Pests of all kinds and how to fight them: a new logfile... Windows 7
11.09.2005, 22:01 | #1
a new logfile...

Dear all! I checked the PC for malware, and there were a few things there that I did not like very much! I had already installed SP2, but then the PC no longer ran - yes, I know, women and PCs; in about 2 weeks my sweetheart is coming and will install the whole lot! But now, because of the malware report, here is a logfile!

Logfile of HijackThis v1.99.1
Scan saved at 10:42:26 PM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\ScanSoft\OmniPageSE\opware32.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RNapxs.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\BySoft FreeRAM\FreeRAM.exe
C:\Programme\FRITZ!DSL\StCenter.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Programme\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\mdmps32.exe
C:\Programme\FRITZ!DSL\FritzDsl.exe
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\kernel.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\sc_watch.exe
C:\Programme\Yahoo!\Messenger\ypager.exe
C:\Programme\T-Online\T-Online_Software_5\Browser\Browser.exe
c:\programme\t-online\t-online_software_5\browser\dlman.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://de.rd.yahoo.com/customize/ie/defaults/sb/ymsgr6/us/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/ymsgr6/us/*http://www.yahoo.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://de.rd.yahoo.com/customize/ie/defaults/sb/ymsgr6/us/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/ymsgr6/us/*http://www.yahoo.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/?.home=msgr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programme\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LnkSet] C:\WINDOWS\RNapxs.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\Programme\BySoft FreeRAM\FreeRAM.exe
O4 - HKCU\..\Run: [a-squared] "C:\Programme\a2\a2guard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: FRITZ!DSL Internet.lnk = C:\Programme\FRITZ!DSL\FritzDsl.exe
O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kodak EasyShare Software.lnk = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Programme\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programme\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programme\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programme\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programme\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19cec2af6a8d20923305/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094806583488
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://ax.emsisoft.com/axscan.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Would you be so kind as to take a look at it? Many thanks in advance! Best, Tanja

Note: active links edited! In future, please follow the instructions in this guide: HiJackThis. Regards, Cidre S-Mod TB
Last edited by Cidre (12.09.2005, 01:43)
12.09.2005, 01:42 | #2
Administrator (ret.) | a new logfile... Hello,
Quote:
Quote:
Otherwise I see no further anomalies in your log file.
12.09.2005, 20:33 | #3
a new logfile... Hey Cidre!

Thanks for taking on my logfile. Here now is what HiJackFree v1 found in the way of questionable files or the like:

Name: TkBellExe
Pfad: C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe -osboot
Ort: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Gut: 5 - Böse: 3
Details Anzeigen
Erfordert Beachtung! Bitte Details mit lokalen Daten vergleichen und/oder Recherche bei Google

The details on that are as follows:

Status | Name | Command | Description
X | gcasServ | realsched.exe | Added by a variant of the TACTSLAY.A TROJAN! Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name
X | Realplayer Codec Support | realsched.exe | Added by the AGOBOT-AAD WORM! Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name
N | Realsched | realsched.exe | Application Scheduler installed along with RealOne Player. Runs independently of RealOne Player, to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. If it can't be disabled try deleting or renaming realsched.exe and then delete the entry in the registry
N | TkBell.Exe | realsched.exe | Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable "tkbell.exe" in the new version (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
N | TkBellExe | evntsvc.exe | Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable "tkbell.exe" in the new version (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
N | TkBellExe | realsched.exe | Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable "tkbell.exe" in the new version (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
N | TkBellExe | tkbell.exe | Application Scheduler installed along with RealOne Player. Once installed, it runs independently of RealOne Player. See here for more information, including how to disable it. Also see evntsvc and Realsched. Note that eventsvc.exe no longer appears to be in a newer version. To disable "tkbell.exe" in the new version (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK
X | WinHelp | realsched.exe | Added by a variant of the LOVGATE WORM! Note - this is not the legitimate RealOne Player (realsched.exe) application of the same name

"Y" - Normally leave to run at start-up
"N" - Not required - typically infrequently used tasks that can be started manually if necessary
"U" - User's choice - depends whether a user deems it necessary
"X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
"?" - Unknown
Autorun information provided by http://www.sysinfo.org

Next:

Name: Yahoo! Pager
Pfad: C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
Ort: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Gut: 2 - Böse: 2
Details Anzeigen
Erfordert Beachtung! Bitte Details mit lokalen Daten vergleichen und/oder Recherche bei Google

Status | Name | Command | Description
X | System | YPager.exe | Added by the JUNTADOR.K TROJAN! Note - this is not Yahoo! Messenger
X | Yahoo Messenger | YPager.exe | Added by the RBOT-QO WORM!
N | Yahoo! Pager | ypager.exe | Yahoo! Messenger allows you to send instant messages. Available via Start -> Programs
N | ypager | ypager.exe | Yahoo! Messenger allows you to send instant messages. Available via Start -> Programs

Those were at least two - although this TkBellExe is the one that interests me most! Kind regards, Tanja
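The HiJackFree details above make one point that is easy to check mechanically: a file name such as realsched.exe or ypager.exe is neither good nor bad by itself; what matters is whether the Run value points at the folder where the genuine program lives. The following Python is an added example (not from the thread, HijackThis or HiJackFree) that parses O4 Run lines in HijackThis format and compares the folder against a small assumed reference table; the sample lines are taken from the log in post #1, except the last one, which is constructed to show the mismatch case.

```python
import re

# Constructed sample: O4 lines from the HijackThis log posted above, plus one
# constructed line (a Run value named like one of the worm aliases HiJackFree
# lists, pointing outside the RealOne Player folder). Not from the thread.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min',
    r'O4 - HKLM\..\Run: [LnkSet] C:\WINDOWS\RNapxs.exe',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Programme\Yahoo!\Messenger\ypager.exe" -quiet',
    r'O4 - HKLM\..\Run: [Realplayer Codec Support] C:\WINDOWS\system32\realsched.exe',
])

# Assumed reference table: folder (lower case) where the genuine binary lives,
# derived from the HiJackFree details above. Real triage would use a
# maintained list such as sysinfo.org's; this is only an illustration.
EXPECTED_DIR = {
    "realsched.exe": r"c:\programme\gemeinsame dateien\real\update_ob",
    "ypager.exe": r"c:\programme\yahoo!\messenger",
    "avgnt.exe": r"c:\programme\avpersonal",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_path(cmd: str) -> str:
    """Return the executable path of a Run value (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def classify(line: str):
    """(value name, exe name, verdict) for an O4 Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    folder, _, exe = exe_path(m["cmd"]).lower().rpartition("\\")
    expected = EXPECTED_DIR.get(exe)
    if expected is None:
        verdict = "unknown"          # no reference entry: research by hand
    elif folder == expected:
        verdict = "expected-path"    # name and folder agree with the reference
    else:
        verdict = "path-mismatch"    # familiar name in an unexpected folder
    return m["name"], exe, verdict


def triage(log: str) -> dict:
    """Map each Run value name to its verdict."""
    return {r[0]: r[2] for r in map(classify, log.splitlines()) if r}
```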
13.09.2005, 20:14 | #4
a new logfile... Hey everyone! Here now is the content of 'C:\eScan_neu.txt':

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~ Funde für "infected" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Sep 12 22:35:41 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Mon Sep 12 22:35:43 2005 => System found infected with netster Spyware/Adware ({56336bcb-3d8a-11d6-a00b-0050da18de71})! Action taken: No Action Taken.
Mon Sep 12 22:36:06 2005 => System found infected with SAHAgent Spyware/Adware (C:\WINDOWS\system32\lsp.dll)! Action taken: No Action Taken.
Mon Sep 12 22:36:06 2005 => System found infected with SAHAgent Spyware/Adware (lsp.dll)! Action taken: No Action Taken.
Mon Sep 12 22:36:07 2005 => System found infected with Tencent QQ Spyware/Adware (acodec.dll)! Action taken: No Action Taken.
Mon Sep 12 22:46:28 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Mon Sep 12 23:51:24 2005 => Total Disinfected Files: 0
Tue Sep 13 18:45:06 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Tue Sep 13 18:45:08 2005 => System found infected with netster Spyware/Adware ({56336bcb-3d8a-11d6-a00b-0050da18de71})! Action taken: No Action Taken.
Tue Sep 13 18:45:31 2005 => System found infected with SAHAgent Spyware/Adware (C:\WINDOWS\system32\lsp.dll)! Action taken: No Action Taken.
Tue Sep 13 18:45:32 2005 => System found infected with SAHAgent Spyware/Adware (lsp.dll)! Action taken: No Action Taken.
Tue Sep 13 18:45:32 2005 => System found infected with Tencent QQ Spyware/Adware (acodec.dll)! Action taken: No Action Taken.
Tue Sep 13 18:56:36 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Tue Sep 13 20:01:19 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~ Funde für "tagged" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Sep 12 22:42:39 2005 => Scanning Folder: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\yahoo!\ytaggedbm\*.*
Mon Sep 12 22:42:39 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\yahoo!\ytaggedbm\Globaltags.ybm
Mon Sep 12 22:59:09 2005 => Scanning File C:\Programme\Kodak\Kodak EasyShare software\bin\Tagged.chm
Tue Sep 13 18:52:06 2005 => Scanning Folder: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\yahoo!\ytaggedbm\*.*
Tue Sep 13 18:52:06 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\yahoo!\ytaggedbm\Globaltags.ybm
Tue Sep 13 19:09:05 2005 => Scanning File C:\Programme\Kodak\Kodak EasyShare software\bin\Tagged.chm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Sep 12 22:36:06 2005 => Offending file found: C:\WINDOWS\system32\lsp.dll
Mon Sep 12 22:36:06 2005 => Offending file found: C:\WINDOWS\System32\lsp.dll
Mon Sep 12 22:36:07 2005 => Offending file found: C:\WINDOWS\System32\acodec.dll
Mon Sep 12 23:51:24 2005 => Total Virus(es) Found: 5
Tue Sep 13 18:45:31 2005 => Offending file found: C:\WINDOWS\system32\lsp.dll
Tue Sep 13 18:45:32 2005 => Offending file found: C:\WINDOWS\System32\lsp.dll
Tue Sep 13 18:45:32 2005 => Offending file found: C:\WINDOWS\System32\acodec.dll
Tue Sep 13 20:01:19 2005 => Total Virus(es) Found: 5
Mon Sep 12 23:51:24 2005 => Total Errors: 65
Tue Sep 13 20:01:19 2005 => Total Errors: 65
Mon Sep 12 23:51:24 2005 => Time Elapsed: 01:16:07
Tue Sep 13 20:01:19 2005 => Time Elapsed: 01:16:27
Mon Sep 12 23:51:24 2005 => Total Objects Scanned: 67059
Tue Sep 13 20:01:19 2005 => Total Objects Scanned: 69385
Mon Sep 12 22:33:58 2005 => Virus Database Date: 2005/09/12
Mon Sep 12 23:51:24 2005 => Virus Database Date: 2005/09/12
Mon Sep 12 23:53:24 2005 => Virus Database Date: 2005/09/12
Tue Sep 13 00:12:58 2005 => Virus Database Date: 2005/09/12
Tue Sep 13 18:43:21 2005 => Virus Database Date: 2005/09/13
Tue Sep 13 20:01:19 2005 => Virus Database Date: 2005/09/13
Tue Sep 13 20:50:10 2005 => Virus Database Date: 2005/09/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Many thanks for your effort and time! Tanja
14.09.2005, 20:56 | #5
a new logfile... Hey everyone! I have now tried everything Cidre suggested to delete the spyware! Total Commander: how am I supposed to tell from that what I need to delete? That is really only for experts! Killbox: I have no idea what I am supposed to enter from the eScan logfile - names like 'alexa' etc. are given, but after them there are only numbers... eScan-Checkb9: one particular file never gets loaded, "... file is missing"... So what comes next? Kind regards, Tanja
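The question above (which eScan findings name a file that a file-removal tool could be pointed at, and which name only a registry CLSID, the "just numbers" entries) can be answered by reading the log format itself. The following Python is an added example, not from the thread or from eScan: it splits the "System found infected" lines into CLSIDs and file names, de-duplicates the "Offending file found" paths (the log lists lsp.dll twice with different capitalisation), and checks whether any CLSID eScan reports also appears in the HijackThis log from post #1; the sample lines are copied from the two logs posted above, and the regular expressions are assumptions fitted to those lines.

```python
import re

# Constructed sample: lines copied from the eScan_neu.txt posted above.
ESCAN_LOG = "\n".join([
    r"Mon Sep 12 22:35:41 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.",
    r"Mon Sep 12 22:35:43 2005 => System found infected with netster Spyware/Adware ({56336bcb-3d8a-11d6-a00b-0050da18de71})! Action taken: No Action Taken.",
    r"Mon Sep 12 22:36:06 2005 => System found infected with SAHAgent Spyware/Adware (C:\WINDOWS\system32\lsp.dll)! Action taken: No Action Taken.",
    r"Mon Sep 12 22:36:06 2005 => System found infected with SAHAgent Spyware/Adware (lsp.dll)! Action taken: No Action Taken.",
    r"Mon Sep 12 22:36:07 2005 => System found infected with Tencent QQ Spyware/Adware (acodec.dll)! Action taken: No Action Taken.",
    r"Mon Sep 12 22:36:06 2005 => Offending file found: C:\WINDOWS\system32\lsp.dll",
    r"Mon Sep 12 22:36:06 2005 => Offending file found: C:\WINDOWS\System32\lsp.dll",
    r"Mon Sep 12 22:36:07 2005 => Offending file found: C:\WINDOWS\System32\acodec.dll",
])

# Constructed sample: two O16 lines from the HijackThis log in post #1.
HJT_LOG = "\n".join([
    r"O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19cec2af6a8d20923305/netzip/RdxIE601_de.cab",
    r"O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://ax.emsisoft.com/axscan.cab",
])

INFECTED_RE = re.compile(r"System found infected with (?P<name>.+?) Spyware/Adware \((?P<obj>[^)]+)\)")
OFFENDING_RE = re.compile(r"Offending file found: (?P<path>.+?)\s*$")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_findings(log: str) -> dict:
    """Group 'System found infected' lines by name: registry CLSIDs vs files."""
    findings = {}
    for line in log.splitlines():
        m = INFECTED_RE.search(line)
        if not m:
            continue
        entry = findings.setdefault(m["name"], {"clsids": set(), "files": set()})
        bucket = "clsids" if CLSID_RE.match(m["obj"]) else "files"
        entry[bucket].add(m["obj"])
    return findings


def offending_paths(log: str) -> list:
    """Full paths eScan reported, de-duplicated case-insensitively (Windows paths)."""
    seen = {}
    for line in log.splitlines():
        m = OFFENDING_RE.search(line)
        if m:
            seen.setdefault(m["path"].lower(), m["path"])
    return sorted(seen.values(), key=str.lower)


def cross_reference(findings: dict, hjt_log: str) -> dict:
    """Map each finding to the HijackThis lines carrying one of its CLSIDs."""
    hits = {}
    for name, entry in findings.items():
        ids = {c.lower() for c in entry["clsids"]}
        for line in hjt_log.splitlines():
            if any(c in line.lower() for c in ids):
                hits.setdefault(name, []).append(line)
    return hits
```

Run against the two logs, the only CLSID match is netster, whose GUID is the O16 RdxIE Class entry; alexa has no file at all, so it is a registry-only finding, while SAHAgent and Tencent QQ resolve to the two paths under System32.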