Trojaner-Board - vbsys2.dll

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - vbsys2.dll (https://www.trojaner-board.de/11035-vbsys2-dll.html)

Das is mein HJT lock. ich hab irgendein problem mit dem file vbsys2.dll, sagt mir zumindest mein mcafee virusscan. kann mir jemand helfen?? DANKE!!

Logfile of HijackThis v1.99.0
Scan saved at 22:52:29, on 20.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Stephan\iTunes\iTunesHelper.exe
C:\games\quicktime\qttask.exe
C:\Games\ZoneAlarm\zlclient.exe
C:\Program Files\Winad Client\Winad.exe
C:\Programme\Palm\HOTSYNC.EXE
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Programme\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Network Associates\VirusScan\VsStat.exe
C:\Programme\Network Associates\VirusScan\Vshwin32.exe
C:\Programme\Network Associates\VirusScan\Avconsol.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
C:\Games\ICQ\Icq.exe
C:\Dokumente und Einstellungen\Rummelt\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Games\Adobe\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programme\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Stephan\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\games\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Games\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O4 - Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Games\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Games\ICQ\ICQ.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/wins...searchie32.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - file://c:\x.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98CA060-09B8-483F-A62B-AA85E64C443F}: NameServer = 172.16.10.1
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AVSync Manager - Unknown - C:\Programme\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Danke schonmal...

Lösche dies im abg. Modus:

C:\Program Files\Winad Client

Fixe dies mit HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwebsearch.net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwebsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwebsearch.net/search.html
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab30149.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - file://c:\x.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...ro.cab30149.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)

Bitte unbedingt www.windowsupdate.com besuchen und alle Updates und Patches installieren.

Scanne zur Kontrolle noch mit eScan im abg. Modus: http://www.trojaner-board.de/42731-escan-anleitung.html

@Christian
Vielen Dank!! der escan hat aber trotzdem noch viren gefunden und zwar diese:
File C:\WINDOWS\System32\vbsys2.dll infected by "TrojanClicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winupd.exe infected by "TrojanDropper.Win32.Small.ig" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Rummelt\Desktop\hijackthis.log infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
File C:\Games\Counter-Strike\hltv.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.

Das hier ist mein neuer HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 16:04:27, on 22.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Stephan\iTunes\iTunesHelper.exe
C:\games\quicktime\qttask.exe
C:\Games\ZoneAlarm\zlclient.exe
C:\Games\Steam\Steam.exe
C:\Programme\Palm\HOTSYNC.EXE
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Network Associates\VirusScan\VsStat.exe
C:\Programme\Network Associates\VirusScan\Vshwin32.exe
C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
C:\Programme\Network Associates\VirusScan\Avconsol.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Games\ICQ\Icq.exe
C:\Dokumente und Einstellungen\Rummelt\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Games\Adobe\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Programme\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Stephan\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\games\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Games\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O4 - Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Programme\Palm\HOTSYNC.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Games\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Games\ICQ\ICQ.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E98CA060-09B8-483F-A62B-AA85E64C443F}: NameServer = 172.16.10.1
O23 - Service: AVSync Manager - Unknown - C:\Programme\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Könntest du den bitte nochmal checken???
Dankeschön!!!!

Log ist sauber.

Lösche nun die gefundenen Dateien im abg. Modus manuell.

Ok das war jetz alles oder????

Ja - nur WindowsUpdate solltest du noch machen.

Jap mach ich vielen dank für alles!!