Hallo an alle.
Kämpfe seit heut morgen mit dem PC meiner Freundin, ihr Antivirus (Avast Antivirus) war schon länger abgelaufen und sie hat sich anscheinend Win32BackdoorAgent/TrojanSpy eingefangen. Eset Nod32(Trial Version,gleich aktualisiert) hat diese gefunden und dann auch als gelöscht gemeldet.Ich habs zur Sicherheit nochmal probiert,keine Meldung. Lavasoft Adaware findet sie allerdings noch.Auch nachdem es sie gelöscht hat und auch nachdem ich das ganze im Safe Mode wiederholt habe.Ich bin mit meinem Latein am Ende also hier mein HJT-Log und der von Adaware,hoffe wirklich Ihr könnt helfen.

Vielen Dank im Voraus.

Logfile of HijackThis v1.99.1
Scan saved at 02:50:24, on 27.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
F:\WINDOWS\system32\wdfmgr.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Kabelloser Labtec-Desktop\MagicKey.exe
F:\Program Files\DDC\LevelOne_USB_802.11g_Utility\LevelOneWla n.exe
F:\Program Files\Kabelloser Labtec-Desktop\MulMouse.exe
F:\Program Files\Kabelloser Labtec-Desktop\OSD.EXE
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Documents and Settings\sarah\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebtown.com/freesec/thankyou.htm
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDO WS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "F:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kabellosen Labtec-Desktop aktivieren.lnk = F:\Program Files\Kabelloser Labtec-Desktop\MagicKey.exe
O4 - Global Startup: LevelOne 11g Wireless USB.lnk = F:\Program Files\DDC\LevelOne_USB_802.11g_Utility\LevelOneWla n.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138351640315
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Boonty Games - BOONTY - F:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - F:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - F:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - F:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - F:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe







Ad-Aware 2007 Build
Log File Created on: 2008-02-27 02:00:15
Using Definitions File: F:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\core.aawdef
Computer name: COMPANY
Name of user performing scan: SYSTEM

System information
===========================
Number of processors: 1
Processor type: AMD Sempron(tm) Processor 2800+
Memory Available: 41%
Total Physical Memory: 1005830144 Bytes
Available Physical Memory: 408403968 Bytes
Total Page File Size: 2426859520 Bytes
Available On Page File: 1978789888 Bytes
Total Virtual Memory: 2147352576 Bytes
Available Virtual Memory: 1929936896 Bytes
OS: Microsoft Windows XP Service Pack 2 (Build 2600)

Ad-Aware 2007 Settings
===========================
Skipping files larger than 1048576 kB
Ignoring infections with lower TAI than: 3


Extended Ad-Aware 2007 Settings
===========================
Unloading known modules during scan
Ignoring spanned files when scanning cab archives
Reanalyzing results after scanning before displaying results
Trying to unload modules prior to removal
Let Windows remove files currently in use at next reboot
Removing quarantined objects after restore
Deactivating Ad-Watch during scans
Writeprotecting system files after repairs
Include info about ignored objects in log file
Including basic settings in log file
Including advanced settings in log file
Including user and computer name in log file
Notify when Definitions File is outdated
Create and save WebUpdate log file

Databaseinfo
===========================
Version number: 54
Build Number: 0
Build Date and Time: 2008/02/25 11:05:27

Scan Statistics
===========================
Method: Custom
Scan active processes.............................: On
Registry scan.....................................: On
Deep-scan registry................................: On
Scan my IE favorites..............................: Off
Scan my hosts file................................: On
Scan tracking cookies.............................: On
Unload known processes and modules................: On
Run scan as background process....................: Off
Ignore spanned files when scanning cab archives...: On
Deactivate Ad-Watch...............................: On
Reanalyze scan result.............................: On
Scan within archives..............................: On
Scan only .exe-files..............................: Off
Skip files larger than............................: 1048576 Bytes
Remove LSP function...............................: On
Scan ADS filestreams..............................: On
Ignore infections with lower TAI than.............: 3
Specific folders to scan..........................: 0

Item Scanned: 137597
Infections Detected: 9
Infections Ignored: 0

Scan detailed statistics
===========================
Type Critical Total
Process Scan....: 0 0
Registry Scan...: 4 4
Registry PE Scan: 0 0
Hosts File Scan.: 0 0
File Scan.......: 0 0
Folder Scan.....: 2 2
LSP Scan........: 0 0
ADS Scan........: 0 0
Cookie Scan.....: 3 3
File Hash Scan..: 0 0

Infections Found
===========================
Family Id: 799 Name: Win32.Backdoor.Agent Category: Virus TAI:10
Item Id: 300017021 Value: Root: HKU Path: .DEFAULT\software\microsoft\windows\currentversion \explorer Value: {f710fa10-2031-3106-8872-93a2b5c5c620}
Item Id: 300017021 Value: Root: HKU Path: S-1-5-18\software\microsoft\windows\currentversion\explo rer Value: {f710fa10-2031-3106-8872-93a2b5c5c620}
Item Id: 400001463 Value: Folder: F:\WINDOWS\system32\wsnpoem
Family Id: 1066 Name: Win32.TrojanSpy.Peed Category: Malware TAI:10
Item Id: 300023930 Value: Root: HKU Path: .DEFAULT\software\microsoft\windows\currentversion \explorer Value: {f710fa10-2031-3106-8872-93a2b5c5c620}
Item Id: 300023930 Value: Root: HKU Path: S-1-5-18\software\microsoft\windows\currentversion\explo rer Value: {f710fa10-2031-3106-8872-93a2b5c5c620}
Item Id: 400001653 Value: Folder: F:\WINDOWS\system32\wsnpoem
Family Id: 725 Name: Tracking Cookie Category: DataMiner TAI:3
Item Id: 600000542 Value: Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt ivwbox.de i00 /
Item Id: 600000144 Value: Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt doubleclick.net id /
Item Id: 600000190 Value: Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt www.googleadservices.com Conversion /pagead/conversion/1070847646/

Items Ignored During Scan
===========================


Listing of running processes
===========================
F:\WINDOWS\SYSTEM32\SMSS.EXE


F:\WINDOWS\SYSTEM32\CSRSS.EXE


F:\WINDOWS\SYSTEM32\WINLOGON.EXE


F:\WINDOWS\SYSTEM32\SERVICES.EXE


F:\WINDOWS\SYSTEM32\LSASS.EXE


F:\WINDOWS\SYSTEM32\SVCHOST.EXE










F:\WINDOWS\EXPLORER.EXE


F:\WINDOWS\SYSTEM32\SPOOLSV.EXE


F:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\EKRN.EXE


F:\WINDOWS\SYSTEM32\NVSVC32.EXE


F:\WINDOWS\SYSTEM32\SVCHOST.EXE


F:\PROGRAM FILES\COMMON FILES\ULEAD SYSTEMS\DVD\ULCDRSVR.EXE


F:\WINDOWS\SYSTEM32\WDFMGR.EXE


F:\WINDOWS\SYSTEM32\ALG.EXE


F:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\JUSCHED.EXE


F:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\EGUI.EXE


F:\WINDOWS\SYSTEM32\CTFMON.EXE


F:\PROGRAM FILES\KABELLOSER LABTEC-DESKTOP\MAGICKEY.EXE


F:\PROGRAM FILES\DDC\LEVELONE_USB_802.11G_UTILITY\LEVELONEWLA N.EXE


F:\PROGRAM FILES\KABELLOSER LABTEC-DESKTOP\MULMOUSE.EXE


F:\PROGRAM FILES\KABELLOSER LABTEC-DESKTOP\OSD.EXE


F:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE


F:\PROGRAM FILES\MORETV.353\MORETV.EXE


F:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE


F:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AD-AWARE2007.EXE


End of Scan Section
===========================

Quarantined Infections
===========================

End Quarantine / Cleaned Infection Log
===========================

Quarantined Infections
===========================
Root: HKU Path: .DEFAULT\software\microsoft\windows\currentversion \explorer Value: {f710fa10-2031-3106-8872-93a2b5c5c620} belonging to Win32.Backdoor.Agent
Root: HKU Path: S-1-5-18\software\microsoft\windows\currentversion\explo rer Value: {f710fa10-2031-3106-8872-93a2b5c5c620} belonging to Win32.Backdoor.Agent
Folder: F:\WINDOWS\system32\wsnpoem belonging to Win32.Backdoor.Agent
Root: HKU Path: .DEFAULT\software\microsoft\windows\currentversion \explorer Value: {f710fa10-2031-3106-8872-93a2b5c5c620} belonging to Win32.TrojanSpy.Peed
Root: HKU Path: S-1-5-18\software\microsoft\windows\currentversion\explo rer Value: {f710fa10-2031-3106-8872-93a2b5c5c620} belonging to Win32.TrojanSpy.Peed
Folder: F:\WINDOWS\system32\wsnpoem belonging to Win32.TrojanSpy.Peed
Root: HKU Path: .DEFAULT\software\microsoft\windows\currentversion \explorer Value: {f710fa10-2031-3106-8872-93a2b5c5c620}, Belonging to Win32.Backdoor.Agent

End Quarantine / Cleaned Infection Log
===========================

Cleaned Infections
===========================

End of Cleaned Infections
===========================

Cleaned Infections
===========================

End of Cleaned Infections
===========================

Cleaned Infections
===========================
Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt ivwbox.de i00 /, Belonging to Tracking Cookie
Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt doubleclick.net id /, Belonging to Tracking Cookie
Browser: Firefox Cookie: F:\Documents and Settings\sarah\Application Data\Mozilla\Firefox\Profiles/iwymqhrn.default\cookies.txt www.googleadservices.com Conversion /pagead/conversion/1070847646/, Belonging to Tracking Cookie

End of Cleaned Infections
===========================

Warum zweimal? Einmal reicht doch!!

http://www.trojaner-board.de/49944-w...te-helfen.html

Nun um ehrlich zu sein bin ich nach dem durchlesen der Antwort etwas paranoid geworden und hab auch gedacht am falschen Ort gepostet zu haben...Hoffe das war nett gegen die Regeln?
Trotzdem brauche ich dringend Hilfe und ich muss wissen wie sehr es nötig ist meinen Passwörter zu ändern(Onlinebanking usw.) da ich immer auch Zonealarm Firewall nutze.Kann dieser Backdoor eine FW umgehen?

Ich verstehe nicht deinen widerwillen gegen ein Neu aufsetzen. Was die Firewall betrifft, gibt es hier einen Thread: die-wahrheit-ueber-personal-firewalls