cmd geht nicht bitte um Auswertung HJT-File

Purzely · 17.07.2006, 22:14

Hi,

Meine eingabeaufforderung funktioniert nicht richtig, deshalb schaut euch mal das an:

Logfile of HijackThis v1.99.1
Scan saved at 23:04:05, on 17.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\AusLogics Visual Styler\themehelpersvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
E:\Programme\Sicherheit\ewido anti-spyware 4.0\guard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\Programme\Sicherheit\ewido anti-spyware 4.0\ewido.exe
E:\Programme\Fernsehen\TV Movie\TV Movie ClickFinder\tvtip.EXE
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
E:\Programme\Sicherheit\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = h**p://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C0B4A97D-E166-016C-9557-B10E1E67B6BD} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Programme\Drucker\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: TV Movie.de - {B50FCD28-C2CC-4f3b-B755-62B086EDE4D5} - C:\Programme\TV Movie\TV Movie Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "E:\Programme\Sicherheit\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TVTip] E:\Programme\Fernsehen\TV Movie\TV Movie ClickFinder\tvtip.EXE /m
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Programme\Internet\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Programme\Internet\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - h**p://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - h**p://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127159640015
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - h**p://game02.zylom.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050E90AE-3177-4644-A40F-487101D8BC8B}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9807EA17-2131-4112-8802-0B140F18E87E}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{050E90AE-3177-4644-A40F-487101D8BC8B}: NameServer = 192.168.2.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AusLogics Windows Themes Helper (ALThemeHelper) - Unknown owner - C:\Programme\AusLogics Visual Styler\themehelpersvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Programme\Sicherheit\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: T-Online DSL-Manager (TODslService) - T-Systems International GmbH - C:\Programme\T-Online\DSL-Manager\TODslSvc.exe

Danke

CU Andrea

felix1 · 17.07.2006, 22:21

Ich denke mal, hier sollte ein escan angebracht sein. Hier ist mehr vorhanden.
http://www.trojaner-board.de/showthread.php?t=24192
Halte Dich genau an die Anleitung. Zur Auswertung lese die Hinweise zur find.bat (Rot 5).
Die erzeugte Datei hier posten.
Denke mal, morgen gehts weiter. Der Scan dauert mindestens eine Stunde, je nach Pattengrösse auch entschieden länger.

Purzely · 18.07.2006, 12:32

Hallo Felix,

so hier das Ergebniss
die gefundenen mit dem gesucht Wort "infected"

Tue Jul 18 09:12:26 2006 => System found
infected with zlob Trojan-Downloader
({7c43e35c-a398-7c5f-b1ba-7e87073be150})!
Action taken: No Action Taken.

Tue Jul 18 09:12:26 2006 => System found
infected with stylexp Spyware/Adware
({c333cf63-767f-4831-94ac-e683d962c63c})!
Action taken: No Action Taken.

Tue Jul 18 09:12:27 2006 => Offending Key
found: HKLM\Software\Microsoft\Windows\CurrentVersi
on\uninstall\hsa !!!

Tue Jul 18 09:12:27 2006 => Object "hsa
Spyware/Adware" found in File System! Action
Taken: No Action Taken.

Tue Jul 18 09:12:29 2006 => Offending file
found: C:\WINDOWS\system32\atlmr32.exe

Tue Jul 18 09:12:29 2006 => System found
infected with cws.homesearch Browser
Hijacker (atlmr32.exe)! Action taken: No
Action Taken.

Tue Jul 18 09:12:29 2006 => Offending Folder
found: C:\Programme\Gemeinsame Dateien\cmeii

Tue Jul 18 09:12:29 2006 => Object "cmesys
Spyware/Adware" found in File System! Action
Taken: No Action Taken.

Tue Jul 18 09:12:29 2006 => Offending Folder
found: C:\Programme\Gemeinsame Dateien\gmt

Tue Jul 18 09:12:29 2006 => Object
"gain.gator Spyware/Adware" found in File
System! Action Taken: No Action Taken.

Tue Jul 18 09:12:40 2006 => Offending Folder
found: C:\Dokumente und Einstellungen\**-PC\Favoriten\
sites about

Tue Jul 18 09:12:40 2006 => Object
"smartfinder Spyware/Adware" found in File
System! Action Taken: No Action Taken.

Tue Jul 18 09:14:02 2006 => Scanning Folder:
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\*.*

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\4450ca1d.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\4450ca91.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\4450cab6.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\44550e6a.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\4457931a.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\44b86aa5.qua

Tue Jul 18 09:14:02 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\44eac74e.qua

Tue Jul 18 09:14:03 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\451e6452.qua

Tue Jul 18 09:14:03 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\451e990c.qua

Tue Jul 18 09:14:03 2006 => Scanning File
C:\Dokumente und Einstellungen\All
Users.WINDOWS\Anwendungsdaten\AntiVir
PersonalEdition Classic\INFECTED\451f645a.qua

Tue Jul 18 10:21:12 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0201632.exe infected
by "Trojan-Downloader.Win32.INService.gen"
Virus! Action Taken: No Action Taken.

Tue Jul 18 10:21:14 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0201668.exe infected
by "VirTool.Win32.Patcher.a" Virus! Action
Taken: No Action Taken.

Tue Jul 18 10:21:14 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0201671.exe infected
by "VirTool.Win32.Patcher.a" Virus! Action
Taken: No Action Taken.

Tue Jul 18 11:35:56 2006 => File
E:\Programme\Säuberer\AVPersonal.zip
infected by "Email-Worm.Win32.Hybris.b"
Virus! Action Taken: No Action Taken.
--------------------------------------
und hier nach "tagged" gesucht:

Tue Jul 18 10:21:29 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0201872.exe tagged as
"not-a-virus:AdWare.Win32.SideSearch.g".
Action Taken: No Action Taken.

Tue Jul 18 10:21:37 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0202025.exe tagged as
not-a-virus:PSWTool.Win32.PassView.162. No
Action Taken.

Tue Jul 18 10:21:37 2006 => Scanning File
D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0202026.EXE

Tue Jul 18 10:21:37 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0202026.EXE tagged as
not-a-virus:PSWTool.Win32.PassView.160. No
Action Taken.

Tue Jul 18 10:21:37 2006 => Scanning File
D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0202027.exe

Tue Jul 18 10:21:37 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP386\A0202027.exe tagged as
not-a-virus:PSWTool.Win32.PassView.160. No
Action Taken.

Tue Jul 18 10:26:29 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP387\A0202167.exe tagged as
not-a-virus:PSWTool.Win32.ActMon.a. No
Action Taken.

Tue Jul 18 10:26:29 2006 => Scanning File
D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP387\A0202168.EXE

Tue Jul 18 10:26:29 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP387\A0202168.EXE tagged as
not-a-virus:PSWTool.Win32.ActMon.a. No
Action Taken.

Tue Jul 18 10:26:35 2006 => File D:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP387\A0202224.exe tagged as
"not-a-virus:AdWare.Win32.SaveNow.bo".
Action Taken: No Action Taken.

Tue Jul 18 10:53:58 2006 => File E:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199234.exe tagged as
"not-a-virus:AdWare.Win32.EZula.z". Action
Taken: No Action Taken.

Tue Jul 18 10:53:58 2006 => Scanning File
E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199235.exe

Tue Jul 18 10:53:59 2006 => File E:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199235.exe tagged as
"not-a-virus:AdWare.Win32.Gator.3103".
Action Taken: No Action Taken.

Tue Jul 18 10:54:29 2006 => File E:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199254.exe tagged as
"not-a-virus:AdWare.Win32.NewDotNet". Action
Taken: No Action Taken.

Tue Jul 18 10:54:29 2006 => Scanning File
E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199255.exe

Tue Jul 18 10:54:30 2006 => File E:\System
Volume Information\_restore{4439A9AE-1590-45C6-B713
-193F12B17488}\RP385\A0199255.exe tagged as
"not-a-virus:AdWare.Win32.NewDotNet". Action
Taken: No Action Taken.
------------------------------------------
------------------------------------------
und hier die Auswertung über "find.bat"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jul 18 09:12:26 2006 => System found infected with zlob Trojan-Downloader ({7c43e35c-a398-7c5f-b1ba-7e87073be150})! Action taken: No Action Taken.
Tue Jul 18 09:12:26 2006 => System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken.
Tue Jul 18 09:12:29 2006 => System found infected with cws.homesearch Browser Hijacker (atlmr32.exe)! Action taken: No Action Taken.
Tue Jul 18 09:12:27 2006 => Object "hsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 09:12:29 2006 => Object "cmesys Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 09:12:29 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 09:12:40 2006 => Object "smartfinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Tue Jul 18 10:21:12 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0201632.exe infected by "Trojan-Downloader.Win32.INService.gen" Virus! Action Taken: No Action Taken.
Tue Jul 18 10:21:14 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0201668.exe infected by "VirTool.Win32.Patcher.a" Virus! Action Taken: No Action Taken.
Tue Jul 18 10:21:14 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0201671.exe infected by "VirTool.Win32.Patcher.a" Virus! Action Taken: No Action Taken.
Tue Jul 18 11:35:56 2006 => File E:\Programme\Säuberer\AVPersonal.zip infected by "Email-Worm.Win32.Hybris.b" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Tue Jul 18 09:12:29 2006 => Offending file found: C:\WINDOWS\system32\atlmr32.exe
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
und hier nach tagged gesucht:
Tue Jul 18 10:21:29 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0201872.exe tagged as "not-a-virus:AdWare.Win32.SideSearch.g". Action Taken: No Action Taken.
Tue Jul 18 10:21:37 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0202025.exe tagged as not-a-virus:PSWTool.Win32.PassView.162. No Action Taken.
Tue Jul 18 10:21:37 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0202026.EXE tagged as not-a-virus:PSWTool.Win32.PassView.160. No Action Taken.
Tue Jul 18 10:21:37 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP386\A0202027.exe tagged as not-a-virus:PSWTool.Win32.PassView.160. No Action Taken.
Tue Jul 18 10:26:29 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP387\A0202167.exe tagged as not-a-virus:PSWTool.Win32.ActMon.a. No Action Taken.
Tue Jul 18 10:26:29 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP387\A0202168.EXE tagged as not-a-virus:PSWTool.Win32.ActMon.a. No Action Taken.
Tue Jul 18 10:26:35 2006 => File D:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP387\A0202224.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.bo". Action Taken: No Action Taken.
Tue Jul 18 10:53:58 2006 => File E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP385\A0199234.exe tagged as "not-a-virus:AdWare.Win32.EZula.z". Action Taken: No Action Taken.
Tue Jul 18 10:53:59 2006 => File E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP385\A0199235.exe tagged as "not-a-virus:AdWare.Win32.Gator.3103". Action Taken: No Action Taken.
Tue Jul 18 10:54:29 2006 => File E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP385\A0199254.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
Tue Jul 18 10:54:30 2006 => File E:\System Volume Information\_restore{4439A9AE-1590-45C6-B713-193F12B17488}\RP385\A0199255.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Tue Jul 18 09:12:29 2006 => Offending Folder found: C:\Programme\Gemeinsame Dateien\cmeii
Tue Jul 18 09:12:29 2006 => Offending Folder found: C:\Programme\Gemeinsame Dateien\gmt
Tue Jul 18 09:12:40 2006 => Offending Folder found: C:\Dokumente und Einstellungen\**PC\Favoriten\sites about
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Tue Jul 18 09:12:27 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\hsa !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------------------------------
C:\mwav.log
--------------------------------------------------

Übrigens: hat 3 Std und 48 min gedauert
Was jetzt?

CU Andrea

felix1 · 18.07.2006, 13:53

Ein großer Teil ist im Restore. Er lässt sich entfernen über das Deaktivieren der Systemwiederherstellung bei allen Laufwerken und Neustart des PC. Siehe meine Signatur.

Zur Beseitigung des Zlob wäre diese Anleitung ratsam:
http://www.trojaner-board.de/showthread.php?t=30411

Weiterhin die Quarantäne des Antivirenprogrammes löschen.
Danach ein neues Log von HJT sowie ein neuer escan. Lösche dazu vorher die Datei mvaw.log in dem Verzeichnis, wo escan liegt.

Es könnte mühsam werden.

/edit by Felix/
Hast Du beim scan mit ewido auch alles löschen lassen?

Purzely · 18.07.2006, 15:32

So Hälfte erledigt: Erstens die rapport von Smit:

SmitFraudFix v2.73

Scan done at 16:06:18,01, 18.07.2006
Run from E:\Programme\Sicherheit\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

und hier die HJT-File:

Logfile of HijackThis v1.99.1
Scan saved at 16:28:10, on 18.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\AusLogics Visual Styler\themehelpersvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
E:\Programme\Sicherheit\ewido anti-spyware 4.0\ewido.exe
E:\Programme\Fernsehen\TV Movie\TV Movie ClickFinder\tvtip.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
E:\Programme\Sicherheit\ewido anti-spyware 4.0\guard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
E:\Programme\Sicherheit\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {C0B4A97D-E166-016C-9557-B10E1E67B6BD} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Programme\Drucker\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: TV Movie.de - {B50FCD28-C2CC-4f3b-B755-62B086EDE4D5} - C:\Programme\TV Movie\TV Movie Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "E:\Programme\Sicherheit\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TVTip] E:\Programme\Fernsehen\TV Movie\TV Movie ClickFinder\tvtip.EXE /m
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://E:\Programme\Drucker\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Programme\Internet\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Programme\Internet\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\spacklsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127159640015
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game02.zylom.com/activex/zylomgamesplayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{050E90AE-3177-4644-A40F-487101D8BC8B}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9807EA17-2131-4112-8802-0B140F18E87E}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{050E90AE-3177-4644-A40F-487101D8BC8B}: NameServer = 192.168.2.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AusLogics Windows Themes Helper (ALThemeHelper) - Unknown owner - C:\Programme\AusLogics Visual Styler\themehelpersvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Programme\Sicherheit\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: T-Online DSL-Manager (TODslService) - T-Systems International GmbH - C:\Programme\T-Online\DSL-Manager\TODslSvc.exe

Der EScan läuft gleich

CU Andrea

Purzely · 18.07.2006, 16:41

Hallo,

so hier der Escan nach find:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jul 18 16:35:07 2006 => System found infected with zlob Trojan-Downloader ({7c43e35c-a398-7c5f-b1ba-7e87073be150})! Action taken: No Action Taken.
Tue Jul 18 16:35:07 2006 => System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken.
Tue Jul 18 16:35:10 2006 => System found infected with cws.homesearch Browser Hijacker (atlmr32.exe)! Action taken: No Action Taken.
Tue Jul 18 16:35:08 2006 => Object "hsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 16:35:10 2006 => Object "cmesys Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 16:35:10 2006 => Object "gain.gator Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 16:35:21 2006 => Object "smartfinder Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 18 16:35:25 2006 => Object "wareout Adware" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Tue Jul 18 16:35:10 2006 => Offending file found: C:\WINDOWS\system32\atlmr32.exe
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Tue Jul 18 16:35:10 2006 => Offending Folder found: C:\Programme\Gemeinsame Dateien\cmeii
Tue Jul 18 16:35:10 2006 => Offending Folder found: C:\Programme\Gemeinsame Dateien\gmt
Tue Jul 18 16:35:21 2006 => Offending Folder found: C:\Dokumente und Einstellungen\**PC\Favoriten\sites about
Tue Jul 18 16:35:25 2006 => Offending Folder found: C:\Dokumente und Einstellungen\All Users.WINDOWS\Anwendungsdaten\cyberlink\powerdvd\ipower\images\hd
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Tue Jul 18 16:35:08 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\hsa !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jul 18 17:23:31 2006 => Total Errors: 26
Tue Jul 18 17:23:31 2006 => Time Elapsed: 00:49:02
Tue Jul 18 17:23:31 2006 => Total Objects Scanned: 56857
Tue Jul 18 16:33:25 2006 => Virus Database Date: 7/16/2006
Tue Jul 18 17:23:31 2006 => Virus Database Date: 7/16/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------------------------------
C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\downloads\Sicherheit\6MWAV\Find\MWAV.LOG
--------------------------------------------------

Kann ich die beschriebenen Dateien jetzt mit Hand löschen??? Ähm... welche genau??

CU Andrea

**Sunny** · 18.07.2006, 16:54

Hallo,

diese Datei kannst du definitiv löschen: (nutze eventuell die Killbox Haken bei "delete on reboot" und neustarten lassen!)

Zitat:

C:\WINDOWS\system32\atlmr32.exe

Ansonsten lade dir folgende Programme:
1.) Ad-Aware
2.) Spybot S&D
(immunisiere nach dem Scan zusätzlich dein System!)

Danach sollte dein System wieder sauber sein ..

Gruß
Daniel

cmd geht nicht bitte um Auswertung HJT-File

Log-Analyse und Auswertung: cmd geht nicht bitte um Auswertung HJT-File