-81E4A538A640}" refers to invalid object "C:\PROGRA~1\GEMEIN~1\Ephox\CJDOCK~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{C53EC2D9-40D2-4C87-8C51-CB88938C1DA5}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\editLive4common.exe". Action Taken: No Action Taken.
Entry "HKCR\.spl" refers to invalid object "ShockwaveFlash.ShockwaveFlash". Action Taken: No Action Taken.
Entry "HKCR\.swf" refers to invalid object "ShockwaveFlash.ShockwaveFlash". Action Taken: No Action Taken.
Entry "HKCR\ed2k\shell\open\command" refers to invalid object ""H:\Programme\eMule\eMule.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\gnu\shell\open\command" refers to invalid object ""H:\Programme\BearShare\BearShare.exe" --noinstcheck -spawnedfromurl %1". Action Taken: No Action Taken.
Entry "HKCR\gnufile\shell\open\command" refers to invalid object ""H:\Programme\BearShare\BearShare.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\gnutella\shell\open\command" refers to invalid object ""H:\Programme\BearShare\BearShare.exe" -noinstcheck -spawnedfromurl %1". Action Taken: No Action Taken.
Entry "HKCR\magnet\shell\open\command" refers to invalid object ""H:\Programme\BearShare\BearShare.exe" -noinstcheck -spawnedfromurl %1". Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\solling5\Eigene Dateien\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.SaveNow.z". Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\solling5\Lokale Einstellungen\Temp\393372_1452_2180_3244_66.41.tmp1 infected by "Trojan.Win32.EliteBar.a" Virus! Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\solling5\Lokale Einstellungen\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.lq" Virus! Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\solling5\Lokale Einstellungen\Temp\saveinstwm.exe tagged as "not-a-virus:AdWare.SaveNow.z". Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\solling5\Lokale Einstellungen\Temp\temp.fr7397\pokapoka66.exe infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005632.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005633.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005675.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005676.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005759.exe infected by "Trojan-Dropper.Win32.Agent.kd" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005938.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005939.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP73\A0005940.exe infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP75\A0005965.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP75\A0005966.dll infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{64B10ED7-4B36-47B7-A21B-ED1CB20BC37F}\RP75\A0005968.exe infected by "Trojan-Downloader.Win32.Agent.tv" Virus! Action Taken: No Action Taken.


Verzeiht wenn ich den log falsch gemacht habe.....

Bin Blond

@ Hittransporter!
Damit wir hier nicht durcheinander kommen:
Eröffne einen neuen thread (forum wählen, *click* "Neues thema")
und poste ein HJT-Logfile nach Cidres Anweisung!
http://www.trojaner-board.de/showthread.php?t=17493
stupormundi