wie oben genannt verschickt sich dieser virus AUTOMATISCH über skype

hier ein hijack
HiJackthis Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:52:13, on 26.08.2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Mobile Master\MMAgent.exe
C:\Users\Tim nys\AppData\Roaming\lsass.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mobile Master\MMScan.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Windows\system32\conhost.exe
C:\Users\Tim nys\AppData\Local\Apps\2.0\8CEWROTD.LYK\0KG8A557.M0Q\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://fullarticles.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: Shell=Explorer.exe "C:\Users\Tim nys\AppData\Roaming\lsass.exe"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\TP-LINK\TP-LINK Wireless N Client Utility\jswtrayutil.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [NBAgent] "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Java developer Script Browse] C:\Windows\jusched.exe
O4 - HKLM\..\Run: [MSWUpdate] "C:\Users\Tim nys\AppData\Roaming\lsass.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [MMAgent] C:\Program Files\Mobile Master\MMAgent.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [MSWUpdate] "C:\Users\Tim nys\AppData\Roaming\lsass.exe"
O4 - Startup: CurseClientStartup.ccip
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\Tim nys\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\Programme\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7 - {88EB38EF-4D2C-436D-ABD3-56B232674062} - C:\Program Files\ICQ7.0\ICQ.exe
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - TP-LINK TECHNOLOGIES CO., LTD. - C:\Program Files\TP-LINK\TP-LINK Wireless N Client Utility\jswpsapi.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
 
--
End of file - 9733 bytes
         

--- --- ---






habe sämtliche programme wie avira & trojanremover durchlaufen lassen , ohne erfolg

bitte um schnelle hilfe!

Hallo timbo16 und

Zitat:

habe sämtliche programme wie avira & trojanremover durchlaufen lassen

Ziemlich sinnlos, die kennen den noch gar nicht.

Code: Alles auswählenAufklappen

ATTFilter

File name: 
PHOTO-10075.JPG-www.facebook.com.scr
Submission date: 
2010-08-26 20:36:02 (UTC)
Current status: 
finished
Result: 
6/ 41 (14.6%)	VT Community

not reviewed
 Safety score: - 

Compact 
Print results  Antivirus	Version	Last Update	Result
AhnLab-V3	2010.08.26.00	2010.08.25	-
AntiVir	8.2.4.46	2010.08.26	-
Antiy-AVL	2.0.3.7	2010.08.26	-
Authentium	5.2.0.5	2010.08.26	-
Avast	4.8.1351.0	2010.08.26	-
Avast5	5.0.594.0	2010.08.26	-
AVG	9.0.0.851	2010.08.26	-
BitDefender	7.2	2010.08.26	-
CAT-QuickHeal	11.00	2010.08.24	-
ClamAV	0.96.2.0-git	2010.08.26	-
Comodo	5866	2010.08.26	-
DrWeb	5.0.2.03300	2010.08.26	-
Emsisoft	5.0.0.37	2010.08.26	-
eSafe	7.0.17.0	2010.08.26	-
eTrust-Vet	36.1.7818	2010.08.26	-
F-Prot	4.6.1.107	2010.08.26	-
F-Secure	9.0.15370.0	2010.08.26	-
Fortinet	4.1.143.0	2010.08.26	-
GData	21	2010.08.26	-
Ikarus	T3.1.1.88.0	2010.08.26	-
Jiangmin	13.0.900	2010.08.26	-
Kaspersky	7.0.0.125	2010.08.26	-
McAfee	5.400.0.1158	2010.08.26	Artemis!D6AF905C9C8F
Microsoft	1.6103	2010.08.26	Trojan:Win32/Meredrop
NOD32	5400	2010.08.26	IRC/SdBot
Norman	6.05.11	2010.08.26	-
nProtect	2010-08-26.01	2010.08.26	-
Panda	10.0.2.7	2010.08.26	Suspicious file
PCTools	7.0.3.5	2010.08.26	-
Prevx	3.0	2010.08.26	High Risk Cloaked Malware
Rising	22.62.03.01	2010.08.26	-
Sophos	4.56.0	2010.08.26	W32/Palevo-AD
Sunbelt	6798	2010.08.26	-
SUPERAntiSpyware	4.40.0.1006	2010.08.26	-
Symantec	20101.1.1.7	2010.08.26	-
TheHacker	6.5.2.1.356	2010.08.26	-
TrendMicro	9.120.0.1004	2010.08.26	-
TrendMicro-HouseCall	9.120.0.1004	2010.08.26	-
VBA32	3.12.14.0	2010.08.25	-
ViRobot	2010.8.26.4009	2010.08.26	-
VirusBuster	5.0.27.0	2010.08.26	-
Additional information
Show all 
MD5   : d6af905c9c8fc0f0933b34312afe20a5
SHA1  : 87a8f34b77074bd149cee1aea0222262902afb6a
SHA256: 84aa1b490a4af367629493189ca399aab87bbeb40f05a96b62e2d1e2a42c7a12
ssdeep: 3072:DEiKtjDkCwoKtPJRB3t1vH9cziWQL1CjuvEQV/1S:giEkC/8PJz95H9cz8L11X
File size : 159744 bytes
First seen: 2010-08-25 21:23:25
Last seen : 2010-08-26 20:36:02
TrID: 
Win32 Executable Microsoft Visual Basic 6 (96.9%)
Generic Win/DOS Executable (1.5%)
DOS Executable Generic (1.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck: 
publisher....: RSKrC
copyright....: n/a
product......: FnB7yZ
description..: n/a
original name: 82310ac.exe
internal name: 82310ac
file version.: 10.890.0802
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1630
timedatestamp....: 0x4C733174 (Tue Aug 24 02:41:56 2010)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xBDEC, 0xC000, 5.75, 43902520cafb5c0863dc3807b53eac34
.data, 0xD000, 0xC64, 0x1000, 0.00, 620f0b67a91f7f74151bc5be745b7110
.rsrc, 0xE000, 0x18A50, 0x19000, 7.73, 191ea88dbe67f37c993f4953e022abe7

[[ 1 import(s) ]]
MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, -, _adj_fprem1, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaHresultCheckObj, -, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, -, __vbaVarIndexLoad, _CIsin, -, __vbaErase, __vbaVarZero, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, __vbaFixstrConstruct, __vbaRedim, __vbaUI1ErrVar, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, -, __vbaFPException, -, __vbaStrVarVal, __vbaUbound, __vbaVarCat, -, -, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, Zombie_AddRef, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaAryLock, __vbaFpI2, -, _CIatan, __vbaStrMove, __vbaStrVarCopy, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaMidStmtBstr, __vbaI4ErrVar, __vbaFreeStr
Prevx Info: 
http://info.prevx.com/aboutprogramtext.asp?PX5=4B569F8C00A77510706302328363D2009A3DD3ED
         

Klicke auf "Für alle Neuen" in meiner Signatur, lies alles aufmerksam und arbeite die Liste unter Punkt 2 (Alternative B) ab. Trenne immer die Internetverbindung, falls du sie nicht unbedingt benötigst.

ciao, andreas

soll ich sofort mit alternative B anfangen oder zuerst mit A?


mit freundlichem grüß

Nur B.

ciao, andreas

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4486

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

26.08.2010 23:05:02
mbam-log-2010-08-26 (23-05-02).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 128004
Laufzeit: 5 Minute(n), 57 Sekunde(n)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 4
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
C:\Users\Tim nys\AppData\Roaming\lsass.exe (Trojan.Delf) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java developer script browse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Delf) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Delf) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\java developer script browse (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Delf) -> Data: c:\users\tim nys\appdata\roaming\lsass.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe "C:\Users\Tim nys\AppData\Roaming\lsass.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Public\jusched.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Tim nys\downloads\PHOTO-10075.JPG-www.facebook.com.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Tim nys\AppData\Roaming\lsass.exe (Trojan.Delf) -> Quarantined and deleted successfully.

so wie das für mich aussieht hat er den trojaner gefunden & gelöscht?

mfg

so habe den pc neu gestartet & es erschien eine fehlermeldung : Diese aktion kann nur von installieren programmen ausgeführt werden.

hat diese eine besondere bedeutung?

Er hat ihn zum Glück schon gekannt => ThreatExpert Report

Poste trotzdem noch die beiden Logs von OTL.

ciao, andreas

Edit: Da ist noch mehr.