Trojaner-Board


vubler 18.02.2006 19:08

Home search Assistent and more

Hello everyone,

in the Control Panel under Software I find, among other things, 'Home search Assistent', 'search extender' and 'shopping wizzard'.

Unfortunately I cannot delete these programs, and I also don't know whether they do much damage. Can you help me here?
Thank you.

Attached is the log file:


Logfile of HijackThis v1.99.1
Scan saved at 19:24:08, on 18.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Programme\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\eMule\eMule.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/activex/IPSUploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\crsc32.exe

cacatoa 18.02.2006 19:24

Hi,
this file:
C:\WINDOWS\crsc32.exe
please scan it online at Jotti and post the result.
You also have to get rid of the "trusted zones" O15 entries. Here, namely in post no. 31, you will find instructions for that.
Then post a new log file and report whether your problems are still there.
cacatoa

vubler 19.02.2006 19:25

Hello,
thanks for the reply. Unfortunately the file cannot be scanned. Although I temporarily disabled the firewall, the following message appeared:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I followed the instructions; here is the new log file:
(unfortunately still with the trusted-zone entries)



Logfile of HijackThis v1.99.1
Scan saved at 19:54:54, on 19.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Programme\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\volker\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/activex/IPSUploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\crsc32.exe

cacatoa 19.02.2006 19:29

Check whether the process is running; if it is, end it and then have the file scanned at Jotti.
Why are the trusted zones still there?
cacatoa

vubler 19.02.2006 20:41

Hello,
in Task Manager under Processes only csrss.exe is running.
I cannot find the exe you mentioned.

I don't know why the trusted zones are still there. I saved DelDomains.inf to the desktop as described and right-clicked on RUN.

vubler 19.02.2006 20:43

...I mean... I clicked INSTALL.
But nothing "visible" happened.
Or is there another step after that?

cacatoa 20.02.2006 09:29

Please try it again exactly as Lutz described it. Why should it not work for you of all people?
cacatoa

vubler 20.02.2006 19:32

Hello, I did it once more, really exactly as described! From SAVE AS/ALL files/Boot.... The only thing where I could imagine something being wrong:

When saving, the preset encoding is: ANSI.

I didn't change that, since the description said nothing about it.

The result is this:

Logfile of HijackThis v1.99.1
Scan saved at 19:58:09, on 20.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LckFldService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Programme\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\volker\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/activex/IPSUploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\crsc32.exe

cacatoa 20.02.2006 19:42

Hi, fix the entries with HJT. Check the entries in the trusted sites under "Start > Settings > Control Panel > Internet Options". Remove everything that doesn't belong there and adjust the security level.
cacatoa

vubler 21.02.2006 19:49

Hello,

so, for example, tick all O15 trusted zones and click 'fix checked' in HijackThis??

There is not much in the trusted sites so far (1 entry)

What about 'C:\WINDOWS\crsc32.exe' actually?
Doesn't it belong there?

Regards, vubler

cacatoa 22.02.2006 09:08

Yes, fix the entries.
Also run an eScan exactly according to the instructions described and post the result.
Reason: I don't like the crsc32.exe and I want to know more about it.
cacatoa

vubler 25.02.2006 18:40

Hi,

I ran eScan in safe mode.
But the mwav.log is now several metres long,
since e.g. every scan is listed individually and my entire holiday photo archive is listed.
So how do I post it?


My HijackThis log is as follows.
Why has it become longer now?

Logfile of HijackThis v1.99.1
Scan saved at 19:10:27, on 25.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\volker\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Programme\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [uunumhjmac] C:\WINDOWS\System32\ugvynyea.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\volker\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\Run: [atlvv.exe] C:\WINDOWS\system32\atlvv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Uxrvenpr] C:\WINDOWS\System32\hdd.exe
O4 - HKCU\..\Run: [Rsed] C:\Dokumente und Einstellungen\volker\Anwendungsdaten\oueo.exe
O4 - Startup: Hardcopy.LNK = C:\Programme\Hardcopy\hardcopy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/activex/IPSUploader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\crsc32.exe

vubler 06.03.2006 19:11

Hello:
Here is the virus log information:

It would be nice if someone could look over it.
Is there anything very dangerous in there?

Strangely, I see things in there from programs that are long gone, or tools are named that are actually there to fight malware....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu Mar 02 18:26:33 2006 => System found infected with funweb Spyware/Adware ({147a976f-eee1-4377-8ea7-4716e4cdd239})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with media tickets Spyware/Adware ({39da2444-065f-47cb-b27c-ccb1a39c06b7})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with cws.homesearch Browser Hijacker ({676575dd-4d46-911d-8037-9b10d6ee8bb5})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with clickspring Spyware/Adware ({9eb320ce-be1d-4304-a081-4b4665414bef})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with troj/taladra-f BackDoor ({e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with istbar Spyware/Adware ({10e42047-deb9-4535-a118-b3f6ec39b807})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with mywebsearch Spyware/Adware ({07b18ea0-a523-4961-b6bb-170de4475cca})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargain buddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516c2e3})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516e2a3})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with mywebsearch Spyware/Adware ({8e6f1830-9607-4440-8530-13be7c4b1d14})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with mywebsearch Spyware/Adware ({e47caee0-deea-464a-9326-3f2801535a4d})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with mywebsearch Spyware/Adware ({07b18eaa-a523-4961-b6bb-170de4475cca})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e1357})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e2468})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargain buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e5678})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({9388907f-82f5-434d-a941-bb802c6dd7c1})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with dyfuca Spyware/Adware ({aa4939c3-deca-4a48-a454-97cd587c0ef5})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed11357})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargainbuddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed12468})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with bargain buddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed15678})! Action taken: No Action Taken.
Thu Mar 02 18:26:34 2006 => System found infected with dyfuca Spyware/Adware ({eee4a2e5-9f56-432f-a6ed-f6f625b551e0})! Action taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => System found infected with abetterinternet Spyware/Adware (alchem.ini)! Action taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => System found infected with ezula Spyware/Adware (conscorr.ini)! Action taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => System found infected with mx-targeting Spyware/Adware (preinsmt.exe)! Action taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => System found infected with abetterinternet Spyware/Adware (susp.ini)! Action taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => System found infected with smitfraud variant Browser Hijacker (warnhp.html)! Action taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => System found infected with clickspring Spyware/Adware (mediaticketsinstaller.ocx)! Action taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => System found infected with windupdate Spyware/Adware (ide21201.vxd)! Action taken: No Action Taken.
Thu Mar 02 18:26:44 2006 => System found infected with ezula Spyware/Adware (movie.url)! Action taken: No Action Taken.
Thu Mar 02 18:26:48 2006 => System found infected with altnetbde Spyware/Adware (adm.exe)! Action taken: No Action Taken.
Thu Mar 02 18:26:48 2006 => System found infected with altnetbde Spyware/Adware (altnet signing module.exe)! Action taken: No Action Taken.
Thu Mar 02 18:26:48 2006 => System found infected with altnetbde Spyware/Adware (adm.exe)! Action taken: No Action Taken.
Thu Mar 02 18:26:48 2006 => System found infected with altnetbde Spyware/Adware (altnet signing module.exe)! Action taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "stoppop Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "hsa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "coolwebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "sw Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "toprebates Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "180searchassistant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "msbb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "mwsoemon Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "bargainbuddy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "p2p networking Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "perfectnav Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "powerscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "msbb Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Object "topsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Object "mwsoemon Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Object "perfectnav Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Object "toprebates Spyware/Adware" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files

~~~~~~~~~~~
Thu Mar 02 18:26:54 2006 => File C:\\ClearProg_1.4.1_Beta9\ClearProg.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:26:57 2006 => File C:\mwav.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:49:08 2006 => File C:\SpHjfix.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:52:27 2006 => File C:\Dokumente und Einstellungen\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\jara.jar-13e538ef-75b73414.zip infected by "Trojan.Java.Femad" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:48 2006 => File C:\neuer Ordner\IsoBuster.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:56 2006 => File C:\Program Files\TextBridge Classic\Bin\ICRSRV32.EXE infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:56 2006 => File C:\Program Files\TextBridge Classic\Bin\IMAGEWIN.EXE infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:56 2006 => File C:\Program Files\TextBridge Classic\Bin\PagisUser.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:59 2006 => File C:\Program Files\TextBridge Classic\Bin\TBMenu.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:56:01 2006 => File C:\Program Files\TextBridge Classic\Bin\XSETSCAN.EXE infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:56:07 2006 => File C:\Program Files\Winad Client\WinClt.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 19:39:04 2006 => File C:\WINDOWS\system32\oleext32(2).dll infected by "Virus.Win32.Nsag.b" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\alchem.ini
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\conscorr.ini
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\preinsmt.exe
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\smdat32a.sys
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\susp.ini
Thu Mar 02 18:26:38 2006 => Offending file found: C:\WINDOWS\warnhp.html
Thu Mar 02 18:26:38 2006 => Offending file found: C:\WINDOWS\DOWNLO~1\mediaticketsinstaller.ocx
Thu Mar 02 18:26:38 2006 => Offending file found: C:\WINDOWS\system32\ide21201.vxd
Thu Mar 02 18:26:44 2006 => Offending file found: C:\Dokumente und Einstellungen\volker\Favoriten\2-homepages\movie.url
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Thu Mar 02 19:06:52 2006 => Scanning File C:\Programme\Kodak\Kodak EasyShare software\bin\Tagged.chm
Thu Mar 02 19:12:00 2006 => File C:\Programme\MyWay\myBar\1.bin\MY2NS.EXE tagged as "not-a-virus:AdWare.Win32.MyWay.b". Action Taken: No Action Taken.
Thu Mar 02 19:12:00 2006 => File C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL tagged as "not-a-virus:AdWare.Win32.MyWay.g". Action Taken: No Action Taken.
Thu Mar 02 19:12:01 2006 => File C:\Programme\MyWebSearch\bar\1.bin\MWSBAR.DLL tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Thu Mar 02 19:12:01 2006 => File C:\Programme\MyWebSearch\bar\1.bin\MWSOEMON.EXE tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Thu Mar 02 19:12:01 2006 => File C:\Programme\MyWebSearch\bar\1.bin\MWSOEPLG.DLL tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Thu Mar 02 19:12:01 2006 => File C:\Programme\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL tagged as "not-a-virus:AdWare.Win32.MyWebSearch". Action Taken: No Action Taken.
Thu Mar 02 19:13:17 2006 => File C:\Programme\Web_Rebates\disp1150.exe tagged as "not-a-virus:AdWare.Win32.WebRebates.c". Action Taken: No Action Taken.
Thu Mar 02 19:22:02 2006 => File C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx tagged as "not-a-virus:AdWare.Win32.MediaTickets.d". Action Taken: No Action Taken.
Thu Mar 02 19:29:29 2006 => File C:\WINDOWS\preInMPP.exe tagged as "not-a-virus:AdWare.Win32.BiSpy.q". Action Taken: No Action Taken.
Thu Mar 02 19:29:29 2006 => File C:\WINDOWS\preInsMt.exe tagged as "not-a-virus:AdWare.Win32.BiSpy.q". Action Taken: No Action Taken.
Thu Mar 02 19:41:36 2006 => File C:\WINDOWS\Temp\Altnet\adm.exe tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:36 2006 => File C:\WINDOWS\Temp\Altnet\adm25.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:36 2006 => File C:\WINDOWS\Temp\Altnet\adm4.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:36 2006 => File C:\WINDOWS\Temp\Altnet\admdata.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:37 2006 => File C:\WINDOWS\Temp\Altnet\admdloader.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:37 2006 => File C:\WINDOWS\Temp\Altnet\admfdi.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:37 2006 => File C:\WINDOWS\Temp\Altnet\admprog.dll tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:37 2006 => File C:\WINDOWS\Temp\Altnet\dmfiles.cab tagged as "not-a-virus:AdWare.Win32.Altnet.b". Action Taken: No Action Taken.
Thu Mar 02 19:41:37 2006 => File C:\WINDOWS\Temp\Altnet\mysearch.cab tagged as "not-a-virus:AdWare.Win32.MyWay.g". Action Taken: No Action Taken.
Thu Mar 02 19:41:38 2006 => File C:\WINDOWS\Temp\Altnet\pmexe.cab tagged as "not-a-virus:AdWare.Win32.Altnet.h". Action Taken: No Action Taken.
Thu Mar 02 19:41:38 2006 => File C:\WINDOWS\Temp\Altnet\pmfiles.cab tagged as "not-a-virus:AdWare.Win32.BrilliantDigital.1007". Action Taken: No Action Taken.
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Thu Mar 02 18:26:38 2006 => Offending Folder found: C:\Programme\myway
Thu Mar 02 18:26:38 2006 => Offending Folder found: C:\Programme\mywebsearch
Thu Mar 02 18:26:38 2006 => Offending Folder found: C:\Programme\perfectnav
Thu Mar 02 18:26:38 2006 => Offending Folder found: C:\Programme\web_rebates
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\dhost !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\hsa !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\se !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\sw !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\Microsoft\Windows\CurrentVersion\uninstall\untopr1150 !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\180solutions !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\msbb !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\myway !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\mywebsearch !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\navisearch !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\p2p networking !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\perfectnav !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\powerscan !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKCU\Software\msbb !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\policies\avenue media !!!
Thu Mar 02 18:26:36 2006 => Offending Key found: HKCU\Software\policies\avenue media !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu Mar 02 20:36:45 2006 => Total Errors: 64
Thu Mar 02 20:36:45 2006 => Time Elapsed: 02:10:41
Thu Mar 02 20:36:45 2006 => Total Objects Scanned: 73836
Thu Mar 02 18:25:09 2006 => Virus Database Date: 3/1/2006
Thu Mar 02 20:36:45 2006 => Virus Database Date: 3/1/2006
Thu Mar 02 20:49:10 2006 => Virus Database Date: 3/1/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cacatoa 07.03.2006 09:05

Hi,
I already thought something was wrong there.
Tenga.a is a file infector, i.e. a virus (not a trojan).
It will try - and has partly already succeeded - to infect all .exe files.
You can only escape this epidemic by reinstalling your system.
Sorry,
cacatoa
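As an added example (not from the thread, not part of eScan), a small Python triage helper for mwav.log lines in the format posted above: it drops the "Scanning File" progress lines that make the log metres long, counts detections by kind and name, and separates a real file infector such as Virus.Win32.Tenga.a from "not-a-virus:" adware tags, which is the distinction cacatoa's verdict rests on. The log embedded in it is a constructed sample in the same line format, with shortened paths and made-up GUIDs.

```python
"""Triage helper for eScan (mwav.log) output in the line format posted in this thread."""
import re
from collections import Counter

# Constructed sample in the same format as the posted log (not the original log;
# paths shortened, GUID made up). Raw string so the backslashes survive.
SAMPLE_LOG = r"""Thu Mar 02 18:26:33 2006 => System found infected with funweb Spyware/Adware ({147a976f-0000-0000-0000-000000000000})! Action taken: No Action Taken.
Thu Mar 02 18:26:36 2006 => Object "coolwebsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Mar 02 18:26:37 2006 => Offending file found: C:\WINDOWS\alchem.ini
Thu Mar 02 18:26:54 2006 => File C:\tools\ClearProg.exe infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 18:55:56 2006 => File C:\Program Files\TextBridge\IMAGEWIN.EXE infected by "Virus.Win32.Tenga.a" Virus! Action Taken: No Action Taken.
Thu Mar 02 19:06:52 2006 => Scanning File C:\Programme\Kodak\bin\Tagged.chm
Thu Mar 02 19:12:00 2006 => File C:\Programme\MyWay\myBar\1.bin\MY2NS.EXE tagged as "not-a-virus:AdWare.Win32.MyWay.b". Action Taken: No Action Taken.
Thu Mar 02 18:26:38 2006 => Offending Folder found: C:\Programme\mywebsearch
Thu Mar 02 18:26:36 2006 => Offending Key found: HKLM\Software\myway !!!
Thu Mar 02 20:36:45 2006 => Total Objects Scanned: 73836
"""

# Every log line starts with a timestamp and "=>"; the rest is the message.
TIMESTAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} => (?P<msg>.*)$")

# Detection message shapes seen in the posted log, keyed by the kind we report.
PATTERNS = [
    ("infected_file", re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!')),
    ("tagged_file", re.compile(r'^File (?P<path>.+?) tagged as "(?P<name>[^"]+)"\.')),
    ("system", re.compile(r"^System found infected with (?P<name>.+?) \((?P<path>[^)]*)\)!")),
    ("object", re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')),
    ("offending_file", re.compile(r"^Offending file found: (?P<path>.+)$")),
    ("offending_folder", re.compile(r"^Offending Folder found: (?P<path>.+)$")),
    ("offending_key", re.compile(r"^Offending Key found: (?P<path>.+?) !!!$")),
]


def parse_line(line):
    """Return {'kind', 'name', 'path'} for a detection line, None for noise
    such as 'Scanning File ...' progress lines or the statistics footer."""
    m = TIMESTAMP.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in PATTERNS:
        hit = rx.match(msg)
        if hit:
            groups = hit.groupdict()
            return {"kind": kind, "name": groups.get("name", ""), "path": groups.get("path", "")}
    return None


def filter_for_posting(text):
    """Keep only the detection lines, so a log listing every scanned file becomes postable."""
    return [ln for ln in text.splitlines() if parse_line(ln) is not None]


def summarize(text):
    """Count detections by kind and by name and split file infectors from adware tags."""
    hits = [h for h in (parse_line(ln) for ln in text.splitlines()) if h]
    return {
        "hits": hits,
        "by_kind": Counter(h["kind"] for h in hits),
        "by_name": Counter(h["name"] for h in hits if h["name"]),
        # eScan names genuine viruses "Virus.*"; adware and toolbars come back as "not-a-virus:*".
        "file_infectors": sorted({h["name"] for h in hits if h["name"].startswith("Virus.")}),
        "infected_paths": [h["path"] for h in hits if h["kind"] == "infected_file"],
        "adware_tags": sorted({h["name"] for h in hits if h["name"].startswith("not-a-virus:")}),
    }


def triage(summary):
    """Same reasoning as the reply above: a file infector changes the response from
    'remove the listed adware' to 'back up data and rebuild from clean media'."""
    if summary["file_infectors"]:
        return "file infector present (%s) in %d file(s): back up user data, then rebuild the system from clean media" % (
            ", ".join(summary["file_infectors"]), len(summary["infected_paths"]))
    if summary["hits"]:
        return "adware/hijacker items only: remove the listed files, folders and keys, then re-scan"
    return "no detections"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ln in filter_for_posting(SAMPLE_LOG):
        print(ln)
    print(dict(s["by_kind"]))
    print(triage(s))
```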

vubler 09.03.2006 19:01

First of all, thanks for the help!

How I managed to catch something like this despite a firewall and antivirus software.....

I have meanwhile backed up all important files.
What else can the virus do?
Is there now any urgency with the reinstall?

