Trojaner-Board
Seite 1 von 4 1 23 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Trojan.Win32.Blackbird.exe (https://www.trojaner-board.de/52144-trojan-win32-blackbird-exe.html)

tnowacki 06.05.2008 13:24
Trojan.Win32.Blackbird.exe
 
Guten Tag,
seit einigen Tagen habe ich o.g. Trojaner bei mir auf dem Desktop. Neben ihm erscheinen einige andere .exe-Dateien, diese habe ich aber ausgeblendet. (Weiß nicht mehr warum...) und weiß nicht mehr, wie ich sie wieder einblenden kann.
Ich besitze Vista Home Premium.
Sonderbar ist auch, dass mein Avast in Ordnern Viren entdeckt, die ich gar nicht finden kann... :balla:

Hier mein hijack:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 14:19:36, on 06.05.2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\TabUserW.exe
C:\ProgramData\hmzovatq\xkpapszm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
H:\Program Files\Adobe\Adobe Fireworks CS3\Fireworks.exe
E:\FREEDO~1\fdm.exe
C:\Windows\explorer.exe
C:\Users\***\Documents\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://***.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - H:\Program Files\Adobe\/Adobe Contribute

CS3/contributeieplugin.dll
O2 - BHO: (no name) - {6237B16D-70F2-4D04-ADD7-6ADAF1FE9617} - C:\Windows\system32\tuvVNExY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Free Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program

Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute

CS3/contributeieplugin.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program

Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55} - C:\Windows\wxdbpfvo.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUOFwTN.dll,#1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\***\AppData\Local\Temp\iifedaYP.dll,#1
O8 - Extra context menu item: Alles mit FDM herunterladen - file://E:\Free Download Manager\dlall.htm
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://H:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://E:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://E:\Free Download Manager\dllink.htm
O8 - Extra context menu item: In Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0

\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Videos mit FDM herunterladen - file://E:\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11

\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://***.webtip.ch/cgi-bin/toshiba/tracker_url_de.pl?

http://***.ebay.de/ (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: qadovnel - {8F3489AD-D1EB-4F4E-AD58-A047FAFD89AC} - C:\Windows\qadovnel.dll
O23 - Service: Adobe Version Cue CS3 {de_DE}  (Adobe Version Cue CS3) - Unknown owner - C:\Program Files\Common

Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4

\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file

missing)
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: dev5_ap1 - Unknown owner - C:\phpdev5\apache\Apache.exe" --ntservice (file missing)
O23 - Service: dev5_ap2 - Unknown owner - C:\phpdev5\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision

Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file

missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file

missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power

Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba

Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead

Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Unknown owner - H:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - H:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %

ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Vielen Dank im Vorraus!

myrtille 06.05.2008 13:32
Hi,

lade dir bitte Smitfraudfix herunter und verfahre entsprechend der Anleitung "Suche".
Poste das erstellte Log hier.

Stelle anschließend sicher, dass alle Dateien sichtbar sind und suche folgende Datei:
Zitat:
C:\ProgramData\hmzovatq\xkpapszm.exe
und lade diese bei Virustotal hoch. Poste das komplette Ergebnis sowie einen Link zum Ergebnis von Virustotal, dann bitte hier.

lg myrtille

tnowacki 06.05.2008 14:51
Hier der Smitfraudfix:
Code:
SmitFraudFix v2.319

Scan done at 15:46:20,26, 06.05.2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Tablet.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\TabUserW.exe
C:\Windows\system32\Tablet.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
H:\Program Files\Adobe\Adobe Fireworks CS3\Fireworks.exe
C:\Windows\explorer.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
E:\FREEDO~1\fdm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» \


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows

C:\Windows\qadovnel.dll FOUND !
C:\Windows\xbaqktfv.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\akl\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: wxdbpfvo.dll
Toolbar: wxdbpfvo - {C3169036-557E-45E1-840F-C845DC406C55}
TypeLib: {D95C697F-D985-4AB1-92B5-40DF04BBE322}
Interface: {FC1E1AC3-3303-4BC5-913C-735D8B393FAD}
Classe: wxdbpfvo.bmva
Classe: wxdbpfvo.ToolBar.1

[!] Suspicious: qadovnel.dll
SSODL: qadovnel - {8F3489AD-D1EB-4F4E-AD58-A047FAFD89AC}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 3945ABG Network Connection
DNS Server Search Order: 192.168.178.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Und hier der Virustotal:
Code:
MD5:          28e1eb9110e24fe9abe70496c1892753
First received:        2008.04.30 20:59:54 (CET)
Datum        2008.04.30 20:59:54 (CET) [>5D]
Ergebnisse        10/32
Permalink:        analisis/4eef82b9025e0070a8f5c15a4624ae25
VirusTotal - Kostenloser online Viren- und Malwarescanner - Neu analysieren

myrtille 06.05.2008 15:01
Kannst du mir bitte mal noch die Virenmeldungen von Avast posten?

Mich würde interessieren wo was gefunden wird.

lg myrtille

tnowacki 06.05.2008 15:03
Zitat:
Zitat von myrtille (Beitrag 336852)
Kannst du mir bitte mal noch die Virenmeldungen von Avast posten?

Mich würde interessieren wo was gefunden wird.

lg myrtille
Code:
01.05.2008 10:11:48        ***        1424        Sign of "Win32:Agent-LTS [Trj]" has been found in "c:\windows\bdkpfxqw.dll" file. 
01.05.2008 11:12:26        SYSTEM        1640        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\ysolgoxj.dll" file. 
01.05.2008 11:12:54        SYSTEM        1640        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Windows\System32\tuvVNExY.dll" file. 
01.05.2008 11:13:01        SYSTEM        1640        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Windows\System32\tuvVNExY.dll" file. 
01.05.2008 11:13:18        ***        6064        Sign of "Win32:TratBHO [Trj]" has been found in "c:\windows\system32\tuvvnexy.dll" file. 
01.05.2008 11:18:38        SYSTEM        1640        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Windows\System32\tuvVNExY.dll" file. 
01.05.2008 11:19:01        SYSTEM        1640        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Windows\System32\tuvVNExY.dll" file. 
01.05.2008 11:41:59        ***        1076        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Documents and Settings\***\AppData\Local\Temp\yayvTNFX.dll" file. 
01.05.2008 12:06:22        SYSTEM        1656        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\awturRji.dll" file. 
01.05.2008 13:06:25        SYSTEM        1656        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\khfETnkh.dll" file. 
01.05.2008 14:06:24        SYSTEM        1656        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\qoMeBuUk.dll" file. 
01.05.2008 15:06:24        SYSTEM        1656        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\mlJYrstq.dll" file. 
04.05.2008 19:19:29        SYSTEM        1620        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\khfCUNGv.dll" file. 
04.05.2008 20:19:28        SYSTEM        1620        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\efcDUmmM.dll" file. 
04.05.2008 21:19:28        SYSTEM        1620        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\jkKDtqRH.dll" file. 
05.05.2008 14:21:13        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\mlJaBsSJ.dll" file. 
05.05.2008 15:21:14        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\opnonoli.dll" file. 
05.05.2008 16:21:15        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\xxyyxwuu.dll" file. 
05.05.2008 19:50:37        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\vtUnnomM.dll" file. 
05.05.2008 20:50:37        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\mlJApOGW.dll" file. 
06.05.2008 13:37:17        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\iifdbCSm.dll" file. 
06.05.2008 14:37:18        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\hgGvvwUK.dll" file. 
06.05.2008 15:18:16        SYSTEM        1636        Sign of "Win32:Tiny-II [Trj]" has been found in "C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STKYD2GL\xyyzdhuzz[1].htm" file. 
06.05.2008 15:19:42        SYSTEM        1636        Sign of "Win32:Tiny-II [Trj]" has been found in "C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A298A6LH\xyyzdhuzz[1].htm" file. 
06.05.2008 15:37:18        SYSTEM        1636        Sign of "Win32:TratBHO [Trj]" has been found in "C:\Users\***\AppData\Local\Temp\urqQhFxU.dll" file.

myrtille 06.05.2008 15:07
Hehe, nein, das meinte ich nicht. :D
Du schriebst:
Zitat:
Sonderbar ist auch, dass mein Avast in Ordnern Viren entdeckt, die ich gar nicht finden kann
Wie heißen die OrdnerDateien denn?

lg myrtille

tnowacki 06.05.2008 15:12
Zitat:
Zitat von myrtille (Beitrag 336855)
Hehe, nein, das meinte ich nicht. :D
Du schriebst:


Wie heißen die OrdnerDateien denn?

lg myrtille
Die Ordner kann ich jetzt finden - Sie waren versteckt und nicht angezeigt :daumenhoch
und das, was ich vorher gepostet habe, waren alle Meldungen, die ich bekam.

myrtille 06.05.2008 15:14
Ok, hab dein Edit gesehen

tnowacki 06.05.2008 15:16
Zitat:
Zitat von myrtille (Beitrag 336858)
Ich würde trotzdem gern wissen, wie diese Ordner und Dateien heißen :D
Ansonsten kann ich dir auhc nicht sagen ob und wie man sie löscht.

lg myrtille
Siehe bitte 4 Posts vorher... Da stehen alle Virenmeldungen drin.
edit: myrtille war schneller :D

myrtille 06.05.2008 15:30
Hi,
dann arbeite bitte mal den 2. Schritt (Bereinigung) von Smitfraudfix ab und erstelle danach ein Log mit Malwarebytes

Smitfraudfix wird nicht alles entfernen, aber das gröbste sollte dann bereinigt sein.

lg myrtille

tnowacki 06.05.2008 18:49
Zitat:
Zitat von myrtille (Beitrag 336861)
Hi,
dann arbeite bitte mal den 2. Schritt (Bereinigung) von Smitfraudfix ab und erstelle danach ein Log mit Malwarebytes

Smitfraudfix wird nicht alles entfernen, aber das gröbste sollte dann bereinigt sein.

lg myrtille
Soooo...
Hier die Ergebnisse:
Code:
Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Full Scan (C:\|)
Objects scanned: 295916
Time elapsed: 1 hour(s), 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\mwc (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\mslagent (Adware.EGDAccess) -> No action taken.
C:\Program Files\MySearch (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\History (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Settings (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\Windows\mslagent\2_mslagent.dll (Adware.EGDAccess) -> No action taken.
C:\Windows\mslagent\mslagent.exe (Adware.EGDAccess) -> No action taken.
C:\Windows\mslagent\uninstall.exe (Adware.EGDAccess) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4FFXTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4NTSTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache\000356F5 (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache\00035D3C (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache\000361CE.bmp (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache\000364E9.bmp (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Cache\files.ini (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\History\search2 (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MySearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> No action taken.
C:\Users\***\AppData\Local\Temp\byXQJBTj.dll (Malware.Trace) -> No action taken.
C:\Windows\System32\vbsys2.dll (Trojan.Clicker) -> No action taken.
C:\Windows\System32\awtoolb.dll (Trojan.Vundo) -> No action taken.

myrtille 06.05.2008 18:56
Hi,
poste bitte auch den Inhalt der Datei C:\Rapport.txt. :)

Lass außerdem die von Malwarebytes gefundenen Einträge löschen.

Erstelle bitte außerdem noch ein neues Hijackthislogfile.

lg myrtille

tnowacki 06.05.2008 19:08
Zitat:
Zitat von myrtille (Beitrag 336883)
Hi,
poste bitte auch den Inhalt der Datei C:\Rapport.txt. :)

Lass außerdem die von Malwarebytes gefundenen Einträge löschen.

Erstelle bitte außerdem noch ein neues Hijackthislogfile.

lg myrtille
Code:
Logfile of HijackThis v1.99.1
Scan saved at 20:06:12, on 06.05.2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\TabUserW.exe
C:\ProgramData\hmzovatq\xkpapszm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\ProgramData\nfwspjcq\tofqzalu.exe
E:\Adobe\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\***\Documents\hijackthis_199\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://***.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {6237B16D-70F2-4D04-ADD7-6ADAF1FE9617} - C:\Windows\system32\tuvVNExY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Free Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - H:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "H:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\wvUOFwTN.dll,#1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\***\AppData\Local\Temp\fccYsppn.dll,#1
O4 - HKCU\..\Run: [nfwspjcq] C:\ProgramData\nfwspjcq\tofqzalu.exe
O8 - Extra context menu item: Alles mit FDM herunterladen - file://E:\Free Download Manager\dlall.htm
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://E:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://E:\Free Download Manager\dllink.htm
O8 - Extra context menu item: In Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Videos mit FDM herunterladen - file://E:\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://***.webtip.ch/cgi-bin/toshiba/tracker_url_de.pl?http://***.ebay.de/ (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe Version Cue CS3 {de_DE}  (Adobe Version Cue CS3) - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: dev5_ap1 - Unknown owner - C:\phpdev5\apache\Apache.exe" --ntservice (file missing)
O23 - Service: dev5_ap2 - Unknown owner - C:\phpdev5\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wampapache - Unknown owner - H:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - H:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Was meinst du mit rapport.txt? Und 4 Dateien konnte MWB nicht löschen - die genauen Daten habe ich aus Versehen weggeklickt :(
Aaaaa, rapport:
Code:
SmitFraudFix v2.319

Scan done at 16:40:30,68, 06.05.2008
Run from C:\Users\tnowacki\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1      localhost
::1            localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\Windows\wxdbpfvo.dll deleted.
C:\Windows\qadovnel.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Windows\xbaqktfv.exe Deleted
C:\Program Files\akl\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 3945ABG Network Connection
DNS Server Search Order: 192.168.178.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{45AF0DFF-A4DB-4ED7-B45A-AC87677CEF8B}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BB3C56FD-70C6-4395-A07B-3AC4BCBB48D1}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

tnowacki 06.05.2008 19:55
Hiilfe!
jetzt kommt noch eine Meldung, dass ich mit Spyware verseucht bin! :schrei::balla::balla::(:balla:

myrtille 06.05.2008 20:40
Ja, wie gesagt Smitfraudfix hat nicht alles entfernt.
Daher machen wir hiermit weiter:

Deaktiviere bitte zuerst die UAC, dies geht mit: Start -> Ausführen -> msconfig -> Enter -> Tools -> Benutzrkontenstrg. deaktivieren -> starten.
Ansonsten kann Avenger nicht korrekt funktionieren.

1.) Lade dir das Tool Avenger, speichere es auf dem Desktop und starte es.
2.) Klicke nun auf die Option „Input Script manually“ -> klicke jetzt auf die Lupe und kopiere folgenden Text rein:
Code:
Folders to delete:
C:\ProgramData\hmzovatq
C:\ProgramData\nfwspjcq

Files to delete:
C:\Windows\system32\wvUOFwTN.dll
C:\Users\***\AppData\Local\Temp\fccYsppn.dll

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|MSServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|nfwspjcq
3.) Klicke nun auf die „grüne Ampel“, das Script fängt an zu arbeiten.
4.) Danach das System unverzüglich neu starten lassen
5.) Poste den Inhalt der C:\avenger.txt Datei.

Die *** bitte durch deinen Benutzernamen ersetzen
Bitte nicht vergessen, nach dem Neustart UAC wieder zu aktivieren :)
Dazu bitte auch ein neues Hijackthislogfile.

lg myrtille


Alle Zeitangaben in WEZ +1. Es ist jetzt 00:22 Uhr.
Seite 1 von 4 1 23 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19