Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Zwunzi 1.0 build 133 (https://www.trojaner-board.de/80685-zwunzi-1-0-build-133-a.html)

netzkiller 23.12.2009 15:38
Zwunzi 1.0 build 133
 
Hallo Leute!

Ich habe gestern beim Durchsuchen meines Rechners einen Ordner namens "Zwunzi" gefunden. Da ich das Programm weder installiert habe noch kenne, bin ich misstrauisch geworden und hab mich ein wenig schlau gegooglet. Schnell war mir klar ich hab mir da einen Virus/Trojaner vermutlich mit dem "FreeYoutubeToMp3Converter" (von vertauenswürdiger Quelle!!!) installiert.
Ich habe bereits "Kaspersky 7.0" und "Spybot S&D" einen Komplettscan machen lassen, jedoch das Programm "Zwunzi" wurde nicht entfernt/erkannt.
Anschließend habe ich Zwunzi manuell in Quarantäne via KAS verschieben wollen, jedoch konnte ich die "Zwunzi.exe" und die "Zwunzi.dll" nicht löschen.
(Das Programm ist auch unter Systemsteuerung>Software und Firefox>Extras>AddOns zu finden.)

Nun bin ich etwas überfragt, wie ich die Dateien löschen soll, möglichst ohne Format C. :confused:
Meine nächsten Ideen waren jez es mal mit HiJack zu probieren und ansonsten einfach im abgesicherten Modus löschen, wenn das etwas bringt.

Wenn jmd weiß, was "Zwunzi" macht oder noch besser wie ich ihn ohne format :C loswerde wär ich sehr dankbar!

Lg Kevin :daumenhoc

http://i49.tinypic.com/v6t538.jpg

Virustotal:
Code:
Datei zwunzi.exe empfangen 2009.12.23 14:42:03 (UTC)

Ergebnis: 1/41 (2.44%)
       
Antivirus        Version        letzte aktualisierung        Ergebnis
a-squared        4.5.0.43        2009.12.23        -
AhnLab-V3        5.0.0.2        2009.12.23        -
AntiVir        7.9.1.122        2009.12.23        -
Antiy-AVL        2.0.3.7        2009.12.23        -
Authentium        5.2.0.5        2009.12.23        -
Avast        4.8.1351.0        2009.12.23        -
AVG        8.5.0.430        2009.12.23        -
BitDefender        7.2        2009.12.23        -
CAT-QuickHeal        10.00        2009.12.23        -
ClamAV        0.94.1        2009.12.23        -
Comodo        3341        2009.12.23        -
DrWeb        5.0.1.12222        2009.12.23        -
eSafe        7.0.17.0        2009.12.23        -
eTrust-Vet        35.1.7193        2009.12.23        -
F-Prot        4.5.1.85        2009.12.22        -
F-Secure        9.0.15370.0        2009.12.23        -
Fortinet        4.0.14.0        2009.12.22        -
GData        19        2009.12.23        -
Ikarus        T3.1.1.79.0        2009.12.23        -
Jiangmin        13.0.900        2009.12.23        -
K7AntiVirus        7.10.926        2009.12.22        -
Kaspersky        7.0.0.125        2009.12.23        -
McAfee        5840        2009.12.22        -
McAfee+Artemis        5840        2009.12.22        -
McAfee-GW-Edition        6.8.5        2009.12.23        -
Microsoft        1.5302        2009.12.23        -
NOD32        4711        2009.12.23        -
Norman        6.04.03        2009.12.23        -
nProtect        2009.1.8.0        2009.12.23        -
Panda        10.0.2.2        2009.12.15        -
PCTools        7.0.3.5        2009.12.23        -
Prevx        3.0        2009.12.23        Medium Risk Malware
Rising        22.27.02.02        2009.12.23        -
Sophos        4.49.0        2009.12.23        -
Sunbelt        3.2.1858.2        2009.12.23        -
Symantec        1.4.4.12        2009.12.23        -
TheHacker        6.5.0.3.108        2009.12.23        -
TrendMicro        9.120.0.1004        2009.12.23        -
VBA32        3.12.12.0        2009.12.23        -
ViRobot        2009.12.23.2105        2009.12.23        -
VirusBuster        5.0.21.0        2009.12.23        -
weitere Informationen
File size: 58176 bytes
MD5...: 397859a38a99ebeac3558f5c1edaa6fb
SHA1..: f0e0a1bcd97136271ffcdbe48a47bcaa74788df6
SHA256: e84ad18c82ac5e3935707de57904c06ae145b6e27948ef2441ed538698be7010
ssdeep: 768:guYVYni3ygWFc5JLzr6uBMb061+Zez4MkOcDmlODehl+g:guYGiVWFc5xzvM
b0+6ez45DehX
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47d3
timedatestamp.....: 0x4b2ff340 (Mon Dec 21 22:14:24 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7869 0x8000 6.32 c6ac5581479b37e8800ab057fa9faae1
.rdata 0x9000 0x19bc 0x2000 4.20 4af36201e3ec7bd14a10a83fdd58b6e5
.data 0xb000 0x958 0x1000 1.04 3aed8e42390bcf9d3f2a51876c4d7e55
.rsrc 0xc000 0x10 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110

( 1 imports )
> KERNEL32.dll: lstrcpyA, lstrlenA, UnmapViewOfFile, FlushViewOfFile, MapViewOfFile, CloseHandle, CreateFileMappingA, GetFileSize, CreateFileA, GetProcAddress, LoadLibraryExA, lstrcmpA, RtlUnwind, RaiseException, GetSystemTimeAsFileTime, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersionExA, HeapAlloc, HeapFree, SetUnhandledExceptionFilter, ExitProcess, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, HeapSize, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, GetACP, GetOEMCP, GetCPInfo, LoadLibraryA, InterlockedExchange, VirtualQuery, GetLocaleInfoA, VirtualProtect, GetSystemInfo, LCMapStringA, LCMapStringW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=A747967F40EB0295E37600A2A103EE0060153A47' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=A747967F40EB0295E37600A2A103EE0060153A47</a>
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: Zwunzi.com
UTN-USERFirst-Object
signing date.: 11:14 PM 12/21/2009
verified.....: -
Code:
Datei zwunzi133.exe empfangen 2009.12.23 14:42:55 (UTC)

Ergebnis: 1/40 (2.5%)
       
Antivirus        Version        letzte aktualisierung        Ergebnis
a-squared        4.5.0.43        2009.12.23        -
AhnLab-V3        5.0.0.2        2009.12.23        -
AntiVir        7.9.1.122        2009.12.23        -
Antiy-AVL        2.0.3.7        2009.12.23        -
Authentium        5.2.0.5        2009.12.23        -
Avast        4.8.1351.0        2009.12.23        -
AVG        8.5.0.430        2009.12.23        -
BitDefender        7.2        2009.12.23        -
CAT-QuickHeal        10.00        2009.12.23        -
ClamAV        0.94.1        2009.12.23        -
Comodo        3341        2009.12.23        -
DrWeb        5.0.1.12222        2009.12.23        -
eSafe        7.0.17.0        2009.12.23        -
eTrust-Vet        35.1.7193        2009.12.23        -
F-Prot        4.5.1.85        2009.12.22        -
F-Secure        9.0.15370.0        2009.12.23        -
Fortinet        4.0.14.0        2009.12.22        -
GData        19        2009.12.23        -
Ikarus        T3.1.1.79.0        2009.12.23        -
K7AntiVirus        7.10.926        2009.12.22        -
Kaspersky        7.0.0.125        2009.12.23        -
McAfee        5840        2009.12.22        -
McAfee+Artemis        5840        2009.12.22        -
McAfee-GW-Edition        6.8.5        2009.12.23        -
Microsoft        1.5302        2009.12.23        -
NOD32        4711        2009.12.23        -
Norman        6.04.03        2009.12.23        -
nProtect        2009.1.8.0        2009.12.23        -
Panda        10.0.2.2        2009.12.15        -
PCTools        7.0.3.5        2009.12.23        -
Prevx        3.0        2009.12.23        Medium Risk Malware
Rising        22.27.02.02        2009.12.23        -
Sophos        4.49.0        2009.12.23        -
Sunbelt        3.2.1858.2        2009.12.23        -
Symantec        1.4.4.12        2009.12.23        -
TheHacker        6.5.0.3.108        2009.12.23        -
TrendMicro        9.120.0.1004        2009.12.23        -
VBA32        3.12.12.0        2009.12.23        -
ViRobot        2009.12.23.2105        2009.12.23        -
VirusBuster        5.0.21.0        2009.12.23        -
weitere Informationen
File size: 58176 bytes
MD5...: 397859a38a99ebeac3558f5c1edaa6fb
SHA1..: f0e0a1bcd97136271ffcdbe48a47bcaa74788df6
SHA256: e84ad18c82ac5e3935707de57904c06ae145b6e27948ef2441ed538698be7010
ssdeep: 768:guYVYni3ygWFc5JLzr6uBMb061+Zez4MkOcDmlODehl+g:guYGiVWFc5xzvM
b0+6ez45DehX
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x47d3
timedatestamp.....: 0x4b2ff340 (Mon Dec 21 22:14:24 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7869 0x8000 6.32 c6ac5581479b37e8800ab057fa9faae1
.rdata 0x9000 0x19bc 0x2000 4.20 4af36201e3ec7bd14a10a83fdd58b6e5
.data 0xb000 0x958 0x1000 1.04 3aed8e42390bcf9d3f2a51876c4d7e55
.rsrc 0xc000 0x10 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110

( 1 imports )
> KERNEL32.dll: lstrcpyA, lstrlenA, UnmapViewOfFile, FlushViewOfFile, MapViewOfFile, CloseHandle, CreateFileMappingA, GetFileSize, CreateFileA, GetProcAddress, LoadLibraryExA, lstrcmpA, RtlUnwind, RaiseException, GetSystemTimeAsFileTime, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersionExA, HeapAlloc, HeapFree, SetUnhandledExceptionFilter, ExitProcess, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, HeapSize, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, GetACP, GetOEMCP, GetCPInfo, LoadLibraryA, InterlockedExchange, VirtualQuery, GetLocaleInfoA, VirtualProtect, GetSystemInfo, LCMapStringA, LCMapStringW, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId

( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=A747967F40EB0295E37600A2A103EE0060153A47' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=A747967F40EB0295E37600A2A103EE0060153A47</a>
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: Zwunzi.com
UTN-USERFirst-Object
signing date.: 11:14 PM 12/21/2009
verified.....: -
Code:
Datei zwunzi.dll empfangen 2009.12.23 14:41:22 (UTC)

Ergebnis: 10/41 (24.4%)

       
Antivirus        Version        letzte aktualisierung        Ergebnis
a-squared        4.5.0.43        2009.12.23        Riskware.AdWare.Win32.Zwangi!IK
AhnLab-V3        5.0.0.2        2009.12.23        -
AntiVir        7.9.1.122        2009.12.23        -
Antiy-AVL        2.0.3.7        2009.12.23        -
Authentium        5.2.0.5        2009.12.23        -
Avast        4.8.1351.0        2009.12.23        -
AVG        8.5.0.430        2009.12.23        -
BitDefender        7.2        2009.12.23        Gen:Adware.Heur.Ku4@1e5rerki
CAT-QuickHeal        10.00        2009.12.23        -
ClamAV        0.94.1        2009.12.23        -
Comodo        3341        2009.12.23        -
DrWeb        5.0.1.12222        2009.12.23        -
eSafe        7.0.17.0        2009.12.23        -
eTrust-Vet        35.1.7193        2009.12.23        -
F-Prot        4.5.1.85        2009.12.22        -
F-Secure        9.0.15370.0        2009.12.23        Gen:Adware.Heur.Ku4@1e5rerki
Fortinet        4.0.14.0        2009.12.22        -
GData        19        2009.12.23        Gen:Adware.Heur.Ku4@1e5rerki
Ikarus        T3.1.1.79.0        2009.12.23        not-a-virus:AdWare.Win32.Zwangi
Jiangmin        13.0.900        2009.12.23        -
K7AntiVirus        7.10.926        2009.12.22        -
Kaspersky        7.0.0.125        2009.12.23        -
McAfee        5840        2009.12.22        -
McAfee+Artemis        5840        2009.12.22        Artemis!CE23F1BA824C
McAfee-GW-Edition        6.8.5        2009.12.23        Heuristic.BehavesLike.Win32.Trojan.J
Microsoft        1.5302        2009.12.23        -
NOD32        4711        2009.12.23        -
Norman        6.04.03        2009.12.23        -
nProtect        2009.1.8.0        2009.12.23        -
Panda        10.0.2.2        2009.12.15        Suspicious file
PCTools        7.0.3.5        2009.12.23        -
Prevx        3.0        2009.12.23        -
Rising        22.27.02.02        2009.12.23        AdWare.Win32.Agent.dvu
Sophos        4.49.0        2009.12.23        Zwunzi
Sunbelt        3.2.1858.2        2009.12.23        -
Symantec        1.4.4.12        2009.12.23        -
TheHacker        6.5.0.3.108        2009.12.23        -
TrendMicro        9.120.0.1004        2009.12.23        -
VBA32        3.12.12.0        2009.12.23        -
ViRobot        2009.12.23.2105        2009.12.23        -
VirusBuster        5.0.21.0        2009.12.23        -
weitere Informationen
File size: 598016 bytes
MD5...: ce23f1ba824c1409554bc74ac1c961a5
SHA1..: 13c904f8ca67f26d088654962e34078cd424667f
SHA256: 1a785bd3e5067c3441bfc6d6bf24fce7df2a5ba35332d3557a0a12bd5a9176a6
ssdeep: 12288:pI3dGKT7ukplOPaR/3m0+C0NxlLOZGQi+cjG6EuY4AsDR+t:63wKGkpleI
/3Z+LNxgZGVnrA4+t
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5642
timedatestamp.....: 0x4b2ff33c (Mon Dec 21 22:14:20 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x97fe 0xa000 6.34 6448b49bc24b16427cb6dc7537222465
.rdata 0xb000 0x21a3 0x3000 3.85 b4943c431e95cc42b0dbb6baa520b434
.data 0xe000 0x127c 0x1000 1.92 7766d3d8753f505e33cb7cd05d1526c6
.rsrc 0x10000 0x80060 0x81000 7.99 52f3f7da7cd73ec37587ceb0f0e7028f
.reloc 0x91000 0x1608 0x2000 2.71 453598f1e666a9ac29173d4890ba0523

( 2 imports )
> KERNEL32.dll: FreeLibrary, GetProcAddress, LoadLibraryA, RtlUnwind, RaiseException, ExitProcess, GetCurrentThreadId, GetCommandLineA, GetVersionExA, HeapAlloc, TlsAlloc, SetLastError, GetLastError, TlsFree, TlsSetValue, TlsGetValue, GetModuleHandleA, SetUnhandledExceptionFilter, HeapFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, TerminateProcess, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, WriteFile, VirtualAlloc, HeapReAlloc, IsBadWritePtr, HeapSize, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InitializeCriticalSection, InterlockedExchange, VirtualQuery, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, VirtualProtect, GetSystemInfo
> USER32.dll: SetWindowsHookExA

( 7 exports )
Command, Install, Main, Opt, Service, SetProc, Uninstall
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


HiJack:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:42, on 23.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Zwunzi\zwunzi133.exe
C:\Programme\Zwunzi\zwunzi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Zwunzi\zwunzi.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\wuauclt.exe
C:\programme\steam\steam.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programme\ICQ6.5\ICQ.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\Programme\MPK\MPK.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "c:\programme\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClipIncSrvTray] "C:\Programme\Tobit ClipInc\Player\ClipIncTray.exe"
O4 - HKUS\S-1-5-21-343818398-1004336348-839522115-1010\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'xxx')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programme\PokerStars.NET\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228156964203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228157017765
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD52D0A5-73B4-4373-890A-3C88F6A99C40}: NameServer = 192.168.2.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - C:\Programme\Tobit ClipInc\Server\ClipInc-Server.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Google Update Service (gupdate1c9a0d236205ffc) (gupdate1c9a0d236205ffc) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Zwunzi Service - Unknown owner - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Zwunzi\zwunzi133.exe

--
End of file - 8711 bytes

PS: Frohe Weihnachten und nen guten Rutsch! =)

cosinus 24.12.2009 09:25
Hallo,

ich nutze den FreeYoutubeToMp3Converter auch, aber der Zwunzi ist mir nie aufgefallen.

Führ mal bitte aus über Start, ausführen, cmd eintippen=> ok, in die Konsole diesen Befehl eingeben: sc delete "Zwunzi Service"

Danach den Avenger bitte ausführen:

1.) Lade Dir von hier Avenger:
Swandog46's Public Anti-Malware Tools (Download, linksseitig)

2.) Entpack das zip-Archiv, führe die Datei "avenger.exe" aus (unter Vista per Rechtsklick => als Administrator ausführen). Die Haken unten wie abgebildet setzen:

http://mitglied.lycos.de/efunction/tb123/avenger.png

3.) Kopiere Dir exakt die Zeilen aus dem folgenden Code-Feld:
Code:
folders to delete:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Zwunzi
C:\Programme\Zwunzi
4.) Geh in "The Avenger" nun oben auf "Load Script", dort auf "Paste from Clipboard".

5.) Der Code-Text hier aus meinem Beitrag müsste nun unter "Input Script here" in "The Avenger" zu sehen sein.

6.) Falls dem so ist, klick unten rechts auf "Execute". Bestätige die nächste Abfrage mit "Ja", die Frage zu "Reboot now" (Neustart des Systems) ebenso.

7.) Nach dem Neustart erhältst Du ein LogFile von Avenger eingeblendet. Kopiere dessen Inhalt und poste ihn hier.

8.) Die Datei c:\avenger\backup.zip bei file-upload.net hochladen und hier verlinken.

netzkiller 09.01.2010 14:39
Hallo!
Erstmal vielen Dank an dich für deine schnelle Hilfe und sorry, dass ich so lange gebraucht habe, aber es war mir zeitlich nicht schneller möglich.

Also ich habe deine Anleitung befolgt und hier ist das Script :

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Zwunzi" deleted successfully.
Folder "C:\Programme\Zwunzi" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
... und hier der Link zum Backup :

http://www.file-upload.net/download-2144104/backup.zip.html

LG

cosinus 10.01.2010 12:38
Das war Adware, die ist nun aber bei Dir gelöscht worden vom Avenger. Mach mal bitte nun einen Durchlauf mit Malwarebytes (<- Anleitung beachten!) und poste das Logfile.


Alle Zeitangaben in WEZ +1. Es ist jetzt 07:50 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131