Pests of all kinds and how to fight them: TR/Agent.BI and HTML/Exploit.Mh.B.1 |
23.04.2005, 16:58 | #1 |
| Since this morning AntiVir has been reporting TR/Agent.BI again and again. Once also HTML/Exploit.Mh.B.1. ZoneAlarm keeps reporting that apidj32.exe is trying to access the Internet. I suspect that this .exe is connected to the trojan. I'm not very good with computers myself and therefore urgently need help. Thanks in advance! Woidl |
23.04.2005, 17:15 | #2 |
Administrator, ret. | Hello woidl, please create a HijackThis log file with the help of this illustrated guide and post it here. Please make personal information, such as your user name and the like, unrecognizable. |
23.04.2005, 17:47 | #3 |
| Hello Cidre! Here is the HJT log file. I hope I did everything right. Can you read anything from it?
Logfile of HijackThis v1.99.0
Scan saved at 18:38:47, on 23.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
E:\programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\apidj32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rkzax.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {283715D8-4B32-91ED-58C5-CDF8C4F6A0D0} - C:\WINDOWS\sdkbp32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [iegs32.exe] C:\WINDOWS\system32\iegs32.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOKUME~1\Walter\LOKALE~1\Temp\7.tmp.exe 3 10001
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Programme\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [apidj32.exe] C:\WINDOWS\apidj32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\winbx32.exe (file missing)
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe |
23.04.2005, 18:02 | #4 |
| That doesn't look good. Please download eScan: http://www.trojaner-board.de/42731-escan-anleitung.html Please follow the given instructions exactly as they are written. Let us know the result; for that, also save this file to your hard disk via right-click -> "Save target as...". Run it after the scan with eScan (double-click). Afterwards you should find the file C:\eScan_neu.txt on your hard disk. Please then post the contents of this file in this thread.
__________________ Only cronos endures |
24.04.2005, 08:26 | #5 |
| Hello, I carried out everything according to the instructions. Below is the content of eScan_neu.txt. Looks bad - what do I do now? Thanks and regards, Woidl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 00:03:28 2005 => File C:\WINDOWS\sdkbp32.dll infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:36 2005 => File C:\WINDOWS\apidj32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => System found infected with cydoor Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => File System Found infected by "cydoor Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => System found infected with sw Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => File System Found infected by "sw Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => System found infected with se Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => File System Found infected by "se Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => System found infected with hsa Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 00:03:46 2005 => File System Found infected by "hsa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:48 2005 => File C:\WINDOWS\jxdrye.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:03:50 2005 => File C:\WINDOWS\jzidoy.dat infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:14:35 2005 => File C:\WINDOWS\jxdrye.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:15:23 2005 => File C:\WINDOWS\jzidoy.dat infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:21:20 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temp\cd_clint.dll infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:22:24 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AWYWYWKR\gxbplug[1].dll infected by "not-a-virus:AdWare.GXB.a" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:41:15 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 00:49:04 2005 => File E:\Treiber u Utilities\Musikprogramme\KaZaa\KaZaa_exe\kmd161_de.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:49:06 2005 => File E:\Treiber u Utilities\Musikprogramme\KaZaa\KaZaa_exe\kmd171gu_de.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 00:58:07 2005 => Total Disinfected Files: 0
Sun Apr 24 08:17:38 2005 => File C:\WINDOWS\sdkbp32.dll infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:46 2005 => File C:\WINDOWS\apidj32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => System found infected with cydoor Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => File System Found infected by "cydoor Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => System found infected with sw Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => File System Found infected by "sw Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => System found infected with se Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => File System Found infected by "se Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => System found infected with hsa Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 08:17:56 2005 => File System Found infected by "hsa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:17:58 2005 => File C:\WINDOWS\jxdrye.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:18:00 2005 => File C:\WINDOWS\jzidoy.dat infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:28:46 2005 => File C:\WINDOWS\jxdrye.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:29:36 2005 => File C:\WINDOWS\jzidoy.dat infected by "Trojan-Downloader.Win32.Agent.lz" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:35:57 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temp\cd_clint.dll infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:37:04 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AWYWYWKR\gxbplug[1].dll infected by "not-a-virus:AdWare.GXB.a" Virus. Action Taken: No Action Taken.
Sun Apr 24 08:56:25 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 09:04:08 2005 => File E:\Treiber u Utilities\Musikprogramme\KaZaa\KaZaa_exe\kmd161_de.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 09:04:10 2005 => File E:\Treiber u Utilities\Musikprogramme\KaZaa\KaZaa_exe\kmd171gu_de.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 09:13:21 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 00:37:36 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 00:44:57 2005 => File C:\j2sdk1.4.2\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 00:45:18 2005 => File C:\j2sdk1.4.2\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 00:48:34 2005 => File E:\Treiber u Utilities\Musikprogramme\napv2b7.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Sun Apr 24 08:52:34 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 09:00:00 2005 => File C:\j2sdk1.4.2\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 09:00:21 2005 => File C:\j2sdk1.4.2\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 09:03:38 2005 => File E:\Treiber u Utilities\Musikprogramme\napv2b7.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 00:58:07 2005 => Total Virus(es) Found: 19
Sun Apr 24 09:13:21 2005 => Total Virus(es) Found: 19
Sun Apr 24 00:58:07 2005 => Total Errors: 6
Sun Apr 24 09:13:21 2005 => Total Errors: 2
Sun Apr 24 00:58:07 2005 => Time Elapsed: 00:55:05
Sun Apr 24 09:13:21 2005 => Time Elapsed: 00:56:09
Sun Apr 24 00:58:07 2005 => Total Objects Scanned: 52104
Sun Apr 24 09:13:21 2005 => Total Objects Scanned: 52097
Sun Apr 24 00:02:23 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 00:58:07 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 01:20:51 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 08:16:43 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 09:13:21 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 09:18:33 2005 => Virus Database Date: 2005/04/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~ |
24.04.2005, 09:02 | #6 |
| @woidl Quote:
Quote:
This cleanup program helps you remove all the junk from the temp folders and the recycle bin. Empty the folder C:\Programme\AVPersonal\INFECTED\*.*. Then repeat eScan. |
24.04.2005, 10:57 | #7 |
| Before scanning again with eScan, please delete the old mwav.log! |
24.04.2005, 19:52 | #8 |
| OK, I have now done everything exactly like that. Here is the content of the current eScan_neu.txt. It looks as if something is still there, although Spybot S&D no longer finds anything. Any other ideas? Thanks and regards, Woidl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 19:27:15 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with sw Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "sw Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with se Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "se Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with hsa Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "hsa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:45:13 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temp\cd_clint.dll infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:46:20 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AWYWYWKR\gxbplug[1].dll infected by "not-a-virus:AdWare.GXB.a" Virus. Action Taken: No Action Taken.
Sun Apr 24 20:05:25 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 20:22:11 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 20:01:39 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 20:08:57 2005 => File C:\j2sdk1.4.2\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 20:09:19 2005 => File C:\j2sdk1.4.2\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 20:22:11 2005 => Total Virus(es) Found: 9
Sun Apr 24 20:22:11 2005 => Total Errors: 11
Sun Apr 24 20:22:11 2005 => Time Elapsed: 01:00:33
Sun Apr 24 20:22:11 2005 => Total Objects Scanned: 52410
Sun Apr 24 19:21:27 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 20:22:11 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 20:44:43 2005 => Virus Database Date: 2005/04/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~ |
24.04.2005, 20:02 | #9 |
| @woidl Empty the quarantine folder of the AV scanner. Empty your TIFs (Temporary Internet Files). Empty these folders:
C:\Dokumente und Einstellungen\*Benutzername*\Lokale Einstellungen\Temp
C:\WINDOWS\Downloaded Program Files
C:\Dokumente und Einstellungen\*Benutzername*\Lokale Einstellungen\Temporary Internet Files
Download Adaware, update it and let it scan in safe mode (download), then reboot. chaosman
__________________ Bonus vir semper tiro |
24.04.2005, 21:23 | #10 |
| Hi, I did everything as described. I also emptied all the 'temp' and 'temporary internet files' folders as well as the AV quarantine folder. Below is the current eScan_neu.txt. It is getting less and less, but it still does not seem to be completely virus-free. When the computer restarts, IE also always starts, although I cannot find any autostart entry. I hope someone still has advice. Thanks + regards, Woidl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 19:27:15 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with sw Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "sw Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with se Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "se Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with hsa Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => File System Found infected by "hsa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:45:13 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temp\cd_clint.dll infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 19:46:20 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AWYWYWKR\gxbplug[1].dll infected by "not-a-virus:AdWare.GXB.a" Virus. Action Taken: No Action Taken.
Sun Apr 24 20:05:25 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 20:22:11 2005 => Total Disinfected Files: 0
Sun Apr 24 21:44:39 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 21:44:39 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 22:03:47 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 22:13:19 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 20:01:39 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 20:08:57 2005 => File C:\j2sdk1.4.2\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 20:09:19 2005 => File C:\j2sdk1.4.2\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 22:00:36 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 22:06:20 2005 => File C:\j2sdk1.4.2\demo\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 22:06:32 2005 => File C:\j2sdk1.4.2\demo\plugin\applets\BarChart\BarChart.class tagged as not-a-virus:JavaClass.Chart. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Apr 24 20:22:11 2005 => Total Virus(es) Found: 9
Sun Apr 24 22:13:19 2005 => Total Virus(es) Found: 4
Sun Apr 24 20:22:11 2005 => Total Errors: 11
Sun Apr 24 22:13:19 2005 => Total Errors: 13
Sun Apr 24 20:22:11 2005 => Time Elapsed: 01:00:33
Sun Apr 24 22:13:19 2005 => Time Elapsed: 00:29:14
Sun Apr 24 20:22:11 2005 => Total Objects Scanned: 52410
Sun Apr 24 22:13:19 2005 => Total Objects Scanned: 31303
Sun Apr 24 19:21:27 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 20:22:11 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 20:44:43 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 21:43:53 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 22:13:19 2005 => Virus Database Date: 2005/04/24
Sun Apr 24 22:13:29 2005 => Virus Database Date: 2005/04/24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~ |
26.04.2005, 17:52 | #11 |
| Hi, me again. Does anyone have an idea yet how I can get rid of these pests? Or is reinstalling the only thing that helps now anyway? Please help - thanks. Woidl |
26.04.2005, 19:07 | #12 |
| Delete the old mwav.log and scan again. Probably nothing at all will be found anymore. |
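The advice in posts #7 and #12 matters because the eScan_neu.txt in post #10 still lists the 19:27 findings of the previous scan next to the 21:44 ones. As an added example (not part of the original thread), this Python script splits such an accumulated log into scan runs and reports what the latest run alone found; the function names and the rule that each "Total Virus(es) Found" timestamp closes one run are assumptions, and the sample is an excerpt of lines posted above.

```python
import re
from datetime import datetime

# Excerpt of the accumulated log from post #10 (lines copied from the thread,
# section headers shortened).
SAMPLE = r'''
Sun Apr 24 19:27:15 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 19:27:15 2005 => System found infected with sw Spyware/Adware! Action taken: No Action Taken.
Sun Apr 24 19:45:13 2005 => File C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temp\cd_clint.dll infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
Sun Apr 24 20:05:25 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Sun Apr 24 20:22:11 2005 => Total Disinfected Files: 0
Sun Apr 24 21:44:39 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Sun Apr 24 21:44:39 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
Sun Apr 24 22:13:19 2005 => Total Disinfected Files: 0
~~~ Funde für "tagged" ~~~
Sun Apr 24 20:01:39 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
Sun Apr 24 22:00:36 2005 => File C:\Programme\Gemeinsame Dateien\Java\Update\Base Images\j2sdk1.4.2-b28\demos.zip tagged as not-a-virus:JavaClass.Chart. No Action Taken.
~~~ Statistiken: ~~~
Sun Apr 24 20:22:11 2005 => Total Virus(es) Found: 9
Sun Apr 24 22:13:19 2005 => Total Virus(es) Found: 4
'''

# ctime-style timestamp followed by "=>", as used on every log entry above.
STAMP = re.compile(
    r'((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}) => ')
FINDING = re.compile(r'infected (?:by|with)|tagged as')


def entries(text):
    """Yield (timestamp, message); works on one-entry-per-line and flattened text."""
    marks = list(STAMP.finditer(text))
    for mark, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        # Cut off a section header ("~~~ ... ~~~") that follows the entry.
        msg = text[mark.end():end].split('~~~', 1)[0].strip()
        yield datetime.strptime(mark.group(1), '%a %b %d %H:%M:%S %Y'), msg


def split_runs(text):
    """Map each run's end time to its findings (assumed run boundary: statistics line)."""
    items = sorted(entries(text), key=lambda e: e[0])
    ends = sorted({ts for ts, msg in items if msg.startswith('Total Virus(es) Found:')})
    runs = {end: [] for end in ends}
    for ts, msg in items:
        if FINDING.search(msg):
            owner = next((end for end in ends if ts <= end), None)
            if owner is not None:  # findings after the last statistics line are skipped
                runs[owner].append(msg)
    return runs


def latest_run_findings(text):
    """Findings of the most recent scan only, de-duplicated, in log order."""
    runs = split_runs(text)
    return list(dict.fromkeys(runs[max(runs)])) if runs else []


def stale_findings(text):
    """Findings that appear only in older runs, i.e. leftovers of the old log."""
    runs = split_runs(text)
    if not runs:
        return []
    latest = set(runs[max(runs)])
    older = [m for end in sorted(runs) if end != max(runs) for m in runs[end]]
    return [m for m in dict.fromkeys(older) if m not in latest]


if __name__ == '__main__':
    print('Latest run:')
    for msg in latest_run_findings(SAMPLE):
        print('  ', msg)
    print('Only in older runs:')
    for msg in stale_findings(SAMPLE):
        print('  ', msg)
```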
30.04.2005, 06:53 | #13 |
| Hi folks, I have the same trojan. This is what came out of HijackThis, please help.
------------------------
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\apitx.exe
D:\Programme\AVPersonal\AVGUARD.EXE
D:\Programme\AVPersonal\AVWUPSRV.EXE
D:\WINDOWS\Explorer.EXE
D:\Programme\VIAudioi\SBADeck\ADeck.exe
D:\Programme\D-Tools\daemon.exe
D:\Programme\Java\jre1.5.0_02\bin\jusched.exe
D:\Programme\AVPersonal\AVGNT.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Programme\Messenger\msmsgs.exe
D:\Programme\MSN Messenger\MsnMsgr.Exe
D:\Programme\MicroStar\WLANUtility\WlanUtility.exe
D:\WINDOWS\system32\ntvdm.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Programme\Crazy Browser\Crazy Browser.exe
D:\Programme\Windows Media Player\wmplayer.exe
D:\Dokumente und Einstellungen\Burhan.DIRTY-62IRCA2VW\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\fpfea.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E2AAE708-7C06-EB89-99CD-EE6A96283C8C} - D:\WINDOWS\system32\apiab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll (file missing)
O4 - HKLM\..\Run: [AudioDeck] D:\Programme\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1031
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Crazy Browser.exe] D:\Programme\Crazy Browser\Crazy Browser.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WlanUtility.lnk = D:\Programme\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - D:\WINDOWS\system32\apitx.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE |
30.04.2005, 08:52 | #14 |
| @redbull55 Quote:
|
27.07.2007, 08:52 | #15 |
| AntiVir reported today that I have TR/Agent.BYZ. Google only finds TR/Agent.BI, so I wanted to ask whether that is the same one? If so, I don't need to start a new thread for it... Thxalot |