Hi Leute,

ich habe seit einigen Tagen das Problem, dass sich in unregelmäßigen Abständen die Dos-Eingabe(CMD.exe) kurz öffnet und anschließend öffnen sich einige Werbeseiten mit dem IE. Hier mal ein Log, vielleicht kann mir Jemand weiterhelfen.

--------------------------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 16:26:23, on 21.11.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\cisvc.exe
C:\Programme\FSI\F-Prot\fpavupdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\oodag.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\FSI\F-Prot\F-Sched.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\LXSUPMON.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe
C:\Programme\little_helper2\little_helper2.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\OdHost.exe
C:\WINNT\System32\cidaemon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\***\Programme\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsv03-urbach.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: IEEE 802.11g Wireless USB Adapter Utility.lnk = C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe
O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5835F0-6585-4149-A330-04146FB49B4E}: NameServer = 85.237.87.161,217.20.114.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFA3BB98-E535-4480-B98D-E29B21924D87}: NameServer = 85.237.87.161,217.20.114.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6CBC873-387C-4072-8E01-A0A996D52A6E}: NameServer = 85.237.87.161,217.20.114.127
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Programme\FSI\F-Prot\fpavupdm.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Programme\RealVNC\WinVNC\WinVNC.exe

----------------------------------------------------------

Hallo,

zuerst habe ich mal ein paar Fragen.
Hast du VNC absichtlich installiert?
Kennst du das Programm "little_helper2"? Überprüfe die Datei C:\Programme\little_helper2\little_helper2.exe im Zweifelsfall online auf http://virusscan.jotti.org/de und poste das Ergebnis.

Zitat:

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)

Das gehört dazu. Möglicherweise befindet sich die Schadsoftware aber nicht mehr auf dem Rechner (-> no file).

Scanne dein System mit Spybot Search&Destroy und Ad-Aware.

Poste dann bitte ein Silent Runners-Logfile.

Hallo Haui45,

also:
VNC ist mit absicht installiert.

Das Programm "little_helper" kenne ich nicht und es kam mir auch schon suspekt vor. Mit dem Online scan fand ich folgendes raus:
------------------------------------------------------
Kaspersky Anti-Virus
not-a-virus:AdWare.Win32.Helper.b gefunden
------------------------------------------------------

Spybot fand: Avenue A, Inc. UND Doubleclick

------------------------------------------------------
Und hier das Silent-Runners Logfile:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = "C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"FRISK FP-Scheduler" = "C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP" ["FRISK Software International"]
"DataLayer" = "C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"WorksFUD" = "C:\Programme\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Programme\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Nokia Connection Monitor" = ""C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe"" ["Nokia Corporation"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"LXSUPMON" = "C:\WINNT\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"little_helper.exe" = (empty string)
"little_helper2.exe" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}" = "FRISK extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string]
"{E443A8D5-D905-4401-8789-16AE23A8A96D}" = "FRISK extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FRISK\(Default) = "{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "(Kein)" [file not found]


Startup items in "*****" & "******" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"IEEE 802.11g Wireless USB Adapter Utility" -> shortcut to: "C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe" [empty string]
"little_helper2" -> shortcut to: "C:\Programme\little_helper2\little_helper2.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Datenträgerbereinigung" -> launches: "C:\WINNT\System32\cleanmgr.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
F-Prot Antivirus Update Monitor, F-Prot Antivirus Update Monitor, ""C:\Programme\FSI\F-Prot\fpavupdm.exe"" ["FRISK Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
O&O Defrag, O&O Defrag, "C:\WINNT\system32\oodag.exe" ["O&O Software GmbH"]
VNC Server, winvnc, ""C:\Programme\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S450\Driver = "CNMLM2R.DLL" ["CANON INC."]
Canon MP Language Monitor MP360\Driver = "CNMLMyd.DLL" ["CANON INC."]
PDF Port\Driver = "C:\WINNT\system32\pdfports.dll" ["Adobe Systems Incorporated."]
USB Remote print port\Driver = "Printer Server\demo.dll" ["UNknown Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 60 seconds, including 11 seconds for message boxes)