Trojaner-Board


nasket 14.09.2004 16:59

vbs/zerolin.A keeps getting reloaded
 
Can someone please help me out of my helplessness?
The trojan vbs/zerolin.A keeps getting reloaded; the antivirus program deletes it, but the reloading happens so fast that working online is no longer possible.

Logfile of HijackThis v1.98.2
Scan saved at 17:51:06, on 14.9.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAMME\JANA2\JANAD95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\JANA2\JANAADMIN.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsp.at/rpi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\RunServices: [Janad95] C:\PROGRAMME\JANA2\JANAD95.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: JanaAdmin.exe.lnk = C:\Programme\Jana2\JanaAdmin.exe

That is already the entire HiJack log; everything else has already been fixed.

Thanks for your (good) tips!!!!!!!!!!!!!!!!

Cidre 14.09.2004 17:33

Hello,

Quote:

Two new Trojans made their mark on the Top Twenty and both deserve a closer look. First we have TrojanDropper.VBS.Zerolin - a script Trojan programmed to install viruses on infected machines. We saw a significant number of spam campaigns where Zerolin came as a 'free' add-on. Zerolin then proceeded to install a variety of malware on victim machines, ranging from primitive key logging programs to multi-functional backdoors and even some worms.
Source: http://www.viruslist.com/eng/?tnews=1001&id=2140803

Have you already disabled System Restore?

Download the eScan AV Toolkit (mwav.exe), extract the file into the folder "c:\Bases" (important!) and then run "kavupd.exe" (update).
Boot into Safe Mode and start the scanner with "mwavscan.com". Tick all the checkboxes and click "Scan clean".
http://www.mwti.net/antivirus/free_utilities.asp

Afterwards, post a new HiJackThis log file and the virus log information from eScan.

nasket 15.09.2004 13:10

I followed the recommendations - thanks for them - and carried out everything as described:


Part of the log file (4 viruses were found in the Infected folder of the antivirus program):

eScan AntiVirus Toolkit Utility.
Wed Sep 15 10:18:30 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Wed Sep 15 10:18:30 2004 => **********************************************************
Wed Sep 15 10:18:30 2004 => Version 4.4.7
Wed Sep 15 10:18:30 2004 => Log File: C:\WINDOWS\TEMP\mwav.log
Wed Sep 15 10:18:30 2004 => Latest Date of files inside MWAV: 08 Sep 2004 13:01:21.
Wed Sep 15 10:18:32 2004 => AV Library Loaded...
Wed Sep 15 10:18:32 2004 => Scanning File C:\WINDOWS\TEMP\kavss.exe
Wed Sep 15 10:18:32 2004 => Scanning File C:\WINDOWS\TEMP\Getvlist.exe
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\kavss.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\kavssdi.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\kavssi.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\kavvlg.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\msvlclnt.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\ipc.dll
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\main.avi
Wed Sep 15 10:18:33 2004 => Scanning File C:\WINDOWS\TEMP\virus.avi
Wed Sep 15 10:18:33 2004 => Virus Database Date: 2004/09/08
Wed Sep 15 10:18:33 2004 => Virus Database Count: 103474
Wed Sep 15 10:18:39 2004 => AV Library Unloaded (3)...
Wed Sep 15 10:29:54 2004 => **********************************************************
Wed Sep 15 10:29:54 2004 => eScan AntiVirus Toolkit Utility.
Wed Sep 15 10:29:54 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Wed Sep 15 10:29:54 2004 => **********************************************************
Wed Sep 15 10:29:54 2004 => Version 4.4.7
Wed Sep 15 10:29:54 2004 => Log File: C:\BASES\mwav.log
Wed Sep 15 10:29:54 2004 => Latest Date of files inside MWAV: 08 Sep 2004 13:01:21.
Wed Sep 15 10:30:02 2004 => AV Library Loaded...
Wed Sep 15 10:30:02 2004 => Scanning File C:\BASES\kavss.exe
Wed Sep 15 10:30:02 2004 => Scanning File C:\BASES\Getvlist.exe
Wed Sep 15 10:30:04 2004 => Scanning File C:\BASES\kavss.dll
Wed Sep 15 10:30:04 2004 => Scanning File C:\BASES\kavssdi.dll
Wed Sep 15 10:30:04 2004 => Scanning File C:\BASES\kavssi.dll
Wed Sep 15 10:30:04 2004 => Scanning File C:\BASES\kavvlg.dll
Wed Sep 15 10:30:05 2004 => Scanning File C:\BASES\msvlclnt.dll
Wed Sep 15 10:30:05 2004 => Scanning File C:\BASES\ipc.dll
Wed Sep 15 10:30:05 2004 => Scanning File C:\BASES\main.avi
Wed Sep 15 10:30:05 2004 => Scanning File C:\BASES\virus.avi
Wed Sep 15 10:30:05 2004 => Virus Database Date: 2004/09/08
Wed Sep 15 10:30:05 2004 => Virus Database Count: 103474

Wed Sep 15 10:30:24 2004 => **********************************************************
Wed Sep 15 10:30:24 2004 => eScan AntiVirus Toolkit Utility.
Wed Sep 15 10:30:24 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Wed Sep 15 10:30:24 2004 =>
Wed Sep 15 10:30:24 2004 => Support: support@mwti.net
Wed Sep 15 10:30:24 2004 => Web: http://www.mwti.net
Wed Sep 15 10:30:24 2004 => **********************************************************
Wed Sep 15 10:30:24 2004 => Version 4.4.7
Wed Sep 15 10:30:24 2004 => Log File: C:\BASES\mwav.log
Wed Sep 15 10:30:24 2004 => Latest Date of files inside MWAV: 08 Sep 2004 13:01:21.

Wed Sep 15 10:30:24 2004 => Options Selected by User:
Wed Sep 15 10:30:24 2004 => Memory Check: Enabled
Wed Sep 15 10:30:24 2004 => Registry Check: Enabled
Wed Sep 15 10:30:24 2004 => StartUp Folder Check: Enabled
Wed Sep 15 10:30:24 2004 => System Folder Check: Enabled
Wed Sep 15 10:30:24 2004 => System Area Check: Disabled
Wed Sep 15 10:30:24 2004 => Services Check: Enabled
Wed Sep 15 10:30:24 2004 => Drive Check: Disabled
Wed Sep 15 10:30:24 2004 => All Drive Check :Enabled
Wed Sep 15 10:30:24 2004 => Scanning Type: Scan And Clean
Wed Sep 15 10:30:24 2004 => Folder Check: Disabled

Wed Sep 15 10:30:24 2004 => ***** Scanning Memory Files *****
Wed Sep 15 10:30:24 2004 => Scanning File C:\WINDOWS\SYSTEM\KERNEL32.DLL
Wed Sep 15 10:30:25 2004 => Scanning File C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Wed Sep 15 10:30:25 2004 => Scanning File C:\WINDOWS\SYSTEM\SPOOL32.EXE
Wed Sep 15 10:30:27 2004 => Scanning File C:\WINDOWS\SYSTEM\MPREXE.EXE
Wed Sep 15 10:30:27 2004 => Scanning File C:\WINDOWS\EXPLORER.EXE
Wed Sep 15 10:30:27 2004 => Scanning File C:\WINDOWS\SYSTEM\DDHELP.EXE
Wed Sep 15 10:30:28 2004 => Scanning File C:\BASES\MWAVSCAN.COM
Wed Sep 15 10:30:30 2004 => Scanning File C:\BASES\KAVSS.EXE

Wed Sep 15 10:30:30 2004 => ***** Scanning Registry Files *****

Wed Sep 15 10:30:30 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Wed Sep 15 10:30:30 2004 => Scanning File C:\WINDOWS\SYSTEM\WEBCHECK.DLL
Wed Sep 15 10:30:31 2004 => Scanning File C:\WINDOWS\SYSTEM\AUHOOK.DLL

Wed Sep 15 10:30:31 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Wed Sep 15 10:30:31 2004 => {53707962-6F74-2D53-2644-206D7942484F} = C:\Programme\Spybot - Search & Destroy\SDHelper.dll
Wed Sep 15 10:30:31 2004 => Scanning File C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

Wed Sep 15 10:30:31 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Wed Sep 15 10:30:31 2004 => Scanning File c:\windows\scanregw.exe
Wed Sep 15 10:30:32 2004 => Scanning File c:\windows\taskmon.exe
Wed Sep 15 10:30:32 2004 => Scanning File C:\WINDOWS\SYSTEM\SysTray.Exe
Wed Sep 15 10:30:32 2004 => Scanning File c:\windows\PCHealth\Support\PCHSchd.exe
Wed Sep 15 10:30:34 2004 => Scanning File C:\WINDOWS\Rundll32.exe
Wed Sep 15 10:30:34 2004 => Scanning File C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE

Wed Sep 15 10:30:35 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Wed Sep 15 10:30:35 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Wed Sep 15 10:30:35 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Wed Sep 15 10:30:35 2004 => Scanning File C:\PROGRAMME\JANA2\JANAD95.EXE
Wed Sep 15 10:30:36 2004 => Scanning File C:\WINDOWS\Rundll32.exe
Wed Sep 15 10:30:36 2004 => Scanning File C:\WINDOWS\SYSTEM\mstask.exe

Wed Sep 15 10:30:40 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Wed Sep 15 10:30:40 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Wed Sep 15 10:30:40 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Wed Sep 15 10:30:40 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Wed Sep 15 10:30:40 2004 => Scanning HKCR\txtfile\shell\open\command
Wed Sep 15 10:30:40 2004 => Scanning File c:\windows\NOTEPAD.EXE

Wed Sep 15 10:30:40 2004 => Scanning HKCR\comfile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\exefile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\dllfile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\batfile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\piffile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\scrfile\shell\open\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\scrfile\shell\config\command

Wed Sep 15 10:30:40 2004 => Scanning HKCR\regfile\shell\open\command

Wed Sep 15 10:30:40 2004 => ***** Scanning INI Files *****
Wed Sep 15 10:30:40 2004 => looking for Run
Wed Sep 15 10:30:40 2004 => looking for Load
Wed Sep 15 10:30:40 2004 => looking for system.ini shell entry
Wed Sep 15 10:30:40 2004 => Scanning File C:\WINDOWS\Explorer.exe
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\SYSTEM\mmsystem.dll

Wed Sep 15 10:30:41 2004 => ***** Scanning StartUp Folders *****

Wed Sep 15 10:30:41 2004 => ***** Scanning C:\WINDOWS\Startmenü\Programme\Autostart Folder *****
Wed Sep 15 10:30:41 2004 => Scanning Folder: C:\WINDOWS\Startmenü\Programme\Autostart\*.*
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\Startmenü\Programme\Autostart\Microsoft Office.lnk
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\Startmenü\Programme\Autostart\JanaAdmin.exe.lnk

Wed Sep 15 10:30:41 2004 => ***** Scanning C:\WINDOWS\All Users\Startmenü\Programme\Autostart Folder *****
Wed Sep 15 10:30:41 2004 => Scanning Folder: C:\WINDOWS\All Users\Startmenü\Programme\Autostart\*.*

Wed Sep 15 10:30:41 2004 => ***** Scanning Service Files *****
Wed Sep 15 10:30:41 2004 => Scanning HKLM\SYSTEM\CurrentControlSet\Services
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\System32\Drivers\wdmfs.sys
Wed Sep 15 10:30:41 2004 => ERROR!!! Invalid Entry \SystemRoot\System\atmarpc.sys in SYSTEM\CurrentControlSet\Services\ATMARPC...
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\system32\drivers\rt.sys
Wed Sep 15 10:30:41 2004 => Scanning File C:\WINDOWS\SYSTEM\PSTORES.EXE

Wed Sep 15 12:38:07 2004 => ***** Scanning complete. *****

Wed Sep 15 12:38:07 2004 => Total Number of Files Scanned: 37677
Wed Sep 15 12:38:07 2004 => Total Number of Virus(es) Found: 6
Wed Sep 15 12:38:07 2004 => Total Number of Disinfected Files: 0
Wed Sep 15 12:38:07 2004 => Total Number of Files Renamed: 0
Wed Sep 15 12:38:07 2004 => Total Number of Deleted Files: 5
Wed Sep 15 12:38:07 2004 => Total Number of Errors: 1
Wed Sep 15 12:38:07 2004 => Time Elapsed: 02:02:12
Wed Sep 15 12:38:07 2004 => Virus Database Date: 2004/09/08
Wed Sep 15 12:38:07 2004 => Virus Database Count: 103474

Wed Sep 15 12:38:07 2004 => Scan Completed.

nasket 15.09.2004 13:11

The HiJack log

Logfile of HijackThis v1.98.2
Scan saved at 13:42:58, on 15.9.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAMME\JANA2\JANAD95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\JANA2\JANAADMIN.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsp.at/rpi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\RunServices: [Janad95] C:\PROGRAMME\JANA2\JANAD95.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: JanaAdmin.exe.lnk = C:\Programme\Jana2\JanaAdmin.exe

Unfortunately, the whole procedure has not achieved anything so far: after carrying out the steps and rebooting, the PC dialed in and within 1 minute the trojan was loaded again.

Thanks for further tips

MountainKing 15.09.2004 13:20

Did you do it in Safe Mode? Unfortunately, the eScan log does not show WHAT exactly it found and deleted; the names of the malware would be important and should be found in the log file.

nasket 15.09.2004 13:31

Safe Mode - yes, System Restore - disabled.

The findings were:
Wed Sep 15 10:35:15 2004 => File C:\WINDOWS\SYSTEM\winhex32xx.wrm infected by "I-Worm.Sober.f" Virus. Action Taken: File Deleted.
Wed Sep 15 10:36:27 2004 => File C:\WINDOWS\SYSTEM\winsys32xx.zzp infected by "I-
Wed Sep 15 11:54:44 2004 => Scanning File C:\Programme\AVPersonal\INFECTED\MSUPDATE.VIR
Wed Sep 15 11:54:46 2004 => File C:\Programme\AVPersonal\INFECTED\MSUPDATE.VIR infected by "Worm.Win32.Protoride.ab" Virus. Action Taken: File Deleted.

Wed Sep 15 11:54:46 2004 => Scanning File C:\Programme\AVPersonal\INFECTED\DIRLOG.VIR
Wed Sep 15 11:54:47 2004 => File C:\Programme\AVPersonal\INFECTED\DIRLOG.VIR infected by "I-Worm.Sober.f" Virus. Action Taken: File Deleted.

Wed Sep 15 11:54:47 2004 => Scanning File C:\Programme\AVPersonal\INFECTED\msupdate.VIR00
Wed Sep 15 11:54:49 2004 => File C:\Programme\AVPersonal\INFECTED\msupdate.VIR00 infected by "Worm.Win32.Protoride.ab" Virus. Action Taken: File Deleted.Worm.Sober.f" Virus. Action Taken: File Deleted.
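
The detection names asked for above sit in mwav.log among thousands of "Scanning File" lines. As an added example (not part of the original thread and not eScan's own tooling), this Python script extracts the "infected by" lines in the format quoted in the posts, sets truncated ones aside, and compares the count with the log's "Total Number of Virus(es) Found" line. The sample log is constructed from lines posted in the thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the mwav.log line format quoted in this thread
# (the third line is cut off on purpose, like one of the posted lines).
SAMPLE_LOG = r'''
Wed Sep 15 10:35:14 2004 => Scanning File C:\WINDOWS\SYSTEM\winhex32xx.wrm
Wed Sep 15 10:35:15 2004 => File C:\WINDOWS\SYSTEM\winhex32xx.wrm infected by "I-Worm.Sober.f" Virus. Action Taken: File Deleted.
Wed Sep 15 10:36:27 2004 => File C:\WINDOWS\SYSTEM\winsys32xx.zzp infected by "I-
Wed Sep 15 11:54:46 2004 => File C:\Programme\AVPersonal\INFECTED\MSUPDATE.VIR infected by "Worm.Win32.Protoride.ab" Virus. Action Taken: File Deleted.
Wed Sep 15 12:38:07 2004 => Total Number of Virus(es) Found: 6
'''

# "<ctime-style timestamp> => <message>"
LINE = re.compile(r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) => (?P<msg>.*)$')
# Complete detection message: path, malware name, action taken
HIT = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
                 r'Action Taken: (?P<action>[^.]+)\.')
TOTAL = re.compile(r'^Total Number of Virus\(es\) Found: (?P<n>\d+)')


def parse_mwav(text):
    """Return (detections, malformed_lines, reported_total) for mwav.log text."""
    detections, malformed, total = [], [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank or non-log line
        msg = m["msg"]
        hit = HIT.match(msg)
        if hit:
            detections.append({"time": m["ts"], **hit.groupdict()})
        elif " infected by " in msg:
            malformed.append(raw.strip())  # detection line that was cut off
        else:
            t = TOTAL.match(msg)
            if t:
                total = int(t["n"])
    return detections, malformed, total


def summarize(text):
    """Count detections per name and report how many the excerpt is missing."""
    detections, malformed, total = parse_mwav(text)
    names = Counter(d["name"] for d in detections)
    unaccounted = None if total is None else total - len(detections) - len(malformed)
    return {"names": dict(names), "malformed": len(malformed),
            "reported_total": total, "unaccounted": unaccounted}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero "unaccounted" value means the pasted excerpt does not contain every detection the scanner counted, so the full log is needed before drawing conclusions.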

MountainKing 15.09.2004 13:39

Hm, get www.clearprog.de and clean out all temporary files, including the Internet files. Does the trojan load only after you open IE, or also with a plain online connection, without a browser? What are your settings for active content in the Internet Options (VBS, Active Scripting, ActiveX)?

nasket 15.09.2004 20:45

Thanks for the advice; unfortunately none of it helped. Locked down the IE settings completely, nothing allowed; worked with ClearProg, ...
The trojan always appeared shortly after the connection was established (without Explorer). I am in the process of reinstalling the system. Still - THANKS


All times are WET +1. The time is now 00:25.
