Trojaner-Board - trojaner und so n scheiss

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - trojaner und so n scheiss (https://www.trojaner-board.de/10213-trojaner-so-n-scheiss.html)

trojaner und so n scheiss

moin.
normalerweise stelle ich mich bei pcs nicht so blöd an aber diesesmal bin ich echt überfordert :-)
nachfolgend mal mein logfile it den hinweisen das der rechner sich völlig unmotoviert runterfährt und mir trotz div. softwares immer noch seltsame dinge passieren.

Logfile of HijackThis v1.98.2
Scan saved at 17:27:57, on 29.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\Medionkeyboard\1.3\MMKEYBD.EXE
C:\Programme\Browser mouse\1.3\mouse32a.exe
C:\Programme\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\system32\mfcxo.exe
C:\Programme\ICQPlus\vplus.exe
C:\Programme\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\nthc32.exe
C:\Programme\ICQ\ICQ.exe
C:\Programme\McAfee\McAfee VirusScan\VsStat.exe
C:\Programme\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
C:\Programme\McAfee\McAfee VirusScan\Avconsol.exe
C:\Programme\Internet Explorer\iexplore.exe
E:\downloadz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {EEC5E97D-FEE9-10E0-CADD-92CA1BBC7A64} - C:\WINDOWS\system32\ntpp32.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Programme\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Medionkeyboard\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMMEDIONMOUSE] C:\Programme\Browser mouse\1.3\mouse32a.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programme\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme\Quick Time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Programme\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater (required)] regsvr32 /s C:\WINDOWS\System32\KDP544c.dll
O4 - HKLM\..\Run: [mfcxo.exe] C:\WINDOWS\system32\mfcxo.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Programme\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Programme\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Programme\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\RunOnce: [ICQ] C:\Programme\ICQ\ICQ.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab

ich hab den eindruck als könntet ihr mir helfen, wirkt alles sehr kompetent hier.
Danke schonmal.
Lars

Hi,

beende diesen Prozess und lösche ihn anschließen manuell:

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

Fixe diese Einträge:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ildfq.dll/sp.html#29126

R3 - Default URLSearchHook is missing

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

hab noch n escan machen lassen....:

File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcxo.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfcxo.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dcdidx.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\zsqpcj.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
ile C:\WINDOWS\questmod.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\xkndgk.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\qkgiiv.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\egfzvf.dat infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\maexh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Ta
File C:\WINDOWS\jnxani.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\odmcl.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken
File C:\WINDOWS\n_xwthcs.txt infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apici32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\n_kpppgs.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\javafg.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\gnwiz.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\hixpy.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ildfq.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\HSVM77D3\f29126[1].hta infected by "TrojanDropper.VBS.Inor.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ivuvt.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\gnwiz.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\icyfd.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\yuqej.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xubha.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\hixpy.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ildfq.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dcdidx.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\zsqpcj.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken
File C:\WINDOWS\questmod.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\xkndgk.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\qkgiiv.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgDE10.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\rdgDE10.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\egfzvf.dat infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\qmeuty.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Take
File C:\WINDOWS\maexh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jnxani.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\danpy.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bdeggn.log infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ffsae.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\odmcl.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ldjtq.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\daljz.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\n_xwthcs.txt infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken
File C:\WINDOWS\apici32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\n_kpppgs.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No
File C:\WINDOWS\system32\mfcxo.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No
File C:\WINDOWS\system32\mfcxo.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action
File C:\WINDOWS\nthc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dcdidx.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\zsqpcj.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\questmod.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\xkndgk.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken
File C:\WINDOWS\qkgiiv.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken
ile C:\WINDOWS\egfzvf.dat infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\qmeuty.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken
File C:\WINDOWS\maexh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jnxani.log infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\danpy.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\bdeggn.log infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken
File C:\WINDOWS\ffsae.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\odmcl.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
ile C:\WINDOWS\ldjtq.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\daljz.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action T
File C:\WINDOWS\n_xwthcs.txt infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apici32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\n_kpppgs.dat infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.
File C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\HSVM77D3\f29126[1].hta infected by "TrojanDropper.VBS.Inor.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\questmod.dll infected by "Trojan.Win32.Dialer.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgDE10.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\rdgDE10.exe infected by "Trojan.Win32.Dialer.ay" Virus. Action Taken: No Action Taken.
on Nov 29 18:18:18 2004 => ***** Scanning complete. *****

Mon Nov 29 18:18:18 2004 => Total Files Scanned: 20665
Mon Nov 29 18:18:18 2004 => Total Virus(es) Found: 72
Mon Nov 29 18:18:18 2004 => Total Disinfected Files: 0
Mon Nov 29 18:18:18 2004 => Total Files Renamed: 0
Mon Nov 29 18:18:18 2004 => Total Deleted Files: 0
Mon Nov 29 18:18:18 2004 => Total Errors: 6
Mon Nov 29 18:18:18 2004 => Time Elapsed: 00:18:48
Mon Nov 29 18:18:18 2004 => Virus Database Date: 2004/11/26
Mon Nov 29 18:18:18 2004 => Virus Database Count: 110568

Mon Nov 29 18:18:18 2004 => Scan Completed.
ich glaub ich dreh ab...einige der gen. dateien kann ich ncitmal aufm rechner finden...

Lars

Um alle zu sehn mach das:

Explorer-->Extras-->Ordneroptionen-->Ansicht-->Bei "Geschützte Systemdateien ausblenden (empfohlen)" Häckchen entfernen.

Lösch alle diese Trojaner von Hand.

@ElNino
sichere vorher auf diskette alle einträge wo dialer im namen steht, zwecks beweissicherung.
danach
Escan anweisungen löschen
"Öffne die mwav.log -> Bearbeiten -> Suchen -> infected eingeben -> Weitersuchen -> Treffer markieren/kopieren und in die Windows Suche übertragen -> löschen!" (Cidre). Systemwiederherstellung aktivieren, in den normalen Modus booten.

chaosman

Hi.
Danke erstmal für die Hilfe....
aber das Problem ist das selbst wenn ich die Sysemdateien anzeigen lasse, ich einige der Dateien icht finden kann.....
das mit safemode und so hab ich alles schon hinter mir..:-)
Lars

@ ElNino

Setze mal die alte Version von eScan ein, damit wird die Malware automatisch entfernt. ftp://mwti.matrix.lv/download/tools/