Log analysis and evaluation: TR/Dldr.Small.1
07.08.2005, 09:48 | #1
TR/Dldr.Small.1

Hello everyone! For quite a while now I've had the problem that AVP keeps reporting the trojan named above! One of my temporary Internet files is infected with it. After deleting it, it's usually a different temp. Internet file. Although I have deleted it so many times, it keeps attacking my system... I'd be glad if someone could help me! Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:17, on 07.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Information Update\iu.exe
C:\PROGRA~1\T-DSLS~1\SpeedMgr.exe
C:\Dokumente und Einstellungen\Kili\Anwendungsdaten\estr.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\T-DSL SpeedManager\tsmsvc.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\edonkey\eMule\emule.exe
C:\WINDOWS\system32\scanregw.exe
C:\Programme\T-Online\T-Online_Software_5\Browser\browser.exe
C:\Dokumente und Einstellungen\Kili\Eigene Dateien\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=134272
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=134272
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=134272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {074FD9C5-0D12-63B1-2F76-6A2D82F3F1A6} - C:\WINDOWS\System32\gno.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {3041A1EB-2464-16CB-52B2-16AADAC095AD} - C:\WINDOWS\System32\pnn.dll (file missing)
O2 - BHO: (no name) - {4196B7AC-6C70-5F87-44F2-07CB0CE9B2FF} - C:\WINDOWS\System32\yhwz.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: (no name) - {C40A646D-F0F0-F709-D50B-88ADAABA71C2} - C:\WINDOWS\system32\wvl.dll
O2 - BHO: (no name) - {CCC6CCE6-4C35-74C3-5460-7EEC5E613BFA} - C:\WINDOWS\System32\hhv.dll (file missing)
O2 - BHO: (no name) - {CE592611-A6CC-9E33-AED6-952292A330F7} - C:\WINDOWS\System32\wnqkb.dll (file missing)
O2 - BHO: (no name) - {DB81BAA3-3324-04DB-4164-5B9E198979A4} - C:\WINDOWS\System32\zciett.dll (file missing)
O2 - BHO: (no name) - {EBAC8AA3-1E14-34EB-6C54-6BB329B95494} - C:\WINDOWS\System32\zciett.dll (file missing)
O2 - BHO: (no name) - {EF294E6F-9CEA-F442-D319-FCE4EEF044AD} - C:\WINDOWS\System32\hyv.dll (file missing)
O2 - BHO: (no name) - {F9EBFCE6-6106-41F7-7950-4EC16E5116CA} - C:\WINDOWS\System32\hhv.dll (file missing)
O2 - BHO: Local Spool Net support DLL - {FCADDC50-BE46-409A-9842-CEBE1C6E37EB} - c:\windows\system32\localsplnet.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [netdaemon] C:\windows\system32\netdaemon /v
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [System32] lExplorer.EXE
O4 - HKLM\..\Run: [Information Update] C:\Programme\Information Update\iu.exe
O4 - HKLM\..\Run: [HaNSoN] EXPL0RER.EXE
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\PROGRA~1\T-DSLS~1\SpeedMgr.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKCU\..\Run: [Ittptku] C:\WINDOWS\System32\scanregw.exe
O4 - HKCU\..\Run: [Rlos] C:\Dokumente und Einstellungen\Kili\Anwendungsdaten\estr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Word\Office10\OSA.EXE
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {E3050623-3887-4DA3-BBCB-EB4EC80FA7E4} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {E3050623-3887-4DA3-BBCB-EB4EC80FA7E4} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121443428984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123250483341
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CCEBFC0-E910-41BF-B993-5A86226EE997}: NameServer = 217.237.150.33 217.237.151.161
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
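A small triage script for log lines like the ones in the post above, as an added example that is neither the forum's nor HijackThis's own code: it flags the patterns a log reader would act on here (start page redirected to a bare IP, BHO registrations with no name or a missing DLL, autorun entries whose file name mimics explorer.exe, hosts added to the IE Trusted Zone). The severities and the edit-distance threshold are my own assumptions; the sample lines are copied from the posted log.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in
# this thread; the full log has many more entries of the same kinds.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {074FD9C5-0D12-63B1-2F76-6A2D82F3F1A6} - C:\WINDOWS\System32\gno.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HaNSoN] EXPL0RER.EXE
O4 - HKLM\..\Run: [System32] lExplorer.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted IP range: 67.19.178.84
"""

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if unremarkable."""
    m = re.match(r"(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1") and re.search(r"= http://\d+\.\d+\.\d+\.\d+", rest):
        return ("high", "IE start/default page redirected to a bare IP address")
    if kind == "O2" and ("(file missing)" in rest or rest.startswith("BHO: (no name)")):
        return ("medium", "unnamed or dangling BHO registration")
    if kind == "O4" and "] " in rest:
        # binary = first whitespace token after "[name] ", quotes and path stripped
        exe = rest.split("] ", 1)[1].strip('"').split()[0].rsplit("\\", 1)[-1].lower()
        if edit_distance(exe, "explorer.exe") <= 2:
            return ("high", f"autorun entry '{exe}' mimics explorer.exe")
    if kind == "O15":
        return ("high", "host or IP range added to the IE Trusted Zone")
    return None

def triage_log(text):
    """Return [(line, severity, reason)] for every flagged line, in log order."""
    return [(ln.strip(), *hit) for ln in text.splitlines()
            if (hit := triage_line(ln))]
```

Run `triage_log(SAMPLE_LOG)` to get the six flagged entries; the legitimate AntiVir autorun and the google.de start page pass through unflagged.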
07.08.2005, 14:15 | #2
Hello kanicut,

download clearprog 1.4.1 final. Run a disk cleanup (start clearprog, tick "delete everything" and click delete). Empty the quarantine folder of your AntiVir program. Check your system with Escan (please read carefully first, then scan). Report the scan result using "find.bat".

dartus
10.08.2005, 16:00 | #3
Thanks for now, I'll do everything according to your instructions, then I'll post again.
10.08.2005, 19:08 | #4
Hello again! I followed your instructions, only the find.bat part didn't really work... These files/viruses were listed after the scan under "Virus Log Information":

File C:\PROGRA~1\INFORM~1\iu.exe infected by "Trojan-Downloader.Win32.Centim.dn" Virus! Action Taken: No Action Taken.
File C:\DOKUME~1\Kili\ANWEND~1\estr.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\WINDOWS\system32\cqy.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File c:\windows\system32\localsplnet.dll tagged as "not-a-virus:AdWare.MediaBack.c". Action Taken: No Action Taken.
File C:\PROGRA~1\INFORM~1\iu.exe infected by "Trojan-Downloader.Win32.Centim.dn" Virus! Action Taken: No Action Taken.
File C:\DOKUME~1\Kili\ANWEND~1\estr.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
Object "IstBAR Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "mysearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "myway Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WebSiteViewer Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Kili\Anwendungsdaten\soht.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\Programme\AVPersonal\INFECTED\EXPL0RER.VIR infected by "Backdoor.Win32.DarkMoon.az" Virus! Action Taken: No Action Taken.
File C:\Programme\AVPersonal\INFECTED\explorer.VIR infected by "Backdoor.Win32.SdBot.aca" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP166\A0067198.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP178\A0083803.exe tagged as "not-a-virus:AdWare.PurityScan.by". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP178\A0083821.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP178\A0083836.exe infected by "Backdoor.Win32.SubSeven.pac" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP180\A0086396.exe tagged as "not-a-virus:AdWare.MediaBack.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP181\A0087572.exe tagged as "not-a-virus:AdWare.PurityScan.cj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP181\A0087584.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP209\A0089464.exe infected by "Trojan-Downloader.Win32.INService.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP242\A0096775.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{197DA5FC-B573-4167-ABA5-467936ECBB19}\RP244\A0096967.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\videox.dll tagged as "not-a-virus:AdWare.BHO.RedHotNet.a". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_85.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
12.08.2005, 23:09 | #5
Please help!
13.08.2005, 00:09 | #6
Hello kanicut,

since this was active on your system: "Backdoor.Win32.DarkMoon.az", my recommendation is a reinstall.

http://www.mathematik.uni-marburg.de...c-removal.html
http://www.mathematik.uni-marburg.de...ompromise.html
http://en.wikipedia.org/wiki/Botnet
http://de.wikipedia.org/wiki/Backdoor

Recommended guide to reinstalling: http://www.trojaner-board.de/showthread.php?t=12154

On the topic of data backup: http://www.trojaner-board.de/showpos...8&postcount=11

dartus