Trojaner-Board - Trojaner Spyware etc. (QUrl-3, Small.OF.F, Dldr.1296, Buddy.F)

Hallo!

Ich hab ein Problem mit einem Rechner in unserer Firma.

Der ist anschienend mit Spyware/Trojanern befallen.

Ich hab bereits mit Antivir gescannt. Der hat Small.OF.F, Dldr.1296 und Buddy.F gefunden, die ich dann gelöscht hab.

Mit McAfee Virenscanner hab ich den QUrl-3 gefunden und gelöscht.

Jetzt lass ich grade einen Online-Scanner laufen, der hat bis jetzt MedipassK.exe gefunden.

Das Hjt-logfile:

Code:

Logfile of HijackThis v1.99.1

Scan saved at 13:34:21, on 11.05.2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Programme\AVPersonal\AVGUARD.EXE

C:\Programme\Network Associates\VirusScan\Avsynmgr.exe

C:\Programme\AVPersonal\AVWUPSRV.EXE

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Programme\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Programme\AutoCAD 2005\crack\Autodesk Network License Manager\lmgrd.exe

C:\Programme\AutoCAD 2005\crack\Autodesk Network License Manager\adskflex.exe

C:\Programme\Network Associates\VirusScan\VsStat.exe

C:\Programme\Network Associates\VirusScan\Vshwin32.exe

C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe

C:\Programme\Network Associates\VirusScan\Avconsol.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\rundll32.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\system32\RunDll32.exe

C:\WINNT\Dit.exe

C:\WINNT\DitExp.exe

C:\WINNT\mHotkey.exe

C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe

C:\Programme\Ahead\InCD\InCD.exe

C:\Programme\TelefonCD\OtbStart.EXE

C:\Programme\Java\jre1.5.0_01\bin\jusched.exe

C:\WINNT\isrvs\desktop.exe

C:\Programme\Winamp\winampa.exe

C:\Programme\AVPersonal\AVGNT.EXE

C:\WINNT\system32\internat.exe

C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE

C:\arbeit\HijackThis.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=0

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINNT\system32\azesearch3.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Dit] Dit.exe

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppdis2a.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [OtbStart] C:\Programme\TelefonCD\OtbStart.EXE

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"

O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoCAD-Startbeschleuniger.lnk = C:\Programme\Gemeinsame Dateien\Autodesk Shared\acstart16.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://toolbar.azesearch.com/install/azesearch.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9045B00D-C08A-401D-86A8-6CE6A3F61572}: NameServer = 195.3.96.67,195.3.96.68

O18 - Protocol: bega - {A57721C9-B905-49B3-8BCA-B99FBB8C627E} - C:\Programme\Gemeinsame Dateien\BEGA\DatabaseTools.dll

O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Programme\DIALux\System\DLXToolBox.dll

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

O20 - Winlogon Notify: ExtShellViews - C:\WINNT\system32\ml4sdmod.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE

O23 - Service: Autodesk - Macrovision Corporation - C:\Programme\AutoCAD 2005\crack\Autodesk Network License Manager\lmgrd.exe

O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programme\Network Associates\VirusScan\Avsynmgr.exe

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE

O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe

O23 - Service: Intsrvdetm - Ahead Software AG - (no file)

O23 - Service: McShield - Network Associates, Inc. - C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe

O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Ich hab sowohl Spybot als auch ad-aware ein paar mal laufen lassen und nie hat sich irgendwas geändert.

Die Probleme: Manchmal fährt sich der Computer während dem Arbeiten, scheinbar ohne Grund runter... zumindest kommt die Meldung "windows wird jetzt runtergefahren, nach ein paar sekundn geht wieder alles normal.

Wenn ich in Mozilla auf Links klicke/manuell adressen eingeben geht er manchmal nicht auf diese Seite/eine andere.
Wenn links in einem neuen Fenster geöffnet werden, schließt der Virus/trojaner sie manchmal selbstständig.

Ausserdem hat sich rechts über der Taskbar eine searchbar festgeankert, die bei mouse-over sichtbar wird.

Wäre für jede Hilfe dankbar.

HAb grade mvaw ausgeführt.

Das ist das ergebniss:

Code:

File C:\WINNT\system32\ngevtmsg.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\isrvs\desktop.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\azesearch3.dll infected by "not-a-virus:AdWare.ToolBar.Azesearch.b" Virus. Action Taken: No Action Taken.

File C:\WINNT\isrvs\desktop.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.

File C:\WINNT\svcproc.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "CoolWebSearch Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "ISearchTech Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINNT\Bolger.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\WINNT\icont.exe infected by "not-a-virus:AdWare.AdURL.c" Virus. Action Taken: No Action Taken.

File C:\WINNT\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\absnds.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\azesearch2.dll infected by "not-a-virus:AdWare.ToolBar.Azesearch.b" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\dnr4019qe.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\f20o0cd3ef0.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fBxocm.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fp8003lme.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fpjo0313e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fppm0371e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\iasadm.dll infected by "not-a-virus:AdWare.ToolBar.Azesearch.b" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\k880lilm18qa.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\kcdsw.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\lvr8099ue.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\mldrv.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\modimap.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\mv8sl9l71.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\ngevtmsg.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\tksrv99.exe infected by "Trojan-Downloader.Win32.Esepor.y" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\wincoreak.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.

File C:\DOKUME~1\projekt\LOKALE~1\Temp\WZC\aurareco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\DOKUME~1\projekt\LOKALE~1\TEMPOR~1\Content.IE5\UHFWHONI\MediaPassC[1].dll infected by "not-a-virus:AdWare.WinAD.ac" Virus. Action Taken: No Action Taken.

File C:\Dokumente und Einstellungen\projekt\Lokale Einstellungen\Temp\WZC\aurareco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\Dokumente und Einstellungen\projekt\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UHFWHONI\MediaPassC[1].dll infected by "not-a-virus:AdWare.WinAD.ac" Virus. Action Taken: No Action Taken.

File C:\Program Files\Media Pass\MediaPassC.dll infected by "not-a-virus:AdWare.WinAD.ac" Virus. Action Taken: No Action Taken.

File C:\Programme\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar infected by "not-a-virus:AdWare.ToolBar.ISearch.e" Virus. Action Taken: No Action Taken.

File C:\WINNT\Bolger.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

File C:\WINNT\icont.exe infected by "not-a-virus:AdWare.AdURL.c" Virus. Action Taken: No Action Taken.

File C:\WINNT\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.

File C:\WINNT\isrvs\isearch.xpi infected by "not-a-virus:AdWare.ToolBar.ISearch.e" Virus. Action Taken: No Action Taken.

File C:\WINNT\isrvs\mfiltis.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\absnds.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\azesearch2.dll infected by "not-a-virus:AdWare.ToolBar.Azesearch.b" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\dnr4019qe.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\f20o0cd3ef0.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fBxocm.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fp8003lme.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fpjo0313e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\fppm0371e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\iasadm.dll infected by "not-a-virus:AdWare.ToolBar.Azesearch.b" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\k880lilm18qa.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\kcdsw.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\lvr8099ue.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\mldrv.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\modimap.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\mv8sl9l71.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\ngevtmsg.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\tksrv99.exe infected by "Trojan-Downloader.Win32.Esepor.y" Virus. Action Taken: No Action Taken.

File C:\WINNT\system32\wincoreak.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.

File C:\WINNT\Temp\B92444398\build2.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.

File C:\WINNT\Temp\bw2.com infected by "not-a-virus:AdWare.AdURL.c" Virus. Action Taken: No Action Taken.

File C:\WINNT\Temp\upd203.exe infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

File C:\WINNT\Temp\wincoreak.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.