Trojaner-Board


Memoryx 27.02.2007 12:59

Virus/Trojan?? How do I remove it?
 
Hi!
I already wrote a similar post once, but in the end apparently nobody could help me. Here are the report from "Sophos" and a HijackThis log file. I hope this helps and that you can perhaps help me or tell me how to proceed.

Sophos report:

Sophos Anti-Virus
Version 4.15.0 [Win32/Intel]
Virus data version 4.15, March 2007
Includes detection for 223589 viruses, trojans and worms
Copyright (c) 1989-2007 Sophos Plc, Sophos - anti-virus and anti-spam software for businesses

System time 00:02:37, System date 24 February 2007
Command line qualifiers are: -di -remove -f -all -mime -mbr -noc -archive -opt=ISCabinet --stop-scan

IDE directory is: c:\AV-CLS\Sophos

Using IDE file lager-u.ide
Using IDE file agentdww.ide
Using IDE file bagdl-cj.ide
Using IDE file banl-avp.ide
Using IDE file bgldl-ca.ide
Using IDE file bho-be.ide
Using IDE file blic-a.ide
Using IDE file limpne-a.ide
Using IDE file bront-cr.ide
Using IDE file zasran-h.ide
Using IDE file clagg-ax.ide
Using IDE file clagr-ay.ide
Using IDE file delbot-g.ide
Using IDE file delbot-h.ide
Using IDE file delf-elf.ide
Using IDE file zapch-cx.ide
Using IDE file dloa-akq.ide
Using IDE file dloa-atg.ide
Using IDE file dlod-atw.ide
Using IDE file dolla-cm.ide
Using IDE file dref-ac.ide
Using IDE file dref-ae.ide
Using IDE file dref-q.ide
Using IDE file lookd-ca.ide
Using IDE file ds070219.ide
Using IDE file ds070220.ide
Using IDE file ds070221.ide
Using IDE file ds070222.ide
Using IDE file ds070223.ide
Using IDE file sohana-g.ide
Using IDE file soad-c.ide
Using IDE file fujac-aa.ide
Using IDE file fujack-i.ide
Using IDE file murlo-ek.ide
Using IDE file fujack-r.ide
Using IDE file fujack-z.ide
Using IDE file piggi-b.ide
Using IDE file iframe-b.ide
Using IDE file pitin-a.ide
Using IDE file zlob-zp.ide
Using IDE file lazy-a.ide
Using IDE file tileb-iw.ide
Using IDE file spy-ul.ide
Using IDE file psyme-dz.ide
Using IDE file poebo-kg.ide
Using IDE file sillyf-r.ide
Using IDE file sdbt-czq.ide
Using IDE file looke-ar.ide
Using IDE file rbot-gfk.ide
Using IDE file spamto-u.ide
Using IDE file rbot-gep.ide
Using IDE file pulcer-a.ide
Using IDE file poebo-ke.ide
Using IDE file rbot-gdc.ide
Using IDE file rbot-fwl.ide
Using IDE file rbot-gdb.ide
Using IDE file rbot-ful.ide
Using IDE file ircbo-ub.ide
Using IDE file rbot-gci.ide
Using IDE file fujack-p.ide
Using IDE file gampas-h.ide
Using IDE file dwnl-gag.ide
Using IDE file ds070209.ide
Using IDE file lookd-bw.ide
Using IDE file sdb-dlc.ide
Using IDE file dldr-atd.ide
Using IDE file bront-cp.ide
Using IDE file mooler-b.ide
Using IDE file dwn-gai.ide
Using IDE file msnvb-d.ide
Using IDE file lookd-bu.ide
Using IDE file strat-cu.ide
Using IDE file tileb-ip.ide
Using IDE file cimu-ca.ide
Using IDE file zapch-cw.ide
Using IDE file line-aiv.ide
Using IDE file look-bx.ide
Using IDE file zlob-zt.ide

Full Scanning

Could not open c:\Dokumente und Einstellungen\"name"\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\"name"\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\WINDOWS\system32\CatRoot2\edb.log
Could not open c:\WINDOWS\system32\CatRoot2\tmp.edb
Could not open c:\WINDOWS\system32\config\system.LOG
>>> Virus 'Troj/Cimuz-BW' found in file c:\WINDOWS\system32\rsvp32_2.dll
Removal failed
>>> Virus 'Troj/Dorf-Fam' found in file c:\WINDOWS\system32\wincom32.sys
Removal successful
Could not check d:\RECYCLER\S-1-5-21-1757981266-1960408961-725345543-1004\Dd9.exe\SfxArchiveData\Sarc0000 (corrupt)

1 master boot record swept.
37687 files swept in 37 minutes and 29 seconds.
10 errors were encountered.
2 viruses were discovered.
2 files out of 37687 were infected.
Please send infected samples to Sophos for analysis.
For advice consult Sophos - anti-virus and anti-spam software for businesses, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.



HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 16:42:08, on 22.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\Fast.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\DOKUME~1\HENRIK~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Trojaner-Board - powered by Trojaner-Board
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Trojaner-Board - powered by Trojaner-Board
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Trojaner-Board - powered by Trojaner-Board
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Trojaner-Board - powered by Trojaner-Board
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe "
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe


Hope this helps. Regards, Memoryx
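As an added example (not code from the thread or from either poster), here is a small Python triage script for the two log formats pasted above. It pulls each detection and its removal result out of the Sophos report, reads the HijackThis entries by section, and flags any file that failed removal and is also named in an O10 (Winsock LSP) entry, since such a file sits in the network stack and needs the LSP chain repaired, not just the DLL deleted. The embedded log excerpts are constructed from lines in the post; the function names parse_sophos, parse_hjt and triage are chosen here.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed excerpts modelled on the two logs pasted in the post above.
SOPHOS_LOG = r"""
Full Scanning

Could not open c:\WINDOWS\system32\config\system.LOG
>>> Virus 'Troj/Cimuz-BW' found in file c:\WINDOWS\system32\rsvp32_2.dll
Removal failed
>>> Virus 'Troj/Dorf-Fam' found in file c:\WINDOWS\system32\wincom32.sys
Removal successful
Could not check d:\RECYCLER\S-1-5-21-1757981266-1960408961-725345543-1004\Dd9.exe\SfxArchiveData\Sarc0000 (corrupt)

1 master boot record swept.
37687 files swept in 37 minutes and 29 seconds.
10 errors were encountered.
2 viruses were discovered.
2 files out of 37687 were infected.
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

# Sophos prints the detection on one line and the removal result on the next.
DETECTION_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")
REMOVAL_RE = re.compile(r"^Removal (?P<status>successful|failed)$")
ERROR_RE = re.compile(r"^Could not (?:open|check) (?P<path>.+)$")
SUMMARY_RE = re.compile(
    r"^(?P<count>\d+) (?P<what>viruses were discovered|errors were encountered|files swept)"
)
# HijackThis lines start with a section code such as R0, O4, O10, O23.
HJT_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Detection:
    name: str
    path: str
    removal: str = "unknown"  # stays "unknown" if no Removal line follows


@dataclass
class SophosReport:
    detections: list = field(default_factory=list)
    unreadable: list = field(default_factory=list)  # files the scanner could not open/check
    summary: dict = field(default_factory=dict)

    def unresolved(self):
        """Detections that were not successfully removed and still need action."""
        return [d for d in self.detections if d.removal != "successful"]


def parse_sophos(text):
    report = SophosReport()
    pending = None  # last detection waiting for its Removal line
    for raw in text.splitlines():
        line = raw.strip()
        if m := DETECTION_RE.match(line):
            pending = Detection(m["name"], m["path"])
            report.detections.append(pending)
        elif (m := REMOVAL_RE.match(line)) and pending is not None:
            pending.removal = m["status"]
            pending = None
        elif m := ERROR_RE.match(line):
            report.unreadable.append(m["path"])
        elif m := SUMMARY_RE.match(line):
            report.summary[m["what"]] = int(m["count"])
    return report


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    return [(m["section"], m["body"])
            for line in text.splitlines()
            if (m := HJT_RE.match(line.strip()))]


def lsp_warnings(entries):
    # O10 entries describe Winsock LSP problems; a missing or unremovable LSP DLL
    # can break all TCP/IP connectivity, so they must be handled before deleting files.
    return [body for section, body in entries if section == "O10"]


def triage(sophos_text, hjt_text):
    """Combine both logs into a list of findings that still need attention."""
    report = parse_sophos(sophos_text)
    entries = parse_hjt(hjt_text)
    lsp_text = " ".join(lsp_warnings(entries)).lower()
    findings = []
    for d in report.unresolved():
        note = f"{d.name} in {d.path}: removal {d.removal}"
        if ntpath.basename(d.path).lower() in lsp_text:
            note += " (also referenced in a Winsock LSP entry; repair the LSP chain rather than just deleting the file)"
        findings.append(note)
    findings.extend(f"LSP issue: {w}" for w in lsp_warnings(entries))
    return findings


if __name__ == "__main__":
    for finding in triage(SOPHOS_LOG, HJT_LOG):
        print(finding)
```

Running the script on the embedded excerpts reports the Cimuz-BW DLL as the one open item: Sophos could not remove it, and HijackThis already shows it wired into the Winsock LSP chain, which is why the scan summary's "2 viruses were discovered" alone understates the cleanup still needed.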

nochdigger 27.02.2007 17:46

Hello

It looks as though a backdoor trojan was active on your system.
Quote:

Quote from Sophos, Troj/Dorf-Fam
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security

And in addition a pest that steals information, whatever that may look like, and also sends unsolicited e-mails with presumably very questionable content.
Quote:

Quote from Sophos, Troj/Cimuz-BW
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer

I advise you to follow this guide to reinstalling and then securing the system --> Guide to reinstalling the system

Regards


Copyright ©2000-2025, Trojaner-Board