|
Plagegeister aller Art und deren Bekämpfung: Help me!!! Trojaner? searchmeup? Dialer?Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
06.05.2004, 09:41 | #1 |
| Help me!!! Trojaner? searchmeup? Dialer? Hallo, mein Vater hat gewaltige Probleme mit seinem Win 98 Rechner. Jedesmal wenn er ins Internet gehen will, versucht ein 0900 Dialer einzuwählen, wir bekommen ihn aber einfach nicht los. Es wurden zwei Trojaner gefunden: tr/sysupd32.dll2 (QHosts-B) und tr/ladder irgendwas wird gemeldet mitm ieloader (genauer konnt ers mir nimmer sagen) und die url searchmeup wird gefunden!!! Wir haben alles probiert: Win.ini durchgeschaut, nach nvidia32 gesucht, virenscanner laufen lassen (AntiVir) etc. Dann hab ich eine Beschreibung im Internet gefunden, wie man Trojaner losbekommt und hab alles wie folgt durchgeführt: "Yuckware ... viruses, trojans, worms, browser hijackers, spyware, redialers, and the like ... has become one of the biggest problems on the internet. Removing it from your computer will be quite a bit more time consuming than putting it there was. We'll be glad to help, if you'll take the time and effort to go through all the following steps first. Please read, understand, and follow this list ... it is the starting point for yuckware removal, and in most cases will do the trick all by itself!!! Do ALL of this, don't skip over anything. Every step is necessary, and the order in which they are performed is important to the success of the plan. This process will call for you to find and delete some things and to download and install a variety of updates and/or applications, in a particular order, and to execute certain of the applications in a particular order. If done as detailed, none of this will harm your system. If any step is skipped, or performed out of order, the desired fix likely will not be achieved. Please read, understand, and be prepared to exactly follow these instructions before beginning. If you have any questions, feel free to ask here before taking any chances. Know what you're going to have to do before you start to do it. Note: the bold, italicized, underlined blue items are links that will take you to the appropriate pages for necessary downloads and/or instructions. Just click on them to get to where you have to go. Save all downloads to separate, appropriately named folders on your desktop. To create a folder on your dektop, just right-click on any area of the desktop not occupied by icons, select "New>Folder", then type a distinctive, decriptive name in the highlighted box beneath the icon for the folder that will appear as "New Folder"on your desktop. First, if you are using WinME or XP, DISABLE SYSTEM RESTORE! When ALL the following have been done, re-enable it by following the same instructions, and replacing the checkmark you removed. Doing any of the rest of this with Restore enabled likely will be useless. Note: You will lose your saved restore points when you do this. Now, look for "TwainTech" , one of the most common hijackers, and if its on your system, get rid of it. Go to Start>SETTINGS>CONTROL PANEL>ADD/REMOVE PROGRAMS, and look for a program named "twain-tec", "TwainTech", or some close variant. If its there, click ADD/REMOVE and confirm you want to uninstall it. If there is no entry entry in ADD/REMOVE PROGRAMS, it still may be there. Assume it is, and do the following: For Win95, Win98 and WinXP users: a) To permanently disable the software click "Start" and then "Run" and type the following command which unregisters the software: regsvr32 c:\windows\twaintec.dll " b) To completely remove the software: reboot and then go to Sart>Run>Search>For Files and Folders, enter "xtarget.dll" (without the quotes), and click "Find (or Search) Now". It will take a while, but wait untill either it finds the file, or says "There are no files to display". If found, right-click on the file, then select-and-confirm delete. Find-and-delete any other files or folders with "twaintec" or "xtarget" in the name. Don't delete "Twain" files or folders ... just "TwainTech", "twain-tec", or very similar variations. The "Twain" files and folders are needed by your camera or scanner. For Win2K, WinME and WinNT users: a) To permanently disable the software click "Start" and then "Run" and type the following command which unregisters the software: "regsvr32 c:\winnt\twaintec.dll " b) To completely remove the software: reboot and then Find and Delete the file twaintec.dll, and find-and-delete any other file or folder with "twaintec*" (without the quotes, but include the *) in its name. Reboot. Next, in your browser's toolbar, select Tools>Internet Options>Delete Files>Apply>OK. Then, empty your recycle bin. Next, go to Windows Update and fully update your Windows and your browser. If you primarily use a browser other than Internet Explorer, be sure it too is fully updated. Then, download and run the latest version of Network Associate's free STINGER before doing anything else. Next, update your own antivirus program to the latest files, and run a full system scan. If you don't have a currently subscribed antivirus, a few free ones are available, such as Trend Micro's HOUSECALL , Panda's Active Scan, Grisoft's AVG Free, or Symantec's Security Check Free Virus Scan, among others. Whatever you use, do a full system scan, and follow any repair or removal instructions to the letter. When ALL those steps have been accomplished, download CoolWWWSearch.SmartKiller removal tool and CWSHREDDER. Note: these links will bring up the download option. These files are perfectly safe, and will not harm your system. Save each to your desktop, into separate, dintinctively named folders you will be able to locate easily. If you are running Win 95 or 98, you'll need a zip utility to extract the files. If you're running Win ME, 2K, or XP, a zip utility is unneeded. Install the apps and run them, CoolWWWSearch.SmartKiller removal tool FIRST. then CWSHREDDER, letting them fix whatever, if anything, they find. Next, download and install both Spybot S&D and AdAware , but DO NOT RUN THEIR SEARCHES untill you have opened each one and updated it using its web update function, as explained in the help file for each. When both products have been updated, disconnect from the internet and reboot your machine into safemode. If you are running Win95, Win98, or some versions of WinME, and customarily use a USB keyboard and/or mouse, you will need to substitute a standard PS2 Keyboard and/or mouse for the rest of this procedure, as the USB devices will not be recognized. If you are running any version of XP, thiat will not be a consideration. On most systems, you can enter safemode from a reboot by tapping F8 as soon as the machine begins to boot up, before any other screen appears. You may hear a beeping noise, and/or see a "Keyboard Error" message. Ignore them and keep tapping. You should soon be presented with a black-and-white boot choice screen. Select the #3 option, "Safe Mode", either by typing the numeral 3 or by using the up/down arrows of your keyboard, and hit enter. Your machine will boot up with only the barest necessities, and no background applications, running. Your display will probably look very different. Ignore that. If the F8 method does not work, another possibility is to tap, or sometimes to hold down, the "Esc" key as soon as the system begins to boot. If methods don't work for you, consult the User Support documentation that came with your machine or as available on the website of its manufacturer. Once in Safemode, go to Start>Programs>LavaSoft Adaware6>Adaware6.exe . When it opens, select "start" from its splashpage and let it run to completion. It may take quite a while. When it has finished, let it "Fix" anything it has found. Now, go to Start>Programs>Spybot Search and Destroy, and open it. Select "Immunize" , then click "Install". Then select "Permanently running bad download blocker for Internet Explorer", and click "Install". DO NOT place checks in any of the three "Recommended miscellaneous protections" panel at this time. Now, select "Search and Destroy", then select, down at the bottom of the page "Search for problems". Let it run to completion, which also may take quite a while, and let it "Fix" anything it finds. Run it one more time. It should find nothing. Once again, empty your recycle bin, then, while still in safemode, defragment your drive. That too will likely take quite a while. Now, open a browser (If necessary, choose "Work off line" and pay no attention to the "Cannot Display Page" message, and, from the browser's toolbar, select Tools>Internet options, and on the General, Security, and Privacy tabs, select the defaults and apply, then click "OK" and close the browser. Finally, reboot normally. Before doing any other browsing, messaging, chat, email checking or downloading, run HijackThis with no other browsers open or apps running, and save the log. Now go out on the web as you normally would, being careful what you click on. DO NOT reactivate System Restore unless and untill your machine is behaving properly. If you insist on things like opening attachments from unknown senders, hooking yourself up with "Exciting Free Browser Add-Ons", "Incredible Search Enhancers", or any other "Amazing Helpers", P2P file sharing, Porn, and surfing without up-to-date security and privacy software, you're on your own. If not, and you're still having problems, start a new thread in The Internet Forum, detailing exactly what you did, what the results were, and paste your Hijack This log into your post. Remember, do everything listed, in the order listed, and please start a new thread if you need further help. Don't post your help request to this thread. There's no other way to keep things sorted out and provide for individual attention." So, das haben wir alles gemacht. Ergebnis: Erst hat mein Dad den IE geöffnet und probegesurft, war alles ok. IE brachte als Startpage nimmer searchmeup sondern about.blank. Ich dachte, wir habens geschafft. Doch grad bekam ich wieder nen Anruf von ihm, der Dialer ist wieder da und versucht sich einzuwählen. Gottseidank hat mein Dad schon vor langem 0190 Nummern usw sperren lassen bei der Telekom. Jetzt steh ich da und weiß mir keinen Rat mehr. Hab gesehen, dass ihr bei Problemen öfter mal das Logfile von HijackThis hier rein kopiert. Hier ist das Logfile meines Vaters, nachdem wir alles probiert hatten: Logfile of HijackThis v1.97.7 Scan saved at 10:09:01, on 06.05.04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.00 (5.00.2614.3500) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAMME\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\ADAPTEC SHARED\CREATECD\CREATECD50.EXE C:\WINDOWS\RUNWIN32.EXE C:\WINDOWS\WININET32.EXE C:\PROGRAMME\HP OFFICEJET SERIE 700\BIN\HPOSTR03.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAMME\HP OFFICEJET SERIE 700\BIN\HPOVDX03.EXE C:\WINDOWS\SYSTEM\HPOHID03.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\WINDOWS\DESKTOP\SICHERHEIT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchmeup.com/search.php?aid=1057 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmeup.com/search.php?aid=1057 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmeup.com/search.php?aid=1057 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe Gott, ich hoff, ihr könnt mir weiterhelfen. Wenn nicht, muss ich ihn halt platt machen, aber muss ja nicht sein. Danke schonmal im Voraus für eure Hilfe!!! Liebe Grüße, Jessi Nachtrag: Hab jetzt in HijackThis mal O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe und O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe und alles mit searchmeup gefixt und hier ist das neue Logfile: Logfile of HijackThis v1.97.7 Scan saved at 10:52:02, on 06.05.04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.00 (5.00.2614.3500) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAMME\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\ADAPTEC SHARED\CREATECD\CREATECD50.EXE C:\WINDOWS\RUNWIN32.EXE C:\WINDOWS\WININET32.EXE C:\PROGRAMME\HP OFFICEJET SERIE 700\BIN\HPOSTR03.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAMME\HP OFFICEJET SERIE 700\BIN\HPOVDX03.EXE C:\WINDOWS\SYSTEM\HPOHID03.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\DESKTOP\SICHERHEIT\HIJACKTHIS.EXE C:\WINDOWS\WINDIAL32.EXE C:\WINDOWS\WINDIAL32.EXE R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local [ 06. Mai 2004, 10:53: Beitrag editiert von: Jessi1981 ] |
06.05.2004, 10:25 | #2 |
| Help me!!! Trojaner? searchmeup? Dialer? </font><blockquote>Zitat:</font><hr />Original erstellt von Jessi1981:
__________________Hab jetzt in HijackThis mal O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe und O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe und alles mit searchmeup gefixt und hier ist das neue Logfile: </font>[/QUOTE]Richtig, die beiden Einträge sind auf jeden Fall auffällig und gehören definitiv nicht zu den Win98-Systemdateien. Trotzdem scheinen die entsprechenden Prozesse noch zu laufen (s. neues HJT-Log). Die Datei dann z. B. mal umbenennen und schauen, ob das Problem dadurch gelöst ist. Zusätzlich ist mir noch folgender Prozess aufgefallen: C:\WINDOWS\WINDIAL32.EXE Bitte mal die Eigenschaften der Datei überprüfen - z. B. Erstellungsdatum usw. Auch dies ist keine Win98-Systemdatei. Dein "umwerfendes" Posting habe ich aber leider nicht ganz gelesen - ist irgendwie ein bisschen lang geraten. Vielleicht beim nächsten Mal etwas präziser fragen. Gezielte Suche nach Dialern evtl. auch mal mit a² versuchen: http://www.emsisoft.de/de/software/free/ |
06.05.2004, 18:07 | #3 |
| Help me!!! Trojaner? searchmeup? Dialer? Hab jetzt alles so gemacht, wie von euch empfohlen, aber komisch ist jetzt, dass der pc zwar eine internetverbindung aufbauen kann, aber keine seiten angezeigt werden können (Offlinemodus ist NICHT eingeschalten). Aber Emails über Outlook können versendet werden. Jetzt hat mir mein Dad nur folgende Hiobsbotschaft überbracht, dass er ein paar Ordner in der Registry gelöscht hat, die auffällig waren, und von denen kein anderer Ordner abhängig war, und wo nur ein Eintrag drin stand. Ich hoff, der hat jetzt nicht den PC gar lahm gelegt.
__________________Zu dem ist auffällig, dass unten in der Taskleiste keine Symbole mehr auftauchen, wie die vom Virenscanner oder Drucker etc. Hier das aktuelle HijackThis LogFile: Logfile of HijackThis v1.97.7 Scan saved at 18:49:47, on 06.05.04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.00 (5.00.2614.3500) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\DESKTOP\SICHERHEIT\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.de/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = |
06.05.2004, 19:13 | #4 |
Help me!!! Trojaner? searchmeup? Dialer? Hallo, wenn Dein Vater (was ich jetzt einfach mal unterstelle ) keinen Proxy-Server auf seinem Rechner installiert hat, sollte er folgende Einträge fixen: </font><blockquote>Zitat:</font><hr />R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = </font>[/QUOTE]Aber da fehlt doch noch etwas vom Log, oder? </font><blockquote>Zitat:</font><hr />...dass er ein paar Ordner in der Registry gelöscht hat, ... Zu dem ist auffällig, dass unten in der Taskleiste keine Symbole mehr auftauchen, wie die vom Virenscanner oder Drucker etc. </font>[/QUOTE]Das eine kann durchaus die Ursache für das andere sein, läßt sich aber aus der Ferne nur schwer beurteilen. Oder kann dein Vater noch sagen, was genau er gelöscht hat? Edit Verschoben nach: Trojaner-Info Trojaner, Viren, Würmer
__________________ Gruß, Lutz *** "Nur weil ich paranoid bin, bedeutet das nicht, dass sie nicht hinter mir her sind!" (Matthias Deutschmann) |
Themen zu Help me!!! Trojaner? searchmeup? Dialer? |
.exe, antivir, antivirus, attention, avg, avg free, browser, computer, email, error, finds, help, hijack this, hijackthis, hilfe, hilfe!!, internet, internet explorer, log in, logfile, nicht, officejet, recycle, regsvr32, rundll, scan, security, sicherheit, software, spyware, symantec, system restore, trend micro, trick, trojaner, trojaner gefunden, updates, usb, win me, windows, zwei trojaner |