Pests of all kinds and their removal: HELP! Caught a trojan! Google redirects to dubious sites - Windows 7

If you are not sure whether you have caught malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
19.12.2009, 17:13 | #1

HELP! Caught a trojan! Google redirects to dubious sites

Hello everyone,

the day before yesterday I noticed for the first time that my Google searches all return the right results, but when I click on the links I am redirected to some dubious movie, shopping or similar sites, mostly foreign ones. When I land on these sites I am attacked every time, which my Norton AntiVirus has thankfully been able to fend off so far. I have already read a bit here but have not found a solution to my problem yet. Here is what I have done:

Malwarebytes scan with the newest update from today; in 3 scans something was found every time, in total about 7 trojans/worms of various kinds plus 5 malicious registry entries. All of them could be deleted permanently except 2, which remain, or rather are deleted and are back after the reboot as soon as I open Internet Explorer (otherwise not!):

1. Flags.ini (cannot be deleted manually)
2. Uses32.dat (can be deleted manually but comes back after using IE8)

The newest Windows updates are installed (as of today); I have XP Prof. Norton Antivirus finds nothing at all. I had a HijackThis file created. I cannot think of anything else; can anyone help me get rid of these annoying redirects? Unfortunately I do not know my way around this very well.

Regards, sascha

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:34, on 19.12.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe
C:\Programme\nHancer\nHancer.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\OnlineControl\ocontrol.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Programme\kikin\ie_kikin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nHancer] "C:\Programme\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: OnlineControl.lnk = C:\Programme\OnlineControl\ocontrol.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Programme\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://express.foto.com/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261161411468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261161404937
O16 - DPF: {792E349D-4844-4F53-A660-3F1E00234138} (CVXChatControl Object) - http://visit-x.de/downloads/applet/90/9,0,0,5/cP-Client-90.cab
O16 - DPF: {853B7AC5-1DC9-484C-972B-479E790D4A4D} (CVxChatControl Object) - http://www.visit-x.de/downloads/applet/853B7AC5-1DC9-484c-972B-479E790D4A4D/8,0,0,14/cP-Client-80-light.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://82.151.42.188:443/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Steuerung des DownloadManager ) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatisches LiveUpdate - Scheduler (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Just Flight Limited License Service - Just Flight Limited - C:\Programme\Gemeinsame Dateien\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Programme\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11256 bytes
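As an added example (it is not part of the thread and not a HijackThis feature), the Python script below applies a few defender-side triage rules to entries in the HijackThis v2 format posted above: O20 AppInit_DLLs entries, which load a DLL into every process that uses user32.dll; O2/O3 browser extensions whose file is gone; O16 ActiveX controls downloaded from a bare IP address; and O23 services without a publisher string. The sample lines are constructed from this post's log, and the rule set and the `Finding` type are my own assumptions about what deserves a second look, not verdicts about the poster's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in HijackThis v2 format, taken from
# the log posted in this thread (irrelevant entries left out).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll (file missing)",
    r"O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe",
    r"O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://82.151.42.188:443/activex/AMC.cab",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\curslib.dll",
    r"O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe",
])


@dataclass
class Finding:
    """One entry worth reviewing, with the heuristic that selected it (my own type)."""
    section: str
    reason: str
    line: str


# Every HijackThis entry starts with a section code such as R0, O2, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# http(s)://<dotted quad>[:port]/ - a download source with no DNS name at all.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")


def parse_entries(text):
    """Yield (section, body, full_line) for every entry line; header and
    process-list lines do not match the pattern and are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(text):
    """Apply the review heuristics (assumed rules, not a malware verdict)."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O20" and "AppInit_DLLs" in body:
            findings.append(Finding(section, "AppInit_DLLs injects this DLL into every GUI process; verify the file's publisher and origin", line))
        elif section in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            findings.append(Finding(section, "orphaned browser extension registration; safe to remove, keeps IE's attack surface small", line))
        elif section == "O16" and BARE_IP_URL.search(body):
            findings.append(Finding(section, "ActiveX control fetched from a bare IP address; confirm it belongs to a device you own", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service without a publisher string; check the binary's digital signature", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that the rules do not flag are not thereby clean; the script only orders a long log so that a human reviewer looks at the unusual registrations first.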
20.12.2009, 00:25 | #2

HELP! Caught a trojan! Google redirects to dubious sites

Your HijackThis logfile shows a lot of stuff that is not clearly legitimate and should be removed: kikin, the visit-x.de ActiveX, and that download manager...
20.12.2009, 15:21 | #3

HELP! Caught a trojan! Google redirects to dubious sites

Hello,

which ActiveX do you mean? Visitx is OK, I know it; Kikin is part of the program JDownloader and should also be OK, but I can delete it anyway as a precaution. Are there any more tips on what I can do? Program tips for scanning, more log files? Does anyone know what the two files uses32.dat and flags.ini are, which keep reappearing with Internet Explorer after Malwarebytes has deleted them? So far I have not found any useful information on these files on the net.

Latest status: following a tip from another forum I downloaded Spybot; it found 15 entries in total, 13 of which were malicious and were deleted. And now the strange part: a scan with Malwarebytes afterwards = 0 infections. Then I installed today's update and scanned again = 47 infections!!!! And again and again this uses32.dat and flags.ini.

Regards
20.12.2009, 17:27 | #4 |
| HILFE! Trojaner gefangen! Google Weiterleitung auf unseriöse Seiten - Hallo, hier nochmal ein aktueller Stand von HijacThis nachdem malwarebyte wohl alles gefunden und löschen konnte: und die Reports aus Malwarebytes! Zur info, die Google Umleitung ist jetzt WEG nachdem die ganzen unten stehenden schädliche gelöscht wurden, allerdings glaube ich das sich noch mehr auf den PC verstecken könnte: Von den Spybot program ,der 13-15 andere gefunden hatte gibts wohl leider keine Berichte! Malwarebytes: (in der Reihenfolge wie bei verschiedenen Scans mit verschiedenen Datenbank Versionen seit dem 17.12. aufgetaucht) Immer wieder waren die files flags.ini und uses32.dat dabei, ALLE anderen Schädlinge konnten immer laut dem Programm entfernt werden. Infizierte Verzeichnisse: C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully. Infizierte Dateien: C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully. Infizierte Registrierungsschlüssel: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. Infizierte Dateien: C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000015.dll (Spyware.Passwords) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000021.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000024.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000048.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000018.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot. C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully. Infizierte Dateien: C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot. C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully. Infizierte Dateien: C:\WINDOWS\system32\curslib.dll (Spyware.Passwords) -> Delete on reboot. C:\WINDOWS\system32\wincert.dll (Spyware.Passwords) -> Quarantined and deleted successfully. Infizierte Dateien: C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000014.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000016.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000019.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000020.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000022.dll (Spyware.Passwords) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000023.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000025.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000047.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000098.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000099.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000100.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000101.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000102.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000103.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000104.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000017.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000126.dll (Spyware.Passwords) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP1\A0000127.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000196.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000197.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000198.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000199.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000200.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000201.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000211.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000212.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000213.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000214.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000215.dll (Spyware.Passwords) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000216.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000217.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000218.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000219.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000220.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000221.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000222.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000230.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP2\A0000231.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001267.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001268.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001269.dll (Spyware.Passwords) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001270.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001271.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001272.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP3\A0001273.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP4\A0001417.dll (Spyware.Passwords) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D75F7CA2-6D3A-4983-BB31-D27A1112AD14}\RP4\A0001418.dll (Spyware.Passwords) -> Quarantined and deleted successfully. HijackThis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:48:04, on 20.12.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\WINDOWS\system32\msiexec.exe C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe C:\PROGRA~1\MICROS~2\rapimgr.exe C:\Programme\nHancer\nHancer.exe C:\WINDOWS\system32\ctfmon.exe 
C:\Programme\Logitech\SetPoint\SetPoint.exe C:\Programme\OnlineControl\ocontrol.exe C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com, O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Programme\kikin\ie_kikin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll (file missing) O3 - Toolbar: Norton-Symbolleiste anzeigen - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe 
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe" autostart O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [nHancer] "C:\Programme\nHancer\nHancer.exe" /tray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: OnlineControl.lnk = C:\Programme\OnlineControl\ocontrol.exe O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: 
Translate Page into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Programme\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://express.foto.com/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261161411468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261161404937
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://82.151.42.188:443/activex/AMC.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Steuerung des DownloadManager ) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.2.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\curslib.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatisches LiveUpdate - Scheduler (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Just Flight Limited License Service - Just Flight Limited - C:\Programme\Gemeinsame Dateien\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Programme\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe |
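As an added example (not code from this thread and not part of HijackThis), here is a small Python triage script run over a constructed subset of the log above. It picks out the entry types a helper looks at first: the O20 AppInit_DLLs line, O16 ActiveX downloads served from a bare IP address, and O23 services with no vendor information. It reports entries to review, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis format, reusing entries from the log above.
SAMPLE_LOG = """\
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\curslib.dll
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://82.151.42.188:443/activex/AMC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\\PROGRA~1\\GEMEIN~1\\SYMANT~1\\CCPD-LC\\symlcsvc.exe
"""

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")      # "O20 - rest of entry"
URL_HOST_RE = re.compile(r"https?://([^/:\s]+)")     # host part of a DPF URL
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return log entries worth a manual look, each with the reason for the hit."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads
            # user32.dll, which makes the key a classic persistence location.
            reason = "AppInit_DLLs entry loads into nearly every process; verify the DLL"
        elif section == "O16":
            # O16 = ActiveX controls downloaded from the web (DPF). A control
            # served from a bare IP instead of a vendor host deserves a look.
            host = URL_HOST_RE.search(body)
            if host and IPV4_RE.match(host.group(1)):
                reason = "ActiveX control served from a bare IP address"
        elif section == "O23" and "Unknown owner" in body:
            # HijackThis prints "Unknown owner" when the binary carries no
            # company name; often benign, but worth a signature check.
            reason = "service binary has no vendor information"
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```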
20.12.2009, 17:53 | #5 |
| HELP! Caught a Trojan! Google redirecting to dubious sites - When a system is this "broken", I like to recommend a live Linux for testing. Have a look at Knoppicillin - or simply reinstall the system. Linux has the advantage that it does not sit inside Windows while it scans. |
Topics related to HELP! Caught a Trojan! Google redirecting to dubious sites - |
antivirus, bho, browser, computer, excel, explorer, google, hijack, hijackthis, hkus\s-1-5-18, internet, internet explorer, intrusion prevention, malwarebytes' anti-malware, object, problem, rundll, scan, sites, software, symantec, system, trojan, dubious sites, updates, windows, windows updates, windows xp |