Antivir hat Malware gefunden - Explorer.exe weg!!!

Jenue · 25.07.2008, 14:28

Hallo! Bin neu hier und versteh noch nicht ganz was ich machen soll damit man mir helfen kann abe ich versuchs einfach mal.

Am Mittwoch hatte ich eine Warnung von Antivir und zwar:In der Datei 'F:\DOKUME~1\Jenny\LOKALE~1\Temp\twe72.tmp'
wurde ein Virus oder unerwünschtes Programm 'TR/Spy.Gen' [trojan] gefunden.
Ausgeführte Aktion: Zugriff verweigern

Was ich gemacht hab sieht man ja. Doch seit dem ist mein explorer weg.
Ich kann ihn zwar kurz aufrufen so für ne Minute aber danach verabschiedet er sich wieder. So ich hab mal einen Logfile erstellt (ich hoffe richtig) und wäre wirklich dankbar wenn ir jemand helfen könnte.

Ich hab schon selbst in vielen Foren gesucht ob andere dieses Problem auch haben aber dann wird meistens eine Reperaturnstallation empfohlen was mit meiner Windows CD leider nicht geht.

Achso ich habs auch schon mit sfc /scannow probiert aber das hat auch nicht geholfen.

Lg
Jenue

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00:17, on 25.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
F:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
F:\Programme\Bonjour\mDNSResponder.exe
F:\WINDOWS\system32\slserv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Programme\Mozilla Firefox\firefox.exe
F:\WINDOWS\hh.exe
F:\Programme\Avira\AntiVir PersonalEdition Classic\avcenter.exe
F:\Programme\Microsoft Office\Office10\WINWORD.EXE
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www.egisca.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://icq.oberon-media.com//online/...code=112330860
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {EDA081CA-C809-49F0-B2D8-151DA26A6CF8} - (no file)
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - F:\Programme\SYSTRAN\5.0\Personal\IEPlugIn.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Egisca Toolbar - {C1E68079-1B2C-41D7-A3C2-BE82E570251E} - F:\Programme\Egisca Toolbar\EgiscaToolbar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - F:\Programme\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "F:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - F:\Programme\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - F:\Programme\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - F:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/.../GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/online/online2...ploader_v6.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01BB2664-BB15-4F05-9C80-49F8F64AD1AA}: NameServer = 217.237.151.205 217.237.148.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{01BB2664-BB15-4F05-9C80-49F8F64AD1AA}: NameServer = 217.237.151.205 217.237.148.70
O23 - Service: Adobe LM Service - Adobe Systems - F:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - F:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - F:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - F:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SmartLinkService (SLService) - - F:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7524 bytes

Silent sharK · 25.07.2008, 14:34

Hallo Jenue,
bitte führe die Anleitung von Malwarebytes aus, Link in meiner Signatur. (Log posten)

mfg

Jenue · 27.07.2008, 12:29

So ich hoffe das ich das so richtig gemacht hab...
Bis jetzt läuft auch wieder alles einwandfrei. Vielen dank für de Tipp!
Ich poste den Bericht trotzdem mal vllt scheints ja nur so als wär alles ok ich hab ja keine Ahnung...

Malwarebytes' Anti-Malware 1.23
Datenbank Version: 990
Windows 5.1.2600 Service Pack 2

00:44:15 26.7.2008
mbam-log-7-26-2008 (00-44-15).txt

Scan-Methode: Vollständiger Scan (F:\|)
Durchsuchte Objekte: 116272
Laufzeit: 3 hour(s), 42 minute(s), 53 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 2
Infizierte Registrierungsschlüssel: 19
Infizierte Registrierungswerte: 2
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 10

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
F:\WINDOWS\system32\byXRIcDW.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\ddcbyWoN.dll (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2819f0b-6ae2-4ecd-8aa0-ca5118de60da} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a2819f0b-6ae2-4ecd-8aa0-ca5118de60da} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbywon (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\f:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9b904910-78a4-489d-a825-5111b883a5b2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\F:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: f:\windows\system32\byxricdw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: f:\windows\system32\byxricdw -> Delete on reboot.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
F:\WINDOWS\system32\byXRIcDW.dll (Trojan.Vundo) -> Delete on reboot.
F:\WINDOWS\system32\WDcIRXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\WDcIRXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\ddcbyWoN.dll (Trojan.Vundo) -> Delete on reboot.
F:\Programme\Egisca Toolbar\tbhelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
F:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
F:\Dokumente und Einstellungen\Jenny\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FOGMEOYO\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\Dokumente und Einstellungen\Jenny\Lokale Einstellungen\Temporary Internet Files\Content.IE5\QL9SM4LC\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{A715483A-ED44-4FCD-9766-03F9CFFE3EF3}\RP139\A0020841.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\qoMdDtqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Antivir hat Malware gefunden - Explorer.exe weg!!!

Log-Analyse und Auswertung: Antivir hat Malware gefunden - Explorer.exe weg!!!