Trojaner-Board


FelixH 19.03.2005 00:11

Trojans that Norton does not delete

Hello!

Norton was not able to delete the following "threats":

C:\WINNT\NDNuninstall4_85.exe
C:\WINNT\NDNuninstall5_48
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5

I don't know exactly how to remove these Trojans from the computer, so I am posting a complete HiJack log to the forum right away. Maybe someone can tell me what I have to do to get my computer clean again...

Many thanks in advance

Regards /Felix

Logfile of HijackThis v1.97.2
Scan saved at 12:14:23 AM, on 3/19/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.biofokus.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [HVDNXFSAK] C:\WINNT\HVDNXFSAK.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20069c2a...p/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.getteron.varberg.se/activ...CamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash/cabs/swflash.cab

dartus 19.03.2005 00:42

Hello,

please run the following:
1. Download eScan and follow these instructions exactly (the scan in safe mode takes about an hour), http://www.systemwiederherstellung-d...indows-xp.html
2. after the scan, boot back into normal mode,
3. open the file "mwav.log", click "Edit" and then "Find",
4. then enter "infected",
5. keep searching through the hits, select them and copy them into the forum,
6. in addition to the hits, also post the overall result (it is at the very bottom of the log file).

Example:
Wed Feb 02 19:48:56 2005 => Total Files Scanned:
Wed Feb 02 19:48:56 2005 => Total Virus(es) Found:
.
.
.
.


dartus

FelixH 19.03.2005 18:20

Hello Dartus!

Many thanks for the quick help. Here is the result from eScan. I hope I have done everything correctly now....


Sat Mar 19 13:43:26 2005 => File C:\WINNT\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 13:43:26 2005 => File C:\WINNT\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:02:10 2005 => File C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\WT6BS5QZ\SmileyCentralInitialSetup1.0.0.8[1].exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:02:10 2005 => File C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\WT6BS5QZ\SmileyCentralInitialSetup1.0.0.8[2].exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:04 2005 => File C:\WINNT\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:04 2005 => File C:\WINNT\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:29 2005 => File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KB6T87YV\WksPatch[7].exe infected by "Net-Worm.Win32.Welchia.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:29 2005 => File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KB6T87YV\WksPatch[8].exe infected by "Net-Worm.Win32.Welchia.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:29 2005 => File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KB6T87YV\WksPatch[12].exe infected by "Net-Worm.Win32.Welchia.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 15:12:52 2005 => File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WT6BS5QZ\SmileyCentralInitialSetup1.0.0.8[1].exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 15:12:52 2005 => File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WT6BS5QZ\SmileyCentralInitialSetup1.0.0.8[2].exe infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:04:06 2005 => File C:\Documents and Settings\Administrator\Desktop\Mina dokument\Gullstrand hårddisk\Heintzenberg\new\setupmp3towav.exe infected by "not-a-virus:AdWare.BargainBuddy.a" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:04:15 2005 => File C:\Documents and Settings\Administrator\Desktop\Mina dokument\Gullstrand hårddisk\Heintzenberg\programs\setupmp3towav.exe infected by "not-a-virus:AdWare.Gator.1050" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:04:15 2005 => File C:\Documents and Settings\Administrator\Desktop\Mina dokument\Gullstrand hårddisk\Heintzenberg\programs\setupwavtomp3.exe infected by "not-a-virus:AdWare.Gator.1050" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:08:18 2005 => File C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-588fab9e-321fac11.zip infected by "Trojan.Java.ClassLoader.k" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:12:16 2005 => File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:12:16 2005 => File C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:12:16 2005 => File C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:12:16 2005 => File C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:16:13 2005 => File C:\Program Files\Lycos\IEagent\CSIEINST.DLL infected by "not-a-virus:AdWare.ClearSearch.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:16:13 2005 => File C:\Program Files\Lycos\IEagent\CSSSINST.DLL infected by "not-a-virus:AdWare.ClearSearch.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:16:13 2005 => File C:\Program Files\Lycos\IEagent\CSBIINST.DLL infected by "not-a-virus:AdWare.ClearSearch.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:21:05 2005 => File E:\backup 031211\Mina dokument\Gullstrand hårddisk\Heintzenberg\programs\setupmp3towav.exe infected by "not-a-virus:AdWare.Gator.1050" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:21:06 2005 => File E:\backup 031211\Mina dokument\Gullstrand hårddisk\Heintzenberg\programs\setupwavtomp3.exe infected by "not-a-virus:AdWare.Gator.1050" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:21:16 2005 => File E:\backup 031211\Mina dokument\Gullstrand hårddisk\Heintzenberg\new\setupmp3towav.exe infected by "not-a-virus:AdWare.BargainBuddy.a" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:28:54 2005 => File C:\WINNT\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:28:54 2005 => File C:\WINNT\NDNuninstall5_48.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.


Sat Mar 19 16:29:11 2005 => Total Files Scanned: 402572
Sat Mar 19 16:29:11 2005 => Total Virus(es) Found: 32
Sat Mar 19 16:29:11 2005 => Total Disinfected Files: 0
Sat Mar 19 16:29:11 2005 => Total Files Renamed: 0
Sat Mar 19 16:29:12 2005 => Total Deleted Files: 0
Sat Mar 19 16:29:12 2005 => Total Errors: 37
Sat Mar 19 16:29:12 2005 => Time Elapsed: 02:46:22
Sat Mar 19 16:29:12 2005 => Virus Database Date: 2005/03/17
Sat Mar 19 16:29:12 2005 => Virus Database Count: 122324


Regards /Felix
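
The search dartus describes (every "infected" line in mwav.log plus the summary at the end) can also be done with a short script. This is an added example, not part of the original thread; the line format is taken from the log posted above, and the names `parse_mwav` and `triage` are made up for the illustration.

```python
import re
from collections import defaultdict

# Excerpt of the mwav.log lines posted in the thread (shortened set, same format).
SAMPLE_LOG = r'''
Sat Mar 19 13:43:26 2005 => File C:\WINNT\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:04 2005 => File C:\WINNT\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
Sat Mar 19 14:55:29 2005 => File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KB6T87YV\WksPatch[7].exe infected by "Net-Worm.Win32.Welchia.b" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:08:18 2005 => File C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-588fab9e-321fac11.zip infected by "Trojan.Java.ClassLoader.k" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:12:16 2005 => File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWebSearch" Virus. Action Taken: No Action Taken.
Sat Mar 19 16:29:11 2005 => Total Files Scanned: 402572
Sat Mar 19 16:29:11 2005 => Total Virus(es) Found: 32
Sat Mar 19 16:29:11 2005 => Total Disinfected Files: 0
'''

# Assumption: every hit and every summary line follows the two shapes seen in the thread.
HIT = re.compile(r'^(?P<ts>.+?) => File (?P<path>.+) infected by "(?P<name>[^"]+)" Virus\. '
                 r'Action Taken: (?P<action>.+?)\.?$')
TOTAL = re.compile(r'^.+? => (?P<key>Total [^:]+): (?P<val>\d+)$')

def parse_mwav(text):
    """Return (detections, totals). detections maps detection name -> set of
    lower-cased file paths, so repeated scan passes over one file count once."""
    detections, totals = defaultdict(set), {}
    for line in text.splitlines():
        line = line.strip()
        if m := HIT.match(line):
            detections[m['name']].add(m['path'].lower())
        elif m := TOTAL.match(line):
            totals[m['key']] = int(m['val'])
    return dict(detections), totals

def triage(detections):
    """Split detection names into ("not-a-virus:" adware/riskware) and the rest."""
    adware = sorted(n for n in detections if n.startswith('not-a-virus:'))
    malware = sorted(n for n in detections if not n.startswith('not-a-virus:'))
    return malware, adware

if __name__ == '__main__':
    det, totals = parse_mwav(SAMPLE_LOG)
    malware, adware = triage(det)
    unique = sum(len(paths) for paths in det.values())
    print(f"unique infected files: {unique} (log total: {totals.get('Total Virus(es) Found')})")
    for name in malware + adware:  # worm/trojan detections first, adware after
        for path in sorted(det[name]):
            print(f"{name}\t{path}")
```

Short 8.3 paths such as C:\DOCUME~1\... and their long forms name the same file but are counted separately here, because mapping one to the other needs the original file system.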

Cidre 19.03.2005 22:21

Switch to safe mode and, under Control Panel -> Add/Remove Programs, uninstall MyWeb or similar.

Fix these entries (tick them and click Fix Checked):
All R0 and R1
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O4 - HKLM\..\Run: [HVDNXFSAK] C:\WINNT\HVDNXFSAK.exe

Delete these files:
C:\WINNT\NDNuninstall4_85.exe
C:\WINNT\NDNuninstall5_48.exe
Folder C:\Program Files\MyWebSearch
C:\Program Files\Lycos\IEagent\CSIEINST.DLL
E:\backup 031211\Mina dokument\Gullstrand hårddisk\Heintzenberg\programs\setupwavtomp3.exe

Empty the cache of IE and of the Java™ Plug-in. Update the latter -> http://www.java.com/de/download/windows_xpi.jsp

- Reboot
- update your system http://v5.windowsupdate.microsoft.co...r/default.aspx
- configure IE more securely and use it only for Windows Update from now on http://www.datenschutzzentrum.de/sel...sie/config.htm
- use secure and more convenient browsers such as Mozilla or Firefox http://www.mozilla.org
- post a new HiJackThis log file (version 1.99.1)


All times are in WET +1 (WEZ +1).
