Trojaner-Board

Thread: Winfixer and other popups (https://www.trojaner-board.de/22807-winfixer-andere-popups.html), forum section "Log-Analyse und Auswertung"

nae2003 16.10.2005 17:35

Winfixer and other popups

Hello, I have the following problem: my computer keeps doing things on its own! Either Winfixer pops up, or some Firefox pop-ups with weird casino sites etc. simply open. I hope you can help me somehow!

Regards


Logfile of HijackThis v1.99.1
Scan saved at 18:29:28, on 16.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\eScan\avpm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\locator.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Messenger Plus! 3\MsgPlus.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\wuauclt.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\Dokumente und Einstellungen\Al1\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {C259B1CC-E686-9070-EF7E-3398AF65A679} - C:\WINNT\system32\psafwowu.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Programme\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - h**p://www.cult3d.com/download/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - h**p://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/de/win/QuickTimeInstaller.exe
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - h**p://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - h**p://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1DF3B66-9CE4-473B-9781-EA5A1B045E4F}: NameServer = 217.237.150.225 217.237.150.141
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\aza2le5o1h.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Haui45 16.10.2005 17:51

Hello,

since you already have eScan on the PC, you should run an update first.

Download ClearProg.

Start the PC in Safe Mode and uninstall Messenger Plus including its sponsor programs!

Delete all temp files of Windows and Internet Explorer.

Fix with HijackThis:
O2 - BHO: (no name) - {C259B1CC-E686-9070-EF7E-3398AF65A679} - C:\WINNT\system32\psafwowu.dll (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\aza2le5o1h.dll (the file will probably have a different name after the reboot, but it will be in the same place in HijackThis)


Scan with eScan.

Reboot

Copy the file C:\Programme\eScan\mwav.log into the folder C:\bases_x you created and post the findings as described here (Find.bat).
Also post a new HjT log and a Silent Runners log file.
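Haui45's fix list above comes from reading the log by hand. The following Python script is an added example, not a tool from this thread: it applies the same reading rules to a subset of the posted log. It flags registered components whose file is gone, O6 policy restrictions, the broken LSP chain, Winlogon Notify packages outside a small allowlist, and module names that alternate letters and digits the way machine-generated names do. The allowlist and the alternation threshold are my assumptions for illustration; the output is a starting point for a helper's review, not a verdict.

```python
"""Triage a HijackThis log: flag the entries a helper would ask to have fixed.

Added example, not a tool from the thread. The allowlist and the gibberish-name
threshold are assumptions chosen for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C259B1CC-E686-9070-EF7E-3398AF65A679} - C:\WINNT\system32\psafwowu.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\aza2le5o1h.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
MODULE_RE = re.compile(r"([A-Za-z0-9_~\-]+\.(?:dll|exe|ocx))", re.IGNORECASE)

# Assumed allowlist of Winlogon Notify packages shipped with Windows 2000/XP
# (illustrative, not exhaustive).
KNOWN_NOTIFY_DLLS = {"nwprovau.dll", "crypt32chain.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "scecli.dll", "termsrv.dll", "wlnotify.dll", "wzcdlg.dll"}


def alternation_score(filename: str) -> int:
    """Count adjacent letter/digit switches in the file stem; machine-generated names score high."""
    stem = filename.rsplit(".", 1)[0]
    return sum(1 for a, b in zip(stem, stem[1:])
               if (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha()))


def looks_random(filename: str) -> bool:
    """Four or more letter/digit switches (assumed threshold) marks a gibberish module name."""
    return alternation_score(filename) >= 4


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry: section tag, entry text and the reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower or "(no file)" in lower:
            reasons.append("registered component whose file is gone (orphaned hook)")
        if section == "O6":
            reasons.append("IE policy restriction present (commonly planted to block cleanup)")
        if section == "O10":
            reasons.append("Winsock LSP chain broken")
        modules = [mod.lower() for mod in MODULE_RE.findall(body)]
        if section == "O20" and not set(modules) <= KNOWN_NOTIFY_DLLS:
            reasons.append("Winlogon Notify package outside the allowlist")
        for mod in modules:
            if looks_random(mod):
                reasons.append(f"gibberish module name {mod}")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['entry']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

On the sample, the script flags exactly the O2, O6, O18 and O20 lines Haui45 listed plus the O10 entry, and leaves the legitimate O3, O4, O9 and O23 entries alone; `npjpi150_04.dll` and `nvsvc32.exe` contain digits but only one letter/digit switch each, so the name heuristic does not fire on them.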

nae2003 16.10.2005 19:18

eScan_neu
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 19:39:13 2005 => Virus Database Date: 2005/10/16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"MailScan Dispatcher" = ""C:\Programme\eScan\LAUNCH.EXE"" ["MicroWorld Technologies Inc."]
"eScan Updater" = "C:\PROGRA~1\eScan\TRAYICOS.EXE /App" ["MicroWorld Technologies Inc."]
"eScan Monitor" = "C:\PROGRA~1\eScan\AVPMWrap.EXE" ["MicroWorld Technologies Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C259B1CC-E686-9070-EF7E-3398AF65A679}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\psafwowu.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = "eBay Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\eBay\eBay Toolbar2\eBayTB.dll" [null data]
"{7C3473A3-40D8-414E-A8E6-7AA2E0E71841}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\sPpula791d.dll" [null data]
"{0DB8461F-5EFD-415F-A2B5-071BF6D22CD8}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mS640ijqe8oe0.dll" [null data]
"{B1C31F5C-5584-470F-B9FC-85128DFDEA2A}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mzr.dll" [null data]
"{D5B2FBE5-8E6D-4CBD-85C3-64B6D422CB33}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\NYDEAPI.DLL" [null data]
"{1667F4DC-A97C-429F-8728-10CA845FD4A7}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\oE840elqehqe0.dll" [null data]
"{F19AFD4B-B325-47B1-BD13-90AC927B8769}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\gg8sl3l71.dll" [null data]
"{7FCCEFE5-85F0-43CB-8DB9-8CAABF887CA5}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\qX680cjuefo80.dll" [null data]
"{DBF3F24F-7D78-4F2E-9371-C9FE9D5E3BFC}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dx0m01d1e.dll" [null data]
"{2A2A25B2-3483-47DF-A654-F50358C58BDA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\qB680cjuefo80.dll" [null data]
"{1E4F5D43-2170-4C70-98C2-DFE03142679E}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mndxmlc.dll" [null data]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! IPConfMSP\DLLName = "C:\WINNT\system32\en06l1ds1.dll" [null data]
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
Guardian Of Data\(Default) = "{4ADFA4B8-84BA-4FA5-A21D-33A8210C21BF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ASCOMP Software\Guardian Of Data\context.dll" [null data]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Guardian Of Data\(Default) = "{4ADFA4B8-84BA-4FA5-A21D-33A8210C21BF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ASCOMP Software\Guardian Of Data\context.dll" [null data]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Al1" & "All Users" startup folders:
-----------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"A6FD366C918AAF40" -> launches: "c:\dokume~1\al1\anwend~1\axispure\linkdefydata.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
mwtsp.dll ["MicroWorld Technologies Inc."], 01 - 23, 49
C:\WINNT\system32\dolsp.dll [file not found], 24, 31
%SystemRoot%\system32\msafd.dll [MS], 25 - 28, 32 - 48
%SystemRoot%\system32\rsvpsp.dll [MS], 29 - 30


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = "EPSON Web-To-Page" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Client Service für NetWare, NWCWorkstation, "C:\WINNT\System32\services.exe" [MS]
COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
eScan Monitor Service, KAVMonitorService, "C:\PROGRA~1\eScan\avpm.exe /service" ["Kaspersky Labs."]
eScan Server-Updater, eScan-trayicos, "C:\PROGRA~1\eScan\TRAYSSER.EXE" ["MWTI2"]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX6600 Series 2KMonitor5E\Driver = "E_FLM9EE.DLL" ["SEIKO EPSON CORPORATION"]
Lexmark InkJet Monitor\Driver = "LEXLELM.DLL" [null data]


Hijackthis

Logfile of HijackThis v1.99.1

[edit]
Please edit your links as shown to you here, among other places:

http://www.trojaner-board.de/showpost.php?p=171957&postcount=1
Thanks
GUA
[/edit]

Haui45 16.10.2005 22:06

Did eScan really find nothing at all, not even in the "Virus Log Information" window?
If so, run a scan following Cidre's instructions later.

Start in Safe Mode.

Delete all temp files with ClearProg.

Start -> Run -> "regedit" -> [Enter] -> navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ and delete, in the right-hand pane, each of the entries listed below (e.g. {0DB8461F-5EFD-415F-A2B5-071BF6D22CD8})
Quote:

"{7C3473A3-40D8-414E-A8E6-7AA2E0E71841}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\sPpula791d.dll" [null data]
"{0DB8461F-5EFD-415F-A2B5-071BF6D22CD8}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mS640ijqe8oe0.dll" [null data]
"{B1C31F5C-5584-470F-B9FC-85128DFDEA2A}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mzr.dll" [null data]
"{D5B2FBE5-8E6D-4CBD-85C3-64B6D422CB33}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\NYDEAPI.DLL" [null data]
"{1667F4DC-A97C-429F-8728-10CA845FD4A7}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\oE840elqehqe0.dll" [null data]
"{F19AFD4B-B325-47B1-BD13-90AC927B8769}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\gg8sl3l71.dll" [null data]
"{7FCCEFE5-85F0-43CB-8DB9-8CAABF887CA5}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\qX680cjuefo80.dll" [null data]
"{DBF3F24F-7D78-4F2E-9371-C9FE9D5E3BFC}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dx0m01d1e.dll" [null data]
"{2A2A25B2-3483-47DF-A654-F50358C58BDA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\qB680cjuefo80.dll" [null data]
"{1E4F5D43-2170-4C70-98C2-DFE03142679E}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\mndxmlc.dll" [null data]
Delete these files, e.g. using Killbox (see the eScan guide):
C:\WINNT\system32\sPpula791d.dll
C:\WINNT\system32\mS640ijqe8oe0.dll
C:\WINNT\system32\mzr.dll
C:\WINNT\system32\NYDEAPI.DLL
C:\WINNT\system32\oE840elqehqe0.dll
C:\WINNT\system32\gg8sl3l71.dll
C:\WINNT\system32\qX680cjuefo80.dll
C:\WINNT\system32\dx0m01d1e.dll
C:\WINNT\system32\qB680cjuefo80.dll
C:\WINNT\system32\mndxmlc.dll
C:\WINNT\system32\en06l1ds1.dll

Fix the randomly named O18 entry in HijackThis and delete the associated file manually.

Start -> All Programs -> Accessories -> System Tools -> Scheduled Tasks -> delete "A6FD366C918AAF40"

Delete the folder c:\dokume~1\al1\anwend~1\axispure

Start -> Run -> "regedit" -> navigate in turn to HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
and
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000031
In each, select "PackedCatalogItem" -> File -> Export and save it. If anything stops working afterwards, you can restore the backup (the *.reg file).
Then delete the "PackedCatalogItem" value in each of them (only under the keys named above!)

Scan with eScan, Spybot Search&Destroy and Ad-Aware.

BTW: It looks as though you did not fix the entries I listed with HijackThis. Do that now!

Reboot.

A scan with ewido wouldn't hurt.

Post a new HjT log, the eScan and ewido results and a new Silent Runners log. Edit all links this time!


P.S.: A reinstall from scratch might be more effective after all.
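The Winsock2 part of the procedure above maps two index numbers from the Silent Runners summary to registry keys by hand. The following Python script is an added example, not a tool from this thread: it parses that summary (the sample is copied from the report posted above), expands the index ranges, reports which catalog indices point at a provider DLL that is no longer on disk, checks the chain for holes, and emits the `reg export` commands for the backup the post says to take before anything is deleted. The key path and the twelve-digit index format are the ones shown in the report; `reg export` is Windows' own command; the backup file names are my choice.

```python
"""Map the Silent Runners Winsock2 transport-provider summary back to catalog keys.

Added example, not a tool from the thread. Backup file names are a choice made here.
"""
import re
from typing import Dict, List, Tuple

CATALOG_KEY = r"HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries"

# Constructed sample: the "Transport Service Providers" lines of the report posted above,
# including the header line the parser has to skip.
SAMPLE_SUMMARY = r"""
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
mwtsp.dll ["MicroWorld Technologies Inc."], 01 - 23, 49
C:\WINNT\system32\dolsp.dll [file not found], 24, 31
%SystemRoot%\system32\msafd.dll [MS], 25 - 28, 32 - 48
%SystemRoot%\system32\rsvpsp.dll [MS], 29 - 30
"""

# <dll> [<status>], <index list>; the status is either a company name or "file not found".
LINE_RE = re.compile(r"^(?P<dll>\S+) \[(?P<status>[^\]]*)\], (?P<ranges>.+)$")


def expand_ranges(spec: str) -> List[int]:
    """'01 - 23, 49' -> [1, 2, ..., 23, 49]."""
    out: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            out.extend(range(lo, hi + 1))
        else:
            out.append(int(part))
    return out


def parse_summary(text: str) -> Dict[int, Tuple[str, str]]:
    """Return {catalog index: (dll, status)} for every index the summary mentions."""
    catalog: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        for idx in expand_ranges(m["ranges"]):
            catalog[idx] = (m["dll"], m["status"])
    return catalog


def missing_provider_indices(catalog: Dict[int, Tuple[str, str]]) -> List[int]:
    """Indices whose provider DLL is gone: each one breaks the LSP chain (the O10 line in HijackThis)."""
    return sorted(i for i, (_, status) in catalog.items() if status.lower() == "file not found")


def catalog_gaps(catalog: Dict[int, Tuple[str, str]]) -> List[int]:
    """Indices absent from 1..max; holes in the chain are themselves a sign of a botched removal."""
    return [i for i in range(1, max(catalog) + 1) if i not in catalog]


def catalog_key(idx: int) -> str:
    """Registry key of one catalog entry, e.g. ...\\Catalog_Entries\\000000000024."""
    return f"{CATALOG_KEY}\\{idx:012d}"


def removal_plan(catalog: Dict[int, Tuple[str, str]]) -> List[str]:
    """Keys whose PackedCatalogItem value the post says to export first and then delete."""
    return [catalog_key(i) for i in missing_provider_indices(catalog)]


def backup_commands(indices: List[int]) -> List[str]:
    """One 'reg export' per affected key, to be run before any value is deleted."""
    return [f'reg export "{catalog_key(i)}" lsp_{i:02d}.reg' for i in indices]


if __name__ == "__main__":
    cat = parse_summary(SAMPLE_SUMMARY)
    missing = missing_provider_indices(cat)
    print("entries parsed:", len(cat), "| gaps:", catalog_gaps(cat))
    for idx in missing:
        print(f"index {idx:02d}: {cat[idx][0]} -> {catalog_key(idx)}")
    for cmd in backup_commands(missing):
        print(cmd)
```

For the posted report this yields a complete chain of 49 entries with no gaps, and exactly indices 24 and 31 pointing at the absent dolsp.dll, which is how the two keys named in the post are derived.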


Copyright ©2000-2025, Trojaner-Board

