Trojaner-Board - PC mit Winfixer inffiziert

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - PC mit Winfixer inffiziert (https://www.trojaner-board.de/24626-pc-winfixer-inffiziert.html)

PC mit Winfixer inffiziert

also, hier mein Log-File:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:19, on 17.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\winfast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~2\bdmcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\SetUp Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\cbxyv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\rqrrs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: GameKnot Chess - {61B5B39F-0750-4637-9D70-A63A79978B5D} - C:\WINDOWS\gameknot_toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\programme\softwin\bitdefender free edition\bdnagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [_WinProc] C:\WINDOWS\winfast.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: In &neuem Fenster öffnen - C:\Dokumente und Einstellungen\***\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - h**p://download.ebay.com/turbo_lister/DE/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - h**p://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - h**p://software-dl.real.com/27ab26bcabf1c8158e16/netzip/RdxIE601_de.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://www.bitdefender.de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095873084960
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - h**p://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - h**p://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - h**p://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cbxyv - cbxyv.dll (file missing)
O20 - Winlogon Notify: rqrrs - C:\WINDOWS\system32\rqrrs.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Kann hier noch geholfen werden? :dummguck:

Hi,
bitte erst mal vorgehen, wie hier beschrieben.
Dann bitte wieder melden.
cacatoa

Hallo,
also ich bin mir nicht ganz sicher ob ich etwas übersehe, aber wo ist da der Hinweis auf Spyaxe? Vundo.B und weiteres ja.

Grüße Wildone

@ cactoa

so da, fertig

und jetz? wie gehts weiter?

@ wildone:
O20 - Winlogon Notify: rqrrs - C:\WINDOWS\system32\rqrrs.dll (muß nicht von spyaxe sein; aber wenn er gemäß dem Link verfährt, hat er automatisch auch probleme von spysheriff im Griff)

@Thròr:
Wenn du das alles so schnell geschafft hast, dann neues Logfile posten.
cacatoa

Hallo,
naja Schaden kann es ja nicht, aber ich bin mir sehr sicher das der (die) O20 Einträge von Vundo.B kommen, siehe auch z.B. hier.

Grüße Wildone

tja, ich habs eilig denn sch*** los zu werden! ;)

also, hier der neue Log-File

Logfile of HijackThis v1.99.1
Scan saved at 22:52:50, on 17.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\SetUp Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\cbxyv.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ATLDistrib Object - {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} - C:\WINDOWS\system32\rqrrs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: GameKnot Chess - {61B5B39F-0750-4637-9D70-A63A79978B5D} - C:\WINDOWS\gameknot_toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\programme\softwin\bitdefender free edition\bdnagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: In &neuem Fenster öffnen - C:\Dokumente und Einstellungen\***\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - h**p://download.ebay.com/turbo_lister/DE/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - h**p://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - h**p://software-dl.real.com/27ab26bcabf1c8158e16/netzip/RdxIE601_de.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://www.bitdefender.de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095873084960
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - h**p://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - h**p://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - h**p://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cbxyv - cbxyv.dll (file missing)
O20 - Winlogon Notify: rqrrs - C:\WINDOWS\system32\rqrrs.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Jo, wildone hat recht; ich hab einen Eintrag übersehen.
So gehst du als nächstes vor.
cacatoa

meint Ihr ich kann die zu löschenden Einträge selber rausfiltern?

Glaub ich nicht. Geh so vor, wie im Link bechrieben. Druck´s dir auf jeden Fall aus!
cacatoa

So, hab hier mal den Log-File vom VitumundoBeGone, scheint nix zu finden, was nun?

[12/17/2005, 23:38:22] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\***\Desktop\VirtumundoBeGone.exe" )
[12/17/2005, 23:38:32] - Detected System Information:
[12/17/2005, 23:38:32] - Windows Version: 5.1.2600, Service Pack 2
[12/17/2005, 23:38:32] - Current Username: *** (Admin)
[12/17/2005, 23:38:32] - Windows is in SAFE mode with Networking.
[12/17/2005, 23:38:32] - Searching for Browser Helper Objects:
[12/17/2005, 23:38:32] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} ()
[12/17/2005, 23:38:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/17/2005, 23:38:32] - Checking for HKLM\...\Winlogon\Notify\cbxyv
[12/17/2005, 23:38:32] - Found: HKLM\...\Winlogon\Notify\cbxyv - This is probably Virtumundo.
[12/17/2005, 23:38:32] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[12/17/2005, 23:38:32] - BHO list has been changed! Starting over...
[12/17/2005, 23:38:32] - BHO 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} (MSEvents Object)
[12/17/2005, 23:38:32] - ALERT: Found MSEvents Object!
[12/17/2005, 23:38:32] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/17/2005, 23:38:32] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/17/2005, 23:38:32] - BHO 4: {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE} (ATLDistrib Object)
[12/17/2005, 23:38:32] - ALERT: Found ATLDistrib Object!
[12/17/2005, 23:38:32] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/17/2005, 23:38:32] - BHO 6: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/17/2005, 23:38:32] - Finished Searching Browser Helper Objects
[12/17/2005, 23:38:32] - *** Detected ATLDistrib Object
[12/17/2005, 23:38:32] - *** Detected MSEvents Object
[12/17/2005, 23:38:32] - Trying to remove ATLDistrib Object...
[12/17/2005, 23:38:33] - Terminating Process: IEXPLORE.EXE
[12/17/2005, 23:38:33] - Terminating Process: RUNDLL32.EXE
[12/17/2005, 23:38:33] - Disabling Automatic Shell Restart
[12/17/2005, 23:38:33] - Terminating Process: EXPLORER.EXE
[12/17/2005, 23:38:33] - Suspending the NT Session Manager System Service
[12/17/2005, 23:38:34] - Terminating Windows NT Logon/Logoff Manager
[12/17/2005, 23:38:34] - Re-enabling Automatic Shell Restart
[12/17/2005, 23:38:34] - File to disable: C:\WINDOWS\system32\rqrrs.dll
[12/17/2005, 23:38:34] - Renaming C:\WINDOWS\system32\rqrrs.dll -> C:\WINDOWS\system32\rqrrs.dll.vir
[12/17/2005, 23:38:34] - File successfully renamed!
[12/17/2005, 23:38:34] - Removing HKLM\...\Browser Helper Objects\{7A1A109F-58B3-414B-9829-5F4D9BE5FEDE}
[12/17/2005, 23:38:34] - Removing HKCR\CLSID\{7A1A109F-58B3-414B-9829-5F4D9BE5FEDE}
[12/17/2005, 23:38:34] - Adding Kill Bit for ActiveX for GUID: {7A1A109F-58B3-414B-9829-5F4D9BE5FEDE}
[12/17/2005, 23:38:34] - Deleting ATLEvents/MSEvents Registry entries
[12/17/2005, 23:38:34] - Removing HKLM\...\Winlogon\Notify\rqrrs
[12/17/2005, 23:38:34] - Trying to remove MSEvents Object...
[12/17/2005, 23:38:35] - Terminating Process: IEXPLORE.EXE
[12/17/2005, 23:38:35] - Terminating Process: RUNDLL32.EXE
[12/17/2005, 23:38:35] - Disabling Automatic Shell Restart
[12/17/2005, 23:38:35] - Terminating Process: EXPLORER.EXE
[12/17/2005, 23:38:35] - Suspending the NT Session Manager System Service
[12/17/2005, 23:38:35] - Terminating Windows NT Logon/Logoff Manager
[12/17/2005, 23:38:35] - Re-enabling Automatic Shell Restart
[12/17/2005, 23:38:35] - File to disable: C:\WINDOWS\system32\cbxyv.dll
[12/17/2005, 23:38:35] - Removing HKLM\...\Browser Helper Objects\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/17/2005, 23:38:35] - Removing HKCR\CLSID\{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/17/2005, 23:38:35] - Adding Kill Bit for ActiveX for GUID: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[12/17/2005, 23:38:35] - Deleting ATLEvents/MSEvents Registry entries
[12/17/2005, 23:38:35] - Removing HKLM\...\Winlogon\Notify\cbxyv
[12/17/2005, 23:38:35] - Searching for Browser Helper Objects:
[12/17/2005, 23:38:35] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/17/2005, 23:38:35] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/17/2005, 23:38:35] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/17/2005, 23:38:35] - BHO 4: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/17/2005, 23:38:35] - Finished Searching Browser Helper Objects
[12/17/2005, 23:38:35] - Finishing up...
[12/17/2005, 23:38:35] - A restart is needed.
[12/17/2005, 23:38:59] - Attempting to Restart via STOP error (Blue Screen!)

[12/18/2005, 0:12:13] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\***\Desktop\VirtumundoBeGone.exe" )
[12/18/2005, 0:12:20] - Detected System Information:
[12/18/2005, 0:12:20] - Windows Version: 5.1.2600, Service Pack 2
[12/18/2005, 0:12:20] - Current Username: *** (Admin)
[12/18/2005, 0:12:20] - Windows is in SAFE mode with Networking.
[12/18/2005, 0:12:20] - Searching for Browser Helper Objects:
[12/18/2005, 0:12:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/18/2005, 0:12:20] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/18/2005, 0:12:20] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/18/2005, 0:12:20] - BHO 4: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/18/2005, 0:12:20] - Finished Searching Browser Helper Objects
[12/18/2005, 0:12:20] - Finishing up...
[12/18/2005, 0:12:20] - Nothing found! Exiting...

[12/18/2005, 0:13:02] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\***\Desktop\VirtumundoBeGone.exe" )
[12/18/2005, 0:13:03] - Detected System Information:
[12/18/2005, 0:13:03] - Windows Version: 5.1.2600, Service Pack 2
[12/18/2005, 0:13:03] - Current Username: *** (Admin)
[12/18/2005, 0:13:03] - Windows is in SAFE mode with Networking.
[12/18/2005, 0:13:03] - Searching for Browser Helper Objects:
[12/18/2005, 0:13:03] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[12/18/2005, 0:13:03] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[12/18/2005, 0:13:03] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/18/2005, 0:13:03] - BHO 4: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[12/18/2005, 0:13:03] - Finished Searching Browser Helper Objects
[12/18/2005, 0:13:04] - Finishing up...
[12/18/2005, 0:13:04] - Nothing found! Exiting...

Hallo,

Zitat:

So, hab hier mal den Log-File vom VitumundoBeGone, scheint nix zu finden, was nun?

Wie kommst du darauf, sieht eher so aus als ob alles entfernt worden wäre, kommen die Popups noch? Poste mal wieder ein neues HijackThis log.

Grüße Wildone

nein, momentan gibts keine Pop-Up`s

hier mal der HJT-Log:

Logfile of HijackThis v1.99.1
Scan saved at 00:30:04, on 18.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\SetUp Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.google.com/ie?hl={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = h**p://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www.google.com/ie?hl={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = h**p://www.google.com/preferences?hl={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: GameKnot Chess - {61B5B39F-0750-4637-9D70-A63A79978B5D} - C:\WINDOWS\gameknot_toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] c:\programme\softwin\bitdefender free edition\bdnagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: In &neuem Fenster öffnen - C:\Dokumente und Einstellungen\***\Anwendungsdaten\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - h**p://download.ebay.com/turbo_lister/DE/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - h**p://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - h**p://software-dl.real.com/27ab26bcabf1c8158e16/netzip/RdxIE601_de.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://www.bitdefender.de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095873084960
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - h**p://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - h**p://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - h**p://messenger.zone.msn.com/binary/Chess.cab31267.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

und? sauber?

Hallo,
ja sieht jetzt sauber aus. Schau mal das du noch deinen IE sicherer konfigurierst oder einen alternativen Browser verwendest (Firefox, Mozilla, Opera), außerdem solltest du dir mal das Konzept des surfens unter eingeschränkten Rechten anschauen, näheres hier.

Grüße Wildone

juppiiee :huepp:

danke nochmals!

was es IE angeht, hab schon auf Mozilla Firefox gewechselt, ist doch sicherer?!