Trojaner-Board - Bitte um Hilfe!!!

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Bitte um Hilfe!!! (https://www.trojaner-board.de/22350-bitte-um-hilfe.html)

Bitte um Hilfe!!!

Ich (AntiVir) hab Trojanische Pferd TR/Dldr.IstBar.LU gefunden :crazy:
Und gelöscht:
D:\SYSTEM VOLUME INFORMATION\_RESTORE{C77DCCFA-F80F-4FF6-8B4C-2CBED45873D5}\RP224\A0034850.EXE

Logfile of HijackThis v1.99.1
Scan saved at 17:55:41, on 01.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ANTIVIR PERSONAL\AVGUARD.EXE
D:\AntiVir Personal\AVWUPSRV.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
D:\AntiVir Personal\AVGNT.EXE
D:\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\LevelOne\LevelOne WPC-0301 11g Wireless PCMCIA Adapter\Installer\WINXP\LevelOneConfig0301.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] D:\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\AntiVir Personal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LevelOne Utility.lnk = C:\Programme\LevelOne\LevelOne WPC-0301 11g Wireless PCMCIA Adapter\Installer\WINXP\LevelOneConfig0301.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - h**p://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103799375406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\Software\..\Telephony: DomainName = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA4A7FE-3634-4272-9236-2A329D6A8F3E}: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA4A7FE-3634-4272-9236-2A329D6A8F3E}: NameServer = 129.187.115.12,129.187.10.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sysbot.biologie.uni-muenchen.de
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - D:\Invitrogen\Vector NTI Advance 9\Ncbi.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\ANTIVIR PERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\AntiVir Personal\AVWUPSRV.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Was soll ich machen?
Danke

[edit]
links entfernt
[/edit]

@Ilka
im logfile sehe ich nichts besonderes.
wie hast du dem gelöscht
D:\SYSTEM VOLUME INFORMATION\_RESTORE{C77DCCFA-F80F-4FF6-8B4C-2CBED45873D5}\RP224\A0034850.EXE

chaosman

Zitat:

Zitat von chaosman

@Ilka
im logfile sehe ich nichts besonderes.
wie hast du dem gelöscht
D:\SYSTEM VOLUME INFORMATION\_RESTORE{C77DCCFA-F80F-4FF6-8B4C-2CBED45873D5}\RP224\A0034850.EXE

chaosman

Mit AntiVir

@Ilka
ok, dann deaktiviere die systemwiederherstellung, boote neu, aktiviere die systemwiederherstellung.

chaosman :D

Zitat:

Zitat von chaosman

@Ilka
ok, dann deaktiviere die systemwiederherstellung, boote neu, aktiviere die systemwiederherstellung.

chaosman :D

o, ja, danke :crazy: leider bin ich eine biologin ;)

@Ilka
poste das doch gleich ;)
guckst du hier
http://www.bsi.bund.de/av/texte/wiederher_xp.htm

chaosman

der bildschirm meines laptops flattert schon seit 4-5 tagen. ich frage mich ob das an einem trojaner liegt. :)

@Ilka
poste bitte ein HJT logfile
http://www.trojaner-board.de/showthread.php?t=17493

chaosman

@chaosman

Logfile of HijackThis v1.99.1
Scan saved at 19:16:43, on 01.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ANTIVIR PERSONAL\AVGUARD.EXE
D:\AntiVir Personal\AVWUPSRV.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
D:\AntiVir Personal\AVGNT.EXE
D:\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\LevelOne\LevelOne WPC-0301 11g Wireless PCMCIA Adapter\Installer\WINXP\LevelOneConfig0301.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wscntfy.exe
D:\ICQ\Icq.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CfgWiz.exe
C:\Programme\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] D:\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\AntiVir Personal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programme\Gemeinsame Dateien\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LevelOne Utility.lnk = C:\Programme\LevelOne\LevelOne WPC-0301 11g Wireless PCMCIA Adapter\Installer\WINXP\LevelOneConfig0301.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - h**p://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103799375406
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\Software\..\Telephony: DomainName = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA4A7FE-3634-4272-9236-2A329D6A8F3E}: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFA4A7FE-3634-4272-9236-2A329D6A8F3E}: NameServer = 129.187.115.12,129.187.10.25
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sysbot.biologie.uni-muenchen.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sysbot.biologie.uni-muenchen.de
O18 - Protocol: ncbi8 - {2B576DD3-0B3E-4718-BCBF-B15E4FB8009D} - D:\Invitrogen\Vector NTI Advance 9\Ncbi.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\ANTIVIR PERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\AntiVir Personal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe

danke ;)

[edit]
links entfernt
[/edit]