Hallo zusammen. Habe folgendes Problem:

1) Suchen mit Google im IE, erstes Suchergebnis wird auf www.styleclickinc.com umgeleitet
2) in unregelmäßigen Abständen kommen Porno Popups inklusive Dialer
3) in unregelmäßigen Abständen findet Antivir einen Virus, OHNE dass ich etwas gedownloadet habe oder sonst irgendwas angeklickt habe (keine Email o.ä.)

Beispiel der Viren:
TR/IstBar.Am1 und Am2
TR/Donn.R.Dwnload2

System: Win2k mit IE

Virenkiller (Antivir) aktuell, Ad-Aware & Spybot aktuell und finden alle NICHTS!
Wann das ganze anfing kann ich nicht sagen, da es nicht um meinen Rechner geht...

Danke für Hilfe, Florian

Hi,

1) lass mal cwshredder (Links überall im Forum) und onlinescanner von www.ravantivirus.com und www.trendmicro.com drüber laufen

2) poste mal ein Log von Hijackthis (Links überall im Forum)

sind alle ServicePacks/Updates drauf ?

suche mal bei trendmicro oder virusbtn->vgrep
nach den virennamen

[ 23. Januar 2004, 02:12: Beitrag editiert von: whocares ]

cwshredder findet nichts.
Onlinekiller werde ich versuchen, Hijack Protokoll wirde nachgeliefert, habe den Rechner leider nicht hier...
Zu dem Donn.R finde ich nichts, der andere scheint es auch nicht zu sein (keine typ. Reg-Einträge).
Diese Viren werden ja aber auch immer sofort entdeckt und gelöscht.

Sorry, cwshredder hatte ich noch gar nicht ausprobiert. Werde morgen (ups - heute) das log posten.
Danke!

Also, trenmicro findet sofort JS_FORTNIGHT und entfernt ihn (findet ihn aber beim nächste Scan wieder)
Ansonsten wird 7* Troj_ISTBAR.K und .I gefunden.
Die typischen Reg einträge für diese Trojaner sind aber NICHT vorhanden!

Hier das CWShredder Log und das Hijack Log.
Beide haben soviele Einträge, dass ich nur Bahnhof verstehe:

CWShredder v1.46.3 scan only report
Windows 2000 (5.00.2195 SP2)
Windows dir: C:\WINNT
Windows system dir: C:\WINNT\system32

AppData folder: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten

Username: Administrator

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://about-blank.biz/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://www.2020search.com/search/9884/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://about-blank.biz/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://www.2020search.com/search/9884/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page,about:blank
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL
Infected data: http://about-blank.biz/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Local Page,C:\WINNT\system32\blank.htm
Infected data: http://about-blank.biz/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page,C:\WINNT\system32\blank.htm
Infected data: http://about-blank.biz/
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak
Infected data: http://about-blank.biz/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http://www.2020search.com/search/9884/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http://www.2020search.com/search/9884/search.html
Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (3714 bytes, RHS)
Hosts file: 69.56.223.196 t.rack.cc
Hosts file: 69.56.223.196 www.alfa-search.com
Hosts file: 69.56.223.196 webcoolsearch.com
Hosts file: 69.56.223.196 in.webcounter.cc
Hosts file: 69.56.223.196 i-lookup.com
Hosts file: 69.56.223.196 www.hand-book.com
Hosts file: 69.56.223.196 www.maxxxhosters.com
Hosts file: 69.56.223.196 allneedsearch.com
Hosts file: 69.56.223.196 nativehardcore.com
Hosts file: 69.56.223.196 teen-biz.com
Hosts file: 69.56.223.196 tits.hardcore4ever.net
Hosts file: 69.56.223.196 best.royalsearch.net
Hosts file: 69.56.223.196 default-homepage-network.com
Hosts file: 69.56.223.196 xwebsearch.biz
Hosts file: 69.56.223.196 www.rightfinder.net
Hosts file: 69.56.223.196 www.search-1.net
Hosts file: 69.56.223.196 www.searchv.com
Hosts file: 69.56.223.196 www.websearch.com
Hosts file: 69.56.223.196 mysearchnow.com
Hosts file: 69.56.223.196 www.therealsearch.com
Hosts file: 69.56.223.196 www.find-itnow.com
Hosts file: 69.56.223.196 find.microgirls.com
Hosts file: 69.56.223.196 super-spider.com
Hosts file: 69.56.223.196 www.searching-the-net.com
Hosts file: 69.56.223.196 www.firstbookmark.com
Hosts file: 69.56.223.196 just.find-itnow.com
Hosts file: 69.56.223.196 www.find-itnow.com
Hosts file: 69.56.223.196 qwertysearch123.biz
Hosts file: 69.56.223.196 www.search-space.com
Hosts file: 69.56.223.196 www.windowws.cc
Hosts file: 69.56.223.196 aifind.info
Hosts file: 69.56.223.196 www.find4u.net
Hosts file: 69.56.223.196 find4u.net
Hosts file: 69.56.223.196 www.lookfor.cc
Hosts file: 69.56.223.196 www.008i.com
Hosts file: 69.56.223.196 www.viewpornkey.com
Hosts file: 69.56.223.196 www.hugesearch.net
Hosts file: 69.56.223.196 www.novafuck.com
Hosts file: 69.56.223.196 www.seznam.cz
Hosts file: 69.56.223.196 aifind.cc
Hosts file: 69.56.223.196 www.onet.pl
Hosts file: 69.56.223.196 teenhqpics.com
Hosts file: 69.56.223.196 www.ttjj.com
Hosts file: 69.56.223.196 www.search-dot.com
Hosts file: 69.56.223.196 www.search-and-go.com
Hosts file: 69.56.223.196 www.slotch.com
Hosts file: 69.56.223.196 www.2fastsearch.net
Hosts file: 69.56.223.196 awebfind.biz
Hosts file: 69.56.223.196 www.power-search.info
Hosts file: 69.56.223.196 www.naver.com
Hosts file: 69.56.223.196 www.daum.net
Hosts file: 69.56.223.196 www.ohcorea.com
Hosts file: 69.56.223.196 www.hao123.com
Hosts file: 69.56.223.196 58q.com
Hosts file: 69.56.223.196 www.hotwebsearch.com
Hosts file: 69.56.223.196 www.startium.com
Hosts file: 69.56.223.196 www.gajai.com
Hosts file: 69.56.223.196 www.wazzupnet.com
Hosts file: 69.56.223.196 freshvideogals.com
Hosts file: 69.56.223.196 www.xgmm.com
Hosts file: 69.56.223.196 searchmyrequest.com
Hosts file: 69.56.223.196 yourbookmarks.ws
Hosts file: 69.56.223.196 wmmse.com
Hosts file: 69.56.223.196 link.startmake.com
Hosts file: 69.56.223.196 www.boredlife.com
Hosts file: 69.56.223.196 approvedlinks.com
Hosts file: 69.56.223.196 www.nkvd.us
Hosts file: 69.56.223.196 www.8095.com
Hosts file: 69.56.223.196 www.dreamwiz.com
Hosts file: 69.56.223.196 ie-search.com
Hosts file: 69.56.223.196 auto.ie.searchforge.om
Hosts file: 69.56.223.196 search.psn.cn
Hosts file: 69.56.223.196 www.couldnotfind.com
Hosts file: 69.56.223.196 www.iquicksearch.com
Hosts file: 69.56.223.196 1-se.com
Hosts file: 69.56.223.196 www.spidersearch.com
Hosts file: 69.56.223.196 search.ieplugin.com
Hosts file: 69.56.223.196 itseasy.us
Hosts file: 69.56.223.196 searchbar.findthewebsiteyouneed.com
Hosts file: 69.56.223.196 www.searchxl.com
Hosts file: 69.56.223.196 www.hotsearchbox.com
Hosts file: 69.56.223.196 www.searchforge.com
Hosts file: 69.56.223.196 www.omega-search.com
Hosts file: 69.56.223.196 searchcentrix.com
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe

UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,

CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com[*] dword:2

CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com[*] dword:2

Found Win.ini file: C:\WINNT\win.ini (1086 bytes, A)

Found System.ini file: C:\WINNT\system.ini (276 bytes, -)

Found CWS.Googlems.4 file: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Office\Excel10.dll (39936 bytes, A)



- END OF REPORT ?


Logfile of HijackThis v1.97.7
Scan saved at 13:10:19, on 23.01.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\RunDll32.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\DeTeWe\OpenCom 30\Capictrl.exe
C:\WINNT\SYSTEM32\ICON.EXE
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Programme\RVS\WCOM\SYSTEM\ccui.exe
C:\Programme\RVS\WCOM\SYSTEM\ccsrv.exe
C:\Programme\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 in.webcounter.cc
O1 - Hosts: 69.56.223.196 i-lookup.com
O1 - Hosts: 69.56.223.196 www.hand-book.com
O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
O1 - Hosts: 69.56.223.196 allneedsearch.com
O1 - Hosts: 69.56.223.196 nativehardcore.com
O1 - Hosts: 69.56.223.196 teen-biz.com
O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
O1 - Hosts: 69.56.223.196 best.royalsearch.net
O1 - Hosts: 69.56.223.196 default-homepage-network.com
O1 - Hosts: 69.56.223.196 xwebsearch.biz
O1 - Hosts: 69.56.223.196 www.rightfinder.net
O1 - Hosts: 69.56.223.196 www.search-1.net
O1 - Hosts: 69.56.223.196 www.searchv.com
O1 - Hosts: 69.56.223.196 www.websearch.com
O1 - Hosts: 69.56.223.196 mysearchnow.com
O1 - Hosts: 69.56.223.196 www.therealsearch.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 find.microgirls.com
O1 - Hosts: 69.56.223.196 super-spider.com
O1 - Hosts: 69.56.223.196 www.searching-the-net.com
O1 - Hosts: 69.56.223.196 www.firstbookmark.com
O1 - Hosts: 69.56.223.196 just.find-itnow.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 qwertysearch123.biz
O1 - Hosts: 69.56.223.196 www.search-space.com
O1 - Hosts: 69.56.223.196 www.windowws.cc
O1 - Hosts: 69.56.223.196 aifind.info
O1 - Hosts: 69.56.223.196 www.find4u.net
O1 - Hosts: 69.56.223.196 find4u.net
O1 - Hosts: 69.56.223.196 www.lookfor.cc
O1 - Hosts: 69.56.223.196 www.008i.com
O1 - Hosts: 69.56.223.196 www.viewpornkey.com
O1 - Hosts: 69.56.223.196 www.hugesearch.net
O1 - Hosts: 69.56.223.196 www.novafuck.com
O1 - Hosts: 69.56.223.196 www.seznam.cz
O1 - Hosts: 69.56.223.196 aifind.cc
O1 - Hosts: 69.56.223.196 www.onet.pl
O1 - Hosts: 69.56.223.196 teenhqpics.com
O1 - Hosts: 69.56.223.196 www.ttjj.com
O1 - Hosts: 69.56.223.196 www.search-dot.com
O1 - Hosts: 69.56.223.196 www.search-and-go.com
O1 - Hosts: 69.56.223.196 www.slotch.com
O1 - Hosts: 69.56.223.196 www.2fastsearch.net
O1 - Hosts: 69.56.223.196 awebfind.biz
O1 - Hosts: 69.56.223.196 www.power-search.info
O1 - Hosts: 69.56.223.196 www.naver.com
O1 - Hosts: 69.56.223.196 www.daum.net
O1 - Hosts: 69.56.223.196 www.ohcorea.com
O1 - Hosts: 69.56.223.196 www.hao123.com
O1 - Hosts: 69.56.223.196 58q.com
O1 - Hosts: 69.56.223.196 www.hotwebsearch.com
O1 - Hosts: 69.56.223.196 www.startium.com
O1 - Hosts: 69.56.223.196 www.gajai.com
O1 - Hosts: 69.56.223.196 www.wazzupnet.com
O1 - Hosts: 69.56.223.196 freshvideogals.com
O1 - Hosts: 69.56.223.196 www.xgmm.com
O1 - Hosts: 69.56.223.196 searchmyrequest.com
O1 - Hosts: 69.56.223.196 yourbookmarks.ws
O1 - Hosts: 69.56.223.196 wmmse.com
O1 - Hosts: 69.56.223.196 link.startmake.com
O1 - Hosts: 69.56.223.196 www.boredlife.com
O1 - Hosts: 69.56.223.196 approvedlinks.com
O1 - Hosts: 69.56.223.196 www.nkvd.us
O1 - Hosts: 69.56.223.196 www.8095.com
O1 - Hosts: 69.56.223.196 www.dreamwiz.com
O1 - Hosts: 69.56.223.196 ie-search.com
O1 - Hosts: 69.56.223.196 auto.ie.searchforge.com
O1 - Hosts: 69.56.223.196 search.psn.cn
O1 - Hosts: 69.56.223.196 www.couldnotfind.com
O1 - Hosts: 69.56.223.196 www.iquicksearch.com
O1 - Hosts: 69.56.223.196 1-se.com
O1 - Hosts: 69.56.223.196 www.spidersearch.com
O1 - Hosts: 69.56.223.196 search.ieplugin.com
O1 - Hosts: 69.56.223.196 itseasy.us
O1 - Hosts: 69.56.223.196 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 69.56.223.196 www.searchxl.com
O1 - Hosts: 69.56.223.196 www.hotsearchbox.com
O1 - Hosts: 69.56.223.196 www.searchforge.com
O1 - Hosts: 69.56.223.196 www.omega-search.com
O1 - Hosts: 69.56.223.196 searchcentrix.com
O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - C:\DOKUME~1\ADMINI~1\ANWEND~1\MICROS~1\Office\Excel10.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Programme\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [YAW starten] "C:\Programme\YAW 3.5\yawguard.exe"
O4 - HKCU\..\Run: [ArchiCrypt Stealth] C:\Programme\ArchiCrypt Stealth\ACStealth.exe -HIDE
O4 - HKCU\..\RunOnce: [CommCenter] C:\Programme\RVS\WCOM\SYSTEM\ccui.exe
O4 - Global Startup: CAPIControl.lnk = C:\Programme\DeTeWe\OpenCom 30\Capictrl.exe
O4 - Global Startup: PocketCam 3Mega Monitor.lnk = C:\WINNT\SYSTEM32\ICON.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .UVR: %programfiles%\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.134/tools/Flipside...herControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Moin Florian,

'nette' Sammlung, die du da hast...
Du hast scheinbar bei dem CWShredder 'nur' auf Scan geklickt?!?
Bitte starte CWShredder noch einmal und klicke dann auf Fix ->. Das bedeutet so viel wie reparieren.
Bitte beachten: Damit das fixen funktioniert, müssen alle Instanzen des InternetExplorers geschlossen sein.

Poste uns danach bitte ein neues Log von HijackThis, damit wir sehen können, was übrig geblieben ist und ggf. noch entfernt werden muss...

BTW: Es gab heute scheinbar eine aktualisierte Version von CWShredder (V1.46.3). Wenn Du noch eine ältere Version hast, mach bitte zunächst ein Update.

tschööö, DerBilk

So eine Log habe ich noch net gesehen ...

CWSHredder findet keine neue Version. Muss ich wohl direkt runterladen!?
Hab mit der alten FIX ausgeführt und hier kommt das neue Hijack Log:


Logfile of HijackThis v1.97.7
Scan saved at 14:12:15, on 23.01.2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\RunDll32.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\DeTeWe\OpenCom 30\Capictrl.exe
C:\WINNT\SYSTEM32\ICON.EXE
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Programme\RVS\WCOM\SYSTEM\ccui.exe
C:\Programme\RVS\WCOM\SYSTEM\ccsrv.exe
C:\WINNT\System32\cidaemon.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 in.webcounter.cc
O1 - Hosts: 69.56.223.196 i-lookup.com
O1 - Hosts: 69.56.223.196 www.hand-book.com
O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
O1 - Hosts: 69.56.223.196 allneedsearch.com
O1 - Hosts: 69.56.223.196 nativehardcore.com
O1 - Hosts: 69.56.223.196 teen-biz.com
O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
O1 - Hosts: 69.56.223.196 best.royalsearch.net
O1 - Hosts: 69.56.223.196 default-homepage-network.com
O1 - Hosts: 69.56.223.196 xwebsearch.biz
O1 - Hosts: 69.56.223.196 www.rightfinder.net
O1 - Hosts: 69.56.223.196 www.search-1.net
O1 - Hosts: 69.56.223.196 www.searchv.com
O1 - Hosts: 69.56.223.196 www.websearch.com
O1 - Hosts: 69.56.223.196 mysearchnow.com
O1 - Hosts: 69.56.223.196 www.therealsearch.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 find.microgirls.com
O1 - Hosts: 69.56.223.196 super-spider.com
O1 - Hosts: 69.56.223.196 www.searching-the-net.com
O1 - Hosts: 69.56.223.196 www.firstbookmark.com
O1 - Hosts: 69.56.223.196 just.find-itnow.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 qwertysearch123.biz
O1 - Hosts: 69.56.223.196 www.search-space.com
O1 - Hosts: 69.56.223.196 www.windowws.cc
O1 - Hosts: 69.56.223.196 aifind.info
O1 - Hosts: 69.56.223.196 www.find4u.net
O1 - Hosts: 69.56.223.196 find4u.net
O1 - Hosts: 69.56.223.196 www.lookfor.cc
O1 - Hosts: 69.56.223.196 www.008i.com
O1 - Hosts: 69.56.223.196 www.viewpornkey.com
O1 - Hosts: 69.56.223.196 www.hugesearch.net
O1 - Hosts: 69.56.223.196 www.novafuck.com
O1 - Hosts: 69.56.223.196 www.seznam.cz
O1 - Hosts: 69.56.223.196 aifind.cc
O1 - Hosts: 69.56.223.196 www.onet.pl
O1 - Hosts: 69.56.223.196 teenhqpics.com
O1 - Hosts: 69.56.223.196 www.ttjj.com
O1 - Hosts: 69.56.223.196 www.search-dot.com
O1 - Hosts: 69.56.223.196 www.search-and-go.com
O1 - Hosts: 69.56.223.196 www.slotch.com
O1 - Hosts: 69.56.223.196 www.2fastsearch.net
O1 - Hosts: 69.56.223.196 awebfind.biz
O1 - Hosts: 69.56.223.196 www.power-search.info
O1 - Hosts: 69.56.223.196 www.naver.com
O1 - Hosts: 69.56.223.196 www.daum.net
O1 - Hosts: 69.56.223.196 www.ohcorea.com
O1 - Hosts: 69.56.223.196 www.hao123.com
O1 - Hosts: 69.56.223.196 58q.com
O1 - Hosts: 69.56.223.196 www.hotwebsearch.com
O1 - Hosts: 69.56.223.196 www.startium.com
O1 - Hosts: 69.56.223.196 www.gajai.com
O1 - Hosts: 69.56.223.196 www.wazzupnet.com
O1 - Hosts: 69.56.223.196 freshvideogals.com
O1 - Hosts: 69.56.223.196 www.xgmm.com
O1 - Hosts: 69.56.223.196 searchmyrequest.com
O1 - Hosts: 69.56.223.196 yourbookmarks.ws
O1 - Hosts: 69.56.223.196 wmmse.com
O1 - Hosts: 69.56.223.196 link.startmake.com
O1 - Hosts: 69.56.223.196 www.boredlife.com
O1 - Hosts: 69.56.223.196 approvedlinks.com
O1 - Hosts: 69.56.223.196 www.nkvd.us
O1 - Hosts: 69.56.223.196 www.8095.com
O1 - Hosts: 69.56.223.196 www.dreamwiz.com
O1 - Hosts: 69.56.223.196 ie-search.com
O1 - Hosts: 69.56.223.196 auto.ie.searchforge.com
O1 - Hosts: 69.56.223.196 search.psn.cn
O1 - Hosts: 69.56.223.196 www.couldnotfind.com
O1 - Hosts: 69.56.223.196 www.iquicksearch.com
O1 - Hosts: 69.56.223.196 1-se.com
O1 - Hosts: 69.56.223.196 www.spidersearch.com
O1 - Hosts: 69.56.223.196 search.ieplugin.com
O1 - Hosts: 69.56.223.196 itseasy.us
O1 - Hosts: 69.56.223.196 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 69.56.223.196 www.searchxl.com
O1 - Hosts: 69.56.223.196 www.hotsearchbox.com
O1 - Hosts: 69.56.223.196 www.searchforge.com
O1 - Hosts: 69.56.223.196 www.omega-search.com
O1 - Hosts: 69.56.223.196 searchcentrix.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Programme\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-aware] "C:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [YAW starten] "C:\Programme\YAW 3.5\yawguard.exe"
O4 - HKCU\..\Run: [ArchiCrypt Stealth] C:\Programme\ArchiCrypt Stealth\ACStealth.exe -HIDE
O4 - HKCU\..\RunOnce: [CommCenter] C:\Programme\RVS\WCOM\SYSTEM\ccui.exe
O4 - Global Startup: CAPIControl.lnk = C:\Programme\DeTeWe\OpenCom 30\Capictrl.exe
O4 - Global Startup: PocketCam 3Mega Monitor.lnk = C:\WINNT\SYSTEM32\ICON.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .UVR: %programfiles%\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: *.offshoreclicks.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.134/tools/Flipside...herControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Sorry, dass das immer dauert, aber bin mit dem Bestizer des Rechners auch nur telfonisch verbunden...

</font><blockquote>Zitat:</font><hr />Original erstellt von *Christian*:
So eine Log habe ich noch net gesehen ... </font>[/QUOTE]... du müsstest erst mal am Rechner selbst sitzten!
Mir sind gestern die Pornoseiten, Dialer und Viren nur so um die Ohren geflogen.

@Florian:

Hast du eine Aiptek PacketCam?

Eigentlich hätte der Shredder mehr finden sollen, aber gut, dann wollen wir mal...

Bitte mit HijackThis folgendes 'fix'en:
Alle 01 - HOSTS
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.offshoreclicks.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.146.72.210:8111/AxisCamControl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://195.219.21.134/tools/Flipside...herControl.cab

Diese Liste erhebt noch keinen Anspruch auf Vollständigkeit! Ich schaue es mir teilweise noch genauer an.

Auf jeden Fall sollte dringend ein Update bei windowsupdate.microsoft.com gemacht werden. Das System ist ziemlich veraltet (Win2000 SP2)

tschööö, DerBilk

</font><blockquote>Zitat:</font><hr />Original erstellt von mmk:
@Florian:

Hast du eine Aiptek PacketCam? </font>[/QUOTE]Der Besitzer dieser Virensammlung hat so ein Ding, ja!

Was mir noch auffällt:
</font><blockquote>Zitat:</font><hr />C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe</font>[/QUOTE]Der/die jenige surft scheinbar mit Adminrechten im Internet. Das sollte man tunlichst vermeiden! Besser hierfür einen Benutzer mit eingeschränkten Rechten anlegen.

</font><blockquote>Zitat:</font><hr />
Found CWS.Googlems.4 file: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Office\Excel10.dll (39936 bytes, A)</font>[/QUOTE]Falls diese Datei nach dem 'shreddern' noch vorhanden ist, bitte einmal bei http://www.kaspersky.com/remoteviruschk.html überprüfen.

Anmerkungen zum Log:

Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

-&gt; Das System befindet sich auf einem ziemlich alten Patchlevel. Das sollte dringend behoben werden!


C:\WINNT\system32\ZoneLabs\vsmon.exe

-&gt; Keine geeigente Schutzlösung.


Zu löschen sind bei geschlossenem IE folgende Einträge (links von diesen jeweils ein Häkchen setzen, dann "Fix checked" wählen):


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 in.webcounter.cc
O1 - Hosts: 69.56.223.196 i-lookup.com
O1 - Hosts: 69.56.223.196 www.hand-book.com
O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
O1 - Hosts: 69.56.223.196 allneedsearch.com
O1 - Hosts: 69.56.223.196 nativehardcore.com
O1 - Hosts: 69.56.223.196 teen-biz.com
O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
O1 - Hosts: 69.56.223.196 best.royalsearch.net
O1 - Hosts: 69.56.223.196 default-homepage-network.com
O1 - Hosts: 69.56.223.196 xwebsearch.biz
O1 - Hosts: 69.56.223.196 www.rightfinder.net
O1 - Hosts: 69.56.223.196 www.search-1.net
O1 - Hosts: 69.56.223.196 www.searchv.com
O1 - Hosts: 69.56.223.196 www.websearch.com
O1 - Hosts: 69.56.223.196 mysearchnow.com
O1 - Hosts: 69.56.223.196 www.therealsearch.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 find.microgirls.com
O1 - Hosts: 69.56.223.196 super-spider.com
O1 - Hosts: 69.56.223.196 www.searching-the-net.com
O1 - Hosts: 69.56.223.196 www.firstbookmark.com
O1 - Hosts: 69.56.223.196 just.find-itnow.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 qwertysearch123.biz
O1 - Hosts: 69.56.223.196 www.search-space.com
O1 - Hosts: 69.56.223.196 www.windowws.cc
O1 - Hosts: 69.56.223.196 aifind.info
O1 - Hosts: 69.56.223.196 www.find4u.net
O1 - Hosts: 69.56.223.196 find4u.net
O1 - Hosts: 69.56.223.196 www.lookfor.cc
O1 - Hosts: 69.56.223.196 www.008i.com
O1 - Hosts: 69.56.223.196 www.viewpornkey.com
O1 - Hosts: 69.56.223.196 www.hugesearch.net
O1 - Hosts: 69.56.223.196 www.novafuck.com
O1 - Hosts: 69.56.223.196 www.seznam.cz
O1 - Hosts: 69.56.223.196 aifind.cc
O1 - Hosts: 69.56.223.196 www.onet.pl
O1 - Hosts: 69.56.223.196 teenhqpics.com
O1 - Hosts: 69.56.223.196 www.ttjj.com
O1 - Hosts: 69.56.223.196 www.search-dot.com
O1 - Hosts: 69.56.223.196 www.search-and-go.com
O1 - Hosts: 69.56.223.196 www.slotch.com
O1 - Hosts: 69.56.223.196 www.2fastsearch.net
O1 - Hosts: 69.56.223.196 awebfind.biz
O1 - Hosts: 69.56.223.196 www.power-search.info
O1 - Hosts: 69.56.223.196 www.naver.com
O1 - Hosts: 69.56.223.196 www.daum.net
O1 - Hosts: 69.56.223.196 www.ohcorea.com
O1 - Hosts: 69.56.223.196 www.hao123.com
O1 - Hosts: 69.56.223.196 58q.com
O1 - Hosts: 69.56.223.196 www.hotwebsearch.com
O1 - Hosts: 69.56.223.196 www.startium.com
O1 - Hosts: 69.56.223.196 www.gajai.com
O1 - Hosts: 69.56.223.196 www.wazzupnet.com
O1 - Hosts: 69.56.223.196 freshvideogals.com
O1 - Hosts: 69.56.223.196 www.xgmm.com
O1 - Hosts: 69.56.223.196 searchmyrequest.com
O1 - Hosts: 69.56.223.196 yourbookmarks.ws
O1 - Hosts: 69.56.223.196 wmmse.com
O1 - Hosts: 69.56.223.196 link.startmake.com
O1 - Hosts: 69.56.223.196 www.boredlife.com
O1 - Hosts: 69.56.223.196 approvedlinks.com
O1 - Hosts: 69.56.223.196 www.nkvd.us
O1 - Hosts: 69.56.223.196 www.8095.com
O1 - Hosts: 69.56.223.196 www.dreamwiz.com
O1 - Hosts: 69.56.223.196 ie-search.com
O1 - Hosts: 69.56.223.196 auto.ie.searchforge.com
O1 - Hosts: 69.56.223.196 search.psn.cn
O1 - Hosts: 69.56.223.196 www.couldnotfind.com
O1 - Hosts: 69.56.223.196 www.iquicksearch.com
O1 - Hosts: 69.56.223.196 1-se.com
O1 - Hosts: 69.56.223.196 www.spidersearch.com
O1 - Hosts: 69.56.223.196 search.ieplugin.com
O1 - Hosts: 69.56.223.196 itseasy.us
O1 - Hosts: 69.56.223.196 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 69.56.223.196 www.searchxl.com
O1 - Hosts: 69.56.223.196 www.hotsearchbox.com
O1 - Hosts: 69.56.223.196 www.searchforge.com
O1 - Hosts: 69.56.223.196 www.omega-search.com
O1 - Hosts: 69.56.223.196 searchcentrix.com
O15 - Trusted Zone: *.offshoreclicks.com


Diese Datei kann ich momentan leider nicht eindeutig zuordnen:

O12 - Plugin for .UVR: %programfiles%\Internet Explorer\Plugins\NPUPano.dll

</font><blockquote>Zitat:</font><hr />Original erstellt von DerBilk:
Falls diese Datei nach dem 'shreddern' noch vorhanden ist, [...] </font>[/QUOTE]Laut zweitem Log ist sie zumindest nicht mehr vorhanden.