Trojaner-Board, forum "Pests of all kinds and their removal": TrojanDownloader
24.04.2008, 10:38 | #1

TrojanDownloader

Hello Trojaner-Board, I am new here and would first like to greet everyone. Of course I also urgently need help.

Problem: Windows Defender (operating system: Windows Vista) reports the following: TrojanDownloader: Win32/OpenStream.C, remove urgently. I tried that and get the following error message: Code 0x8050800f. Unexpected problem... I cannot get rid of it this way. According to Defender it is very dangerous!!!

I downloaded the current version of Spybot, scanned the notebook, a few viruses were found and I had them removed. I also ran Norton 360, nothing found. Started Spybot again, nothing found according to the report. Windows Defender keeps reporting the above Trojan in between.

What can or must I do to fix the problem? I am not a computer geek, just an ordinary user, so please give me an easy-to-understand description of how to fix it. Many thanks in advance for your effort.

Regards, Barbier
24.04.2008, 10:44 | #2

Hi,

please follow the HJ link in my signature and post the HJ log as well as a Silent Runners log (load points of programs). Unpack the zip archive into a directory, start it with a double-click and select "yes". The generated file is in the same directory the script was copied to; please load it in an editor and post it.
http://www.silentrunners.org/Silent%20Runners.zip

chris
25.04.2008, 13:29 | #3

Hello Chris4You,

thanks for the quick reply. It took me a while, sorry. Here is my HJ log.

Logfile of HijackThis v1.99.1
Scan saved at 14:07:56, on 25.04.2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Media Share Software\Viivmonitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WEB.DE\WEB.DE MultiMessenger\MESSENGR.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Tobit ClipInc\Player\ClipIncTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Caplio Software\RGateLXP.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\helppane.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\****\Downloads\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.1und1.de/links/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**tp://sedoparking.com/domparking.php?id=827484&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer bereitgestellt von 1&1 Internet AG
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: 1&&1 Internet AG Browser Configuration by mquadr.at - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [Play AVStation TV Scheduler] C:\Program Files\Samsung\Play AVStation\TvScheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViivMonitor] C:\Program Files\Intel\Intel Media Share Software\ViivMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WEB.DE_WEB.DE MultiMessenger] "C:\Program Files\WEB.DE\WEB.DE MultiMessenger\MESSENGR.EXE" /hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ClipIncSrvTray] "C:\Program Files\Tobit ClipInc\Player\ClipIncTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: RICOH Gate La.lnk = ?
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ccEvtMgr - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ccSetMgr - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: ClipInc 002 (ClipInc002) - Unknown owner - C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: ClipInc 003 (ClipInc003) - Unknown owner - C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Media Share Synch Service (IMSSync) - Intel® Corporation - C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: IEConfig 1und1 Edition (serviceIEConfig) - Unknown owner - C:\Windows\System32\ieconfig_1und1_svc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Thanks for your effort.
Regards, Barbier
25.04.2008, 13:48 | #4

Hi,

askbar -> About Adware.MyWebSearch.az - Spyware Terminator Anti-Spyware Database
Try to uninstall or delete it... Deactivate Spybot and TeaTimer first!

If that does not help, continue here:

Combofix
Deactivate Spybot and TeaTimer first!
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop. Close all windows, start combofix.exe and confirm the following prompt with 1 and press Enter. The ComboFix scan can take some time, so be patient. Please do not do anything on the computer while the scan is running. The computer may be restarted in the meantime. After the scan has finished a report is displayed; please copy it and paste it into your thread.

chris
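The triage chris does by eye in the reply above (the Ask toolbar entries hanging off the R3 URLSearchHook) can be written down as rules. The following script is an added example for this thread, not code from the forum or from HijackThis: it parses HijackThis-format log lines, treats an R3 URLSearchHook backed by a DLL outside the Windows directory as hijack evidence and then reports every O2 BHO and O3 toolbar installed from the same product directory, checks R0/R1 URLs (including the forum's h**p:// obfuscation) and O17 resolvers against allowlists, and reports "(file missing)" on O23 services only as something to verify when the path is a quoted executable followed by arguments, because the Silent Runners log posted later in the thread shows those same Symantec services running. The sample log is a constructed excerpt of the log posted above plus one constructed O17 line with an RFC 5737 TEST-NET address; the allowlists (the OpenDNS resolver pair seen in the log, the ISP and OEM hosts the R0/R1 entries point at) are assumptions for this particular machine.

```python
"""Triage rules for a HijackThis 1.99.x log (added example, not part of the thread or of HJT)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt in the format of the log posted above. The CS1 O17 line is
# constructed (RFC 5737 TEST-NET address) so the resolver check has something to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.1und1.de/links/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p:\\www.samsungcomputer.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**tp://sedoparking.com/domparking.php?id=827484&q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer bereitgestellt von 1&1 Internet AG
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53
O23 - Service: ccEvtMgr - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
"""

# Assumptions for this machine: the OpenDNS public resolvers that appear in the posted
# log, and the ISP/OEM hosts its R0/R1 entries point at. Anything else is reported.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
EXPECTED_HOSTS = {"go.microsoft.com", "go.1und1.de", "www.samsungcomputer.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<rest>.*)$")
CLSID_PATH_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")  # "{GUID} - file"
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[0-9., ]+)$")


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def parse(log: str) -> list:
    """Split a HJT log into (code, rest, original line) triples; other lines are ignored."""
    out = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["code"], m["rest"], raw.strip()))
    return out


def product_root(path: str) -> str:
    """Lower-cased install directory: 'C:\\Program Files\\<product>' when under Program Files."""
    parts = path.split("\\")
    for i, p in enumerate(parts):
        if p.lower() in ("program files", "progra~1") and i + 1 < len(parts):
            return "\\".join(parts[: i + 2]).lower()
    return "\\".join(parts[:-1]).lower()


def url_host(value: str) -> str:
    """Hostname of a possibly forum-obfuscated URL (h**p://, h**tp://), or "" if not a URL."""
    url = re.sub(r"^h\*+t?p(s?)", r"http\1", value.strip(), flags=re.IGNORECASE)
    url = url.replace(":\\\\", "://")  # the "h**p:\\host" variant seen in the log
    return urlparse(url).hostname or ""


def triage(log: str) -> list:
    entries = parse(log)
    findings, hook_roots = [], set()
    # Pass 1: a URLSearchHook served from outside the Windows directory is hijack evidence;
    # remember its install directory so related BHOs/toolbars are reported with it.
    for code, rest, line in entries:
        m = CLSID_PATH_RE.search(rest) if code == "R3" else None
        if m and "\\windows\\" not in m["path"].lower():
            hook_roots.add(product_root(m["path"]))
            findings.append(Finding(code, "URLSearchHook backed by a third-party DLL", line))
    # Pass 2: everything else.
    for code, rest, line in entries:
        if code in ("O2", "O3"):
            m = CLSID_PATH_RE.search(rest)
            if m and product_root(m["path"]) in hook_roots:
                findings.append(Finding(code, "BHO/toolbar from the same install directory as a flagged URLSearchHook", line))
        elif code in ("R0", "R1"):
            value = rest.split(" = ", 1)[1] if " = " in rest else ""
            host = url_host(value)
            if host and host not in EXPECTED_HOSTS:
                findings.append(Finding(code, f"IE start/search URL points at unexpected host {host}", line))
        elif code == "O17":
            m = NAMESERVER_RE.search(rest)
            if m:
                unknown = {s.strip() for s in m["servers"].split(",")} - EXPECTED_RESOLVERS
                if unknown:
                    findings.append(Finding(code, "unexpected DNS resolver(s): " + ", ".join(sorted(unknown)), line))
        elif code == "O23" and rest.endswith("(file missing)"):
            if '" /' in rest or '" -' in rest:
                reason = ("'file missing' after a quoted path with arguments; HJT 1.99.1 misreads these, "
                          "confirm against the running service list before acting")
            else:
                reason = "service binary reported missing; confirm on disk"
            findings.append(Finding(code, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

On the constructed excerpt the script reports six entries: the Ask URLSearchHook with the Ask BHO and toolbar grouped under it, the sedoparking SearchURL, the constructed resolver, and the ccEvtMgr service marked "verify" rather than "remove"; the Adobe BHO and the 1&1/Samsung pages pass.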
25.04.2008, 13:59 | #5 |
| TrojanDownloader Hi, hier auch der Silent-Log. "Silent Runners.vbs", revision 56, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "WEB.DE_WEB.DE MultiMessenger" = ""C:\Program Files\WEB.DE\WEB.DE MultiMessenger\MESSENGR.EXE" /hide" ["WEB.DE GmbH"] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"" ["Nero AG"] "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS] "ClipIncSrvTray" = ""C:\Program Files\Tobit ClipInc\Player\ClipIncTray.exe"" ["Tobit.Software"] "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "IaNvSrv" = "C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" ["Intel Corporation"] "Play AVStation TV Scheduler" = "C:\Program Files\Samsung\Play AVStation\TvScheduler.exe" ["SAMSUNG ELECTRONICS CO., LTD."] "NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart" [MS] "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "(Default)" = (empty string) [file not found] "ViivMonitor" = "C:\Program Files\Intel\Intel Media Share Software\ViivMonitor.exe" ["Intel(R) Corporation"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "ccApp" = 
""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {9CB65201-89C4-402c-BA80-02D8C59F9B1D}\(Default) = "Ask Search Assistant BHO" -> {HKLM...CLSID} = "Ask Search Assistant BHO" \InProcServer32\(Default) = "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" ["Ask.com"] {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341}\(Default) = (no title provided) -> {HKLM...CLSID} = "1&&1 Internet AG Browser Configuration by mquadr.at" \InProcServer32\(Default) = "C:\Windows\System32\ieconfig_1und1.dll" ["mquadr.at software 
engineering und consulting GmbH"] {FE063DB1-4EC0-403e-8DD8-394C54984B2C}\(Default) = "Ask Toolbar BHO" -> {HKLM...CLSID} = "Ask Toolbar BHO" \InProcServer32\(Default) = "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" ["Ask.com"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor" -> {HKLM...CLSID} = "Monitor Class" \InProcServer32\(Default) = "C:\Windows\system32\btncopy.dll" ["Broadcom Corporation."] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = 
"C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons" -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class" \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}" -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] Default executables: -------------------- HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile" <<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\"%1" %*" [file not found] Group Policies 
{GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down 
without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} "NoHotStart" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Windows\system32\config\systemprofile\Pictures\100RICOH\RIMG0198.JPG" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Users\Nobbi\Pictures\100RICOH\RIMG0198.JPG" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS] Startup items in "Nobbi" & "All Users" startup folders: ------------------------------------------------------- C:\Users\Nobbi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup "OneNote 2007 Bildschirmausschnitt- und Startprogramm" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."] "RICOH Gate La" -> shortcut to: "C:\Program Files\Caplio Software\RGateLXP.exe" ["Ricoh Company, Ltd."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000007\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 23 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar" -> {HKLM...CLSID} = "Norton-Symbolleiste anzeigen" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll" ["Symantec Corporation"] "{FE063DB9-4EC0-403E-8DD8-394C54984B2C}" = (no title provided) -> {HKLM...CLSID} = "Ask Toolbar" \InProcServer32\(Default) = "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" ["Ask.com"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{72FE8681-0BFA-471B-9B2A-B37ED68DD09E}\(Default) = "Ask PopSwatter" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Windows\system32\shdocvw.dll" [MS] HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = 
"C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "An OneNote senden" "MenuText" = "An OneNote s&enden" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {CCA281CA-C863-46EF-9331-5C8D4460577F}\ "ButtonText" = "@btrez.dll,-4015" "MenuText" = "@btrez.dll,-12650" "Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data] {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search & Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{9CB65206-89C4-402c-BA80-02D8C59F9B1D}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" ["Ask.com"] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Agere Modem Call Progress Audio, AgereModemAudio, "C:\Windows\system32\agrsmsvc.exe" ["Agere Systems"] Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" 
{"C:\Windows\System32\wlansvc.dll" [MS]} Bluetooth-Unterstützungsdienst, BthServ, "C:\Windows\system32\svchost.exe -k bthsvcs" {"C:\Windows\System32\bthserv.dll" [MS]} ccEvtMgr, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] ccSetMgr, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] ClipInc 001, ClipInc001, "C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 001" [null data] ClipInc 002, ClipInc002, "C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 002" [null data] ClipInc 003, ClipInc003, "C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 003" [null data] CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Computerbrowser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]} Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} IEConfig 1und1 Edition, serviceIEConfig, "C:\Windows\System32\ieconfig_1und1_svc.exe /startedbyscm:016FE01B-40E31F2D-serviceIEConfig" [empty string] Intel® Media Share Synch Service, IMSSync, ""C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe"" ["Intel® Corporation"] LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"] PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, "C:\Windows\system32\IoctlSvc.exe" ["Prolific Technology Inc."] SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."] SQL Server VSS Writer, SQLWriter, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS] SQL Server-Browser, SQLBrowser, ""C:\Program 
Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"" [MS] SQL Server-Startdienst für Business Contact Manager, BcmSqlStartupSvc, ""C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe"" [MS] Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} Windows-Sofortverbindung - Konfigurationsregistrierungsstelle, wcncsvc, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\wcncsvc.dll" [MS]} Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} Accessibility Tools: -------------------- HKCU\Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp\ "narrator" = dword:0x00000000 "magnifierpane" = dword:0x00000000 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator\ "Description" = "Screen Reader" "StartExe" = "C:\Windows\System32\Narrator.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifierpane\ "Description" = "Screen Magnifier" "StartExe" = "C:\Windows\System32\Magnify.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ BJ Language Monitor3_1\Driver = "CNBLM3_1.DLL" ["CANON INC."] Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-04-25 14:50:33) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 51 seconds, including 18 seconds for message boxes)
Thanks again |
25.04.2008, 14:26 | #6 |
| TrojanDownloader Hello Chris4You, help, I can't find the option to deactivate TeaTimer. And please, what am I supposed to delete? I don't understand it. Sorry |
25.04.2008, 16:45 | #7 |
| TrojanDownloader Hello, you have a browser hijacker, the Ask bar:

Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{9CB65206-89C4-402c-BA80-02D8C59F9B1D}" = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" ["Ask.com"]

And we now have to remove it! TeaTimer is not running; if Spybot shows messages while you remove things (best done offline), accept the changes. So:

Avenger instructions (by swandog46)
1.) Download the tool Avenger and save it on the desktop:
2.) Configure the program as shown in the picture. Now copy the following text into the white field (at -> "input script here"):
Quote:
4.) To start Avenger, click on -> Execute. Then confirm with "Yes" that the computer restarts!
5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt. Open the file in Notepad and paste the entire text into your post here on Trojaner-Board.

HijackThis, fix: open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC. All programs must be closed while fixing!
Quote:
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop. Close all windows, start combofix.exe, and confirm the following prompt with 1 and press Enter. The ComboFix scan can take some time, so be patient. Do not use the computer during the scan. It is possible that the computer restarts in between. After the scan finishes a report is displayed; please copy it and paste it into your thread. Chris
__________________ Don't bring me down Read before posting! Donate (Anyone who wants to donate is welcome to get in touch) |
25.04.2008, 17:31 | #8 |
| TrojanDownloader Hello, I ran Avenger and here is the log file.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" not found!
Deletion of file "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not open file "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL"
Deletion of file "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist
Folder "C:\Program Files\AskTBar\bar\1.bin" deleted successfully.
Folder "C:\Program Files\AskTBar\bar" deleted successfully.
Folder "C:\Program Files\AskTBar" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

I will do the fix now. |
25.04.2008, 17:35 | #9 |
| TrojanDownloader Hi, hmmm, strange: in the previous logs the files were still there, and during the Avenger run they were suddenly gone.... Here is a guide for ComboFix: http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird chris |
25.04.2008, 17:58 | #10 |
| TrojanDownloader Hi, while fixing with HJ I did not find those quoted entries. I had written that I did not quite understand it, but I nevertheless installed this Spyware Terminator (askbar -> About Adware.MyWebSearch.az - Spyware Terminator Anti-Spyware Database) and ran it as well. It also found something, which was then removed. Is there a connection? Should I now download and start ComboFix? Regards Barbier |
26.04.2008, 09:25 | #11 |
| TrojanDownloader Hello Chris4You, did I mess things up by downloading "Spyware Terminator Anti-Spyware Database" and scanning the operating system with it? I have lost some of my nerve now and am unsure whether I should carry on with ComboFix. Please give me some advice. Regards Barbier |
26.04.2008, 21:16 | #12 |
| TrojanDownloader Hi, go ahead and run ComboFix and post the log... chris |
27.04.2008, 15:01 | #13 |
| TrojanDownloader Hello Chris4you, it took a while because I did not dare. But now here is the Combo log file.

ComboFix 08-04-26.3 - Nobbi 2008-04-27 15:39:44.1 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.1124 [GMT 2:00] ausgeführt von:: C:\Users\Nobbi\Desktop\ComboFix.exe * Neuer Wiederherstellungspunkt wurde erstellt . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Windows\msetup C:\Windows\msetup\BASW-00500A09\Install.exe C:\Windows\msetup\BASW-00500A09\install.ini C:\Windows\msetup\BASW-00500A09\setup.exe C:\Windows\msetup\BASW-00500A09\SWDesc.txt C:\Windows\msetup\BASW-00503A34\data1.cab C:\Windows\msetup\BASW-00503A34\data1.hdr C:\Windows\msetup\BASW-00503A34\data2.cab C:\Windows\msetup\BASW-00503A34\engine32.cab C:\Windows\msetup\BASW-00503A34\layout.bin C:\Windows\msetup\BASW-00503A34\mpg4c32.dll C:\Windows\msetup\BASW-00503A34\msgsm32.acm C:\Windows\msetup\BASW-00503A34\PlayCamera\Click.wav C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_chs_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_cht_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_deu_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_eng_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_esp_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_fra_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_ita_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_kor_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_ptg_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_rus_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\Help\PlayCamera_ukr_s.chm C:\Windows\msetup\BASW-00503A34\PlayCamera\HookDllPS2.dll C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\Back_Big.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\Back_Small.bmp 
C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbCancel.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbHelp.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbOk.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbOpen.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbPreviewOff.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbPreviewOn.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbRecordOff.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbRecordOn.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\gbSnap.bmp C:\Windows\msetup\BASW-00503A34\PlayCamera\Images\PlayCamera.ico C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_chs.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_cht.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_deu.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_eng.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_esp.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_fra.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_ita.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_kor.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_ptg.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_rus.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\Language\PlayCamera_ukr.txt C:\Windows\msetup\BASW-00503A34\PlayCamera\PlayCamera.exe C:\Windows\msetup\BASW-00503A34\PlayCamera\SSHook.dll C:\Windows\msetup\BASW-00503A34\PlayCamera\Uninst.ico C:\Windows\msetup\BASW-00503A34\setup.exe C:\Windows\msetup\BASW-00503A34\setup.ibt C:\Windows\msetup\BASW-00503A34\setup.ini C:\Windows\msetup\BASW-00503A34\setup.iss C:\Windows\msetup\BASW-00503A34\SWDesc.txt C:\Windows\msetup\MSetup.exe . ((((((((((((((((((((((( Dateien erstellt von 2008-03-27 bis 2008-04-27 )))))))))))))))))))))))))))))) . 2008-04-27 15:24 . 
2008-04-27 15:24 1,776,621 --a------ C:\Users\Nobbi\ComboFix.exe 2008-04-25 18:20 . 2008-04-25 18:21 731,136 --a------ C:\Users\Nobbi\avenger.exe 2008-04-25 17:21 . 2008-04-25 17:21 <DIR> d-------- C:\searchplugins 2008-04-25 17:21 . 2008-04-25 17:21 <DIR> d-------- C:\Program Files\Crawler 2008-04-25 17:20 . 2008-04-27 15:03 <DIR> d-------- C:\Users\Nobbi\AppData\Roaming\Spyware Terminator 2008-04-25 17:20 . 2008-04-26 10:04 <DIR> d-------- C:\Users\All Users\Spyware Terminator 2008-04-25 17:20 . 2008-04-26 10:04 <DIR> d-------- C:\ProgramData\Spyware Terminator 2008-04-25 17:20 . 2008-04-26 10:03 <DIR> d-------- C:\Program Files\Spyware Terminator 2008-04-25 17:20 . 2008-04-25 17:20 141,312 --a------ C:\Windows\System32\drivers\sp_rsdrv2.sys 2008-04-25 17:15 . 2008-04-25 17:15 7,786,016 --a------ C:\Users\Nobbi\spywareterminatorsetup.exe 2008-04-15 12:02 . 2008-04-15 12:02 101 --a------ C:\Windows\wininit.ini 2008-04-15 11:40 . 2008-04-15 12:04 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy 2008-04-15 11:40 . 2008-04-15 12:04 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy 2008-04-15 11:40 . 2008-04-15 11:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-04-15 11:40 . 2008-04-15 12:07 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{953b4e94-0ac5-11dd-a280-00027873c311}.TMContainer00000000000000000002.regtrans-ms 2008-04-15 11:40 . 2008-04-15 12:07 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{953b4e94-0ac5-11dd-a280-00027873c311}.TMContainer00000000000000000001.regtrans-ms 2008-04-15 11:40 . 2008-04-15 12:07 524,288 --ahs---- C:\Users\Administrator\NTUSER.DAT{953b4e90-0ac5-11dd-a280-00027873c311}.TMContainer00000000000000000002.regtrans-ms 2008-04-15 11:40 . 2008-04-15 12:07 524,288 --ahs---- C:\Users\Administrator\NTUSER.DAT{953b4e90-0ac5-11dd-a280-00027873c311}.TMContainer00000000000000000001.regtrans-ms 2008-04-15 11:40 . 
2008-04-15 12:07 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{953b4e94-0ac5-11dd-a280-00027873c311}.TM.blf 2008-04-15 11:40 . 2008-04-15 12:07 65,536 --ahs---- C:\Users\Administrator\NTUSER.DAT{953b4e90-0ac5-11dd-a280-00027873c311}.TM.blf 2008-04-14 12:35 . 2008-04-15 12:34 <DIR> d-a------ C:\Users\All Users\TEMP 2008-04-14 12:35 . 2008-04-15 12:34 <DIR> d-a------ C:\ProgramData\TEMP 2008-04-09 17:06 . 2008-04-09 17:06 <DIR> d-------- C:\Users\Nobbi\EurekaLog 2008-04-09 16:52 . 1997-11-11 22:33 317,440 --a------ C:\Windows\IsUninst.exe 16 Datei(en), . 29,354,069 C:\ComboFix\Bytes 10 Datei(en), . 2,495,662 C:\ComboFix\Bytes 9 Datei(en), . 2,495,488 C:\ComboFix\Bytes . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-26 12:20 27,335 ----a-w C:\Users\Nobbi\AppData\Roaming\nvModes.dat 2008-04-26 12:17 --------- d-----w C:\Program Files\Java 2008-04-15 10:33 --------- d-----w C:\ProgramData\Symantec 2008-04-09 08:20 --------- d-----w C:\Program Files\Windows Mail 2008-04-09 08:19 --------- d-----w C:\ProgramData\Microsoft Help 2008-04-03 13:45 1,541,896 ----a-w C:\Windows\CICUnins.exe 2008-03-28 15:37 --------- d-----w C:\Users\Nobbi\AppData\Roaming\gtk-2.0 2008-03-12 14:58 --------- d-----w C:\Program Files\NeroInstall.bak 2008-03-12 14:54 --------- d-----w C:\Program Files\Common Files\Nero 2008-03-12 14:51 --------- d-----w C:\ProgramData\Nero 2008-03-11 13:42 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 3 2008-03-07 12:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf 2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys 2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat 2008-03-03 10:20 --------- d-----w C:\Users\Nobbi\AppData\Roaming\Ahead 2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll 2008-02-29 06:39 40,960 ----a-w 
C:\Windows\System32\srclient.dll 2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll 2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe 2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe 2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll 2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll 2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys 2008-02-28 16:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe 2008-02-26 15:14 972,072 ----a-w C:\Windows\UNRecode.exe 2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll 2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll 2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll 2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll 2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe 2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll 2008-02-18 15:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll 2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe 2008-02-14 15:57 194,560 ----a-w C:\Windows\System32\WebClnt.dll 2008-02-14 15:51 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe 2008-02-14 15:51 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe 2008-02-14 15:50 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll 2008-02-14 15:50 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll 2008-02-14 15:50 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll 2008-02-14 15:50 24,064 ----a-w C:\Windows\System32\netcfg.exe 2008-02-14 15:50 22,016 ----a-w C:\Windows\System32\netiougc.exe 2008-02-14 15:50 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll 2008-02-14 15:50 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll 2008-02-14 15:50 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll 2008-02-14 15:50 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll 2008-02-14 15:50 1,686,528 ----a-w C:\Windows\System32\gameux.dll 2007-11-07 10:58 13,411,824 ----a-w C:\Users\Nobbi\Google_Earth_BZXD.exe 2007-10-24 
11:33 174 --sha-w C:\Program Files\desktop.ini . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D48FF4B4-E68F-47D1-8E25-81A0F0EEB341}] 2007-10-24 10:51 978576 --a------ C:\Windows\System32\ieconfig_1und1.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 10:23 1232896] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440] "WEB.DE_WEB.DE MultiMessenger"="C:\Program Files\WEB.DE\WEB.DE MultiMessenger\MESSENGR.exe" [2008-04-09 19:08 4613552] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 18:07 132392] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728] "ClipIncSrvTray"="C:\Program Files\Tobit ClipInc\Player\ClipIncTray.exe" [2008-04-03 14:57 579072] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-20 04:43 1006264] "RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 08:50 4399104 C:\Windows\RtHDVCpl.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-06 11:17 839680] "IaNvSrv"="C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-05-08 10:45 33048] "Play AVStation TV Scheduler"="C:\Program Files\Samsung\Play AVStation\TvScheduler.exe" [2007-01-08 11:09 73728] "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-22 15:35 86016] "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-22 15:35 8433664] "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-22 15:35 81920] "@"="" [] "ViivMonitor"="C:\Program Files\Intel\Intel Media Share 
Software\ViivMonitor.exe" [2007-03-10 13:41 69632] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048] "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-04-25 17:20 1809408] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] C:\Users\Nobbi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 05:27:40 719664] RICOH Gate La.lnk - C:\Program Files\Caplio Software\RGateLXP.exe [2007-10-30 15:13:50 360448] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "NoHotStart"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3acm"= C:\Windows\system32\l3codecp.acm "msacm.l3codec"= C:\Windows\system32\l3codecp.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] 
"DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{3634CC51-FC94-43B8-B5FC-ACF7AE0621D5}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent "{E87D52E2-AA4F-47F0-A6E8-930A4CBDA6DE}"= TCP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent "{CCA60AC0-D63B-47D1-8256-04C46C27662F}"= UDP:C:\Program Files\Intel\Intel Media Share Software\IMSS.exe:Intel® Media Share Software "{36152CB7-BA3A-432F-BDBB-D97B601BE0CB}"= TCP:C:\Program Files\Intel\Intel Media Share Software\IMSS.exe:Intel® Media Share Software "{FB812C06-E730-4747-A236-0AA723415C7A}"= UDP:C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe:Intel® Media Share Synch Service "{E1033919-3D77-420B-891D-17D4357004E4}"= TCP:C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe:Intel® Media Share Synch Service "{3CC58AC8-04F8-4056-8F7B-3CC224BBF958}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{7BF29927-8A79-4337-A3D5-D7EB27A2679C}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "TCP Query User{0DA1C104-283E-4DA1-BB13-C196A5746EA6}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "UDP Query User{3955653A-F0E4-4ECE-A1E4-8EDA84B42C87}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer "TCP Query User{BEC28174-CEFE-479E-8B9A-DD9F9A867421}C:\\program files\\caplio software\\rgatelxp.exe"= Disabled:UDP:C:\program files\caplio software\rgatelxp.exe:RICOH Gate La for DSC "UDP Query User{25F3E225-5E86-41E3-AB41-B59F695C7506}C:\\program files\\caplio software\\rgatelxp.exe"= Disabled:TCP:C:\program files\caplio software\rgatelxp.exe:RICOH Gate La for DSC 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System] "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic| R0 iaNvStor;Intel(R) Turbo Memory Technology NAND Controller;C:\Windows\system32\DRIVERS\iaNvStor.sys [2007-05-04 04:21] R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080425.001\IDSvix86.sys [2008-02-13 18:18] R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\Windows\system32\drivers\sp_rsdrv2.sys [2008-04-25 17:20] R2 BcmSqlStartupSvc;SQL Server-Startdienst für Business Contact Manager;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-16 10:51] R2 ClipInc001;ClipInc 001;C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 001 [] R2 ClipInc002;ClipInc 002;C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 002 [] R2 ClipInc003;ClipInc 003;C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe 003 [] R2 IMSSync;Intel® Media Share Synch Service;"C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe" [2007-03-10 13:40] R2 KMDFMEMIO;SAMSUNG Kernel Driver;C:\Windows\system32\DRIVERS\kmdfmemio.sys [2007-06-20 04:29] R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43] R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\System32\ieconfig_1und1_svc.exe [2007-10-24 10:51] R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29] R3 btwaudio;Bluetooth-Audiogerät;C:\Windows\system32\drivers\btwaudio.sys [2006-12-20 04:08] R3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-12-20 04:04] R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-12-20 04:07] R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-10 
00:32] R3 VMC302;Vimicro Camera Service VMC302;C:\Windows\system32\Drivers\VMC302.sys [2007-10-17 16:48] R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-15 02:12] S3 mod7700;DiBcom DIB7700 based TV tuner device;C:\Windows\system32\Drivers\dvb7700all.sys [2007-04-19 08:02] S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [] S3 NETw2v32;Intel(R) PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 09:30] S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 09:36] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ *Newly Created Service* - CATCHME *Newly Created Service* - COMHOST . Inhalt des "geplante Tasks" Ordners "2008-04-26 11:48:33 C:\Windows\Tasks\User_Feed_Synchronization-{26295C06-729A-4B0C-9C48-C2657AB03310}.job" - C:\Windows\system32\msfeedssync.exe . ************************************************************************** catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 15:44:11 Windows 6.0.6000 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostart Einträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . Zeit der Fertigstellung: 2008-04-27 15:45:22 ComboFix-quarantined-files.txt 2008-04-27 13:45:03 13 Verzeichnis(se), 64,393,400,320 Bytes frei 21 Verzeichnis(se), 65,762,164,736 Bytes frei 264 --- E O F --- 2008-04-25 07:50:06

I hope it worked this time. Regards Barbier |
28.04.2008, 13:26 | #14 |
| TrojanDownloader Hi, I waded through the log but unfortunately found nothing conspicuous... Except that monitoring for the security software was/is switched off...? What software is it that ComboFix deleted (C:\Windows\msetup\BASW-00500A09)? chris

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 |
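As an added, read-only audit script (my own addition, not part of this thread and not code from Silent Runners, Avenger or ComboFix) covering the two findings discussed above, the URLSearchHooks hijack point from post #7 and the DisableMonitoring values from post #14: it lists every search-hook CLSID in the current user's hive, resolves each to the DLL registered under its InProcServer32 key and checks that DLL's Authenticode signature, then reports every Security Center monitoring key whose DisableMonitoring value is 1. It assumes an elevated PowerShell on the affected machine and the registry paths shown in the logs above; the function names are mine.

```powershell
# Added example: read-only audit of the two findings discussed in this thread.
# Not part of the thread and not code from Silent Runners, Avenger or ComboFix.
# Assumption: run in an elevated PowerShell on the affected machine. It only
# reports and changes nothing, so it is safe to run before deciding what to remove.

function Get-UrlSearchHookReport {
    # Every value name under URLSearchHooks is a CLSID. IE loads the DLL that the
    # CLSID's InProcServer32 key points to on each address-bar search, which is why
    # Silent Runners marks unknown entries here as <<H>> (browser hijack point).
    $hookKey = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    if (-not (Test-Path $hookKey)) { return @() }

    (Get-ItemProperty -Path $hookKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $clsid  = $_.Name
            $dll    = $null
            $signer = 'DLL not found on disk'
            # The CLSID may be registered machine-wide or only for this user.
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
                $server = Join-Path $root "$clsid\InProcServer32"
                if (Test-Path $server) {
                    $dll = (Get-ItemProperty -Path $server).'(default)'
                    break
                }
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "no valid signature ($($sig.Status))" }
            }
            New-Object PSObject -Property @{ CLSID = $clsid; Dll = $dll; Signer = $signer }
        }
}

function Get-SecurityCenterMonitoringReport {
    # DisableMonitoring = 1 under Security Center\Monitoring (or a vendor subkey) tells
    # Security Center to stop checking that product; ComboFix showed it set for the
    # Symantec and McAfee keys on this machine. A legitimate product may set its own
    # key, but a value of 1 that nobody configured deserves a closer look.
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $base)) { return @() }

    @(Get-Item -Path $base) + @(Get-ChildItem -Path $base) | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisableMonitoring
        $flag  = if ($value -eq 1) { 'monitoring disabled' } else { '' }
        New-Object PSObject -Property @{ Key = $_.PSChildName; DisableMonitoring = $value; Flag = $flag }
    }
}

'== IE URLSearchHooks =='
Get-UrlSearchHookReport | Format-Table CLSID, Dll, Signer -AutoSize
'== Security Center monitoring =='
Get-SecurityCenterMonitoringReport | Format-Table Key, DisableMonitoring, Flag -AutoSize
```

A hook whose DLL is unsigned, missing from disk, or signed by a vendor you did not install is the kind of entry Silent Runners flags; the Ask.com DLL in this thread would show up with its vendor signature, so the signer column is a hint, not a verdict. Any monitoring key reporting 1 should be compared against what the installed security product actually expects before it is changed.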
28.04.2008, 15:44 | #15 |
| TrojanDownloader Hi, first of all thanks again for your support, I don't know how I would have got on without it. I don't understand what is going on with the security software either. Following your recommendation I downloaded Spyware Terminator and noticed that a so-called "Crawler Toolbar" installed itself as well. Could there be a connection?? After ComboFix had run, I carried out several scans: Norton 360, nothing found; Spyware Terminator, nothing found; Spybot, nothing found; Windows Defender, found: Win32/Openstream. What now??????? I'm close to despair. Regards Barbier |