Trojaners Smitfraud.c aka Troj/FakeAle-c (cidre help me)

veet · 16.06.2005, 17:38

Hier der HJT log

Logfile of HijackThis v1.99.1
Scan saved at 17:19:49, on 16.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Programme\Alwil Software\Avast4\aswUpdSv.exe
H:\Programme\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Programme\Alwil Software\Avast4\ashMaiSv.exe
H:\Programme\Alwil Software\Avast4\ashWebSv.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\taskmgr.exe
H:\WINDOWS\system32\wscntfy.exe
P:\stuff\hijackthis\HijackThis.exe

O3 - Toolbar: News Ticker - {05F8C4F5-7CCF-4129-B221-B2B4CFC589DA} - H:\Programme\NewsTicker\Ticker.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] H:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] H:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] H:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] H:\Programme\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [RefreshLock] H:\Programme\refreshlock\RefreshLock.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PSGuard] H:\Programme\PSGuard\PSGuard.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "H:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "H:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "h:\programme\valve\steam\steam.exe" -silent
O4 - Startup: Ruhezeiten vorziehen.bat
O4 - Startup: WetterStation².lnk = ?
O8 - Extra context menu item: &Suche im Duden - res://H:\Programme\Duden-Suche Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - H:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - H:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Guru News Reader - {9025F70D-DB4B-4312-982B-8FE916987ED8} - H:\Programme\NewsTicker\Ticker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O16 - DPF: {54C75FB0-6B8B-4278-BF7B-77036F15A69E} - http://akamai.downloadv3.com/binarie...1041_EN_XP.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - H:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - H:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - H:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - H:\Programme\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - H:\Programme\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe

und hier der eScan log, hoffe ihr könnt mir helfen

Thu Jun 16 18:16:00 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Thu Jun 16 18:16:01 2005 => System found infected with Bargain Buddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3})! Action taken: No Action Taken.
Thu Jun 16 18:16:01 2005 => Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:01 2005 => System found infected with Bargain Buddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed15678})! Action taken: No Action Taken.
Thu Jun 16 18:16:01 2005 => Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:02 2005 => System found infected with Bargain Buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e5678})! Action taken: No Action Taken.
Thu Jun 16 18:16:02 2005 => Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:02 2005 => System found infected with Bargain Buddy Spyware/Adware ({f4e04583-354e-4076-be7d-ed6a80fd66da})! Action taken: No Action Taken.
Thu Jun 16 18:16:02 2005 => Object "Bargain Buddy Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:03 2005 => Offending Folder H:\PROGRA~1\sidefind present...
Thu Jun 16 18:16:03 2005 => Object "sidefind Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:04 2005 => Offending Folder H:\PROGRA~1\istsvc present...
Thu Jun 16 18:16:04 2005 => Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:04 2005 => Offending value found in HKLM\Software\powerscan !!!
Thu Jun 16 18:16:04 2005 => Object "powerscan Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:04 2005 => Offending Folder H:\PROGRA~1\BULLSE~1 present...
Thu Jun 16 18:16:04 2005 => Object "BullsEye Network Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:04 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Thu Jun 16 18:16:04 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:05 2005 => System found infected with eZula Spyware/Adware (exclean.exe)! Action taken: No Action Taken.
Thu Jun 16 18:16:05 2005 => Object "eZula Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 18:16:07 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Thu Jun 16 18:16:08 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "H:\WINDOWS\eg_auth_1041.dll". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\BDA.cab". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\BDANT.cab". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\BDAXP.cab". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\DSETUP.dll". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\DirectX.cab". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\ManagedDX.CAB". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\dsetup32.dll". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\dxnt.cab". Action Taken: No Action Taken.

Thu Jun 16 18:16:09 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\DOKUME~1\Ersch\LOKALE~1\Temp\{256F319A-AEA5-481F-829A-2CEF51A91FDA}\{8421F058-CB2D-4BCE-B487-4A559DE70173}\DirectX9\dxsetup.exe". Action Taken: No Action Taken.

Thu Jun 16 18:16:10 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\WINDOWS\eg_auth_1041.dll". Action Taken: No Action Taken.

Thu Jun 16 18:16:27 2005 => Entry "HKCR\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA}" refers to invalid object "H:\WINDOWS\system32\msbe.dll". Action Taken: No Action Taken.

Thu Jun 16 18:16:31 2005 => Entry "HKCR\AcroIEHelper.AcroIEHlprObj" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.

Thu Jun 16 18:16:31 2005 => Entry "HKCR\AcroIEHelper.AcroIEHlprObj.1" refers to invalid object "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}". Action Taken: No Action Taken.

Thu Jun 16 18:16:37 2005 => Entry "HKCR\IEFlash.IEFlash" refers to invalid object "{E5A1691B-D188-4419-AD02-90002030B8EE}". Action Taken: No Action Taken.

Thu Jun 16 18:20:01 2005 => Checking for Welchia Virus...
Thu Jun 16 18:20:02 2005 => Checking for LovGate Virus...
Thu Jun 16 18:20:02 2005 => Checking for CodeRed Virus...
Thu Jun 16 18:20:02 2005 => Checking for OpaServ Virus...
Thu Jun 16 18:20:02 2005 => Checking for Sobig.e Virus...
Thu Jun 16 18:20:03 2005 => Checking for Winupie Virus...
Thu Jun 16 18:20:03 2005 => Checking for Swen Virus...
Thu Jun 16 18:20:03 2005 => Checking for JS.Fortnight Virus...
Thu Jun 16 18:20:03 2005 => Checking for Novarg Virus...
Thu Jun 16 18:20:03 2005 => Checking for Pagabot Virus...
Thu Jun 16 18:20:04 2005 => Checking for Parite.b Virus...
Thu Jun 16 18:20:04 2005 => Checking for Parite.a Virus...
Thu Jun 16 18:20:04 2005 => Checking for Adware.SeekSeek Virus...

Thu Jun 16 18:20:04 2005 => ***** Scanning complete. *****

Thu Jun 16 18:20:04 2005 => Total Objects Scanned: 10194
Thu Jun 16 18:20:04 2005 => Total Virus(es) Found: 14
Thu Jun 16 18:20:05 2005 => Total Disinfected Files: 0
Thu Jun 16 18:20:05 2005 => Total Files Renamed: 0
Thu Jun 16 18:20:05 2005 => Total Deleted Objects: 0
Thu Jun 16 18:20:05 2005 => Total Errors: 17
Thu Jun 16 18:20:05 2005 => Time Elapsed: 00:05:46
Thu Jun 16 18:20:05 2005 => Virus Database Date: 2005/06/13
Thu Jun 16 18:20:06 2005 => Virus Database Count: 134428

Thu Jun 16 18:20:06 2005 => Scan Completed.

wie bekomm ich die gefunden viren wech ? also eScan möcht ich nicht unbedingt kaufen

um das entfernen zu können

Cidre · 16.06.2005, 17:45

Hallo veet,

zum einen hast du eScan falsch ausgeführt und zum anderen steht in der Anleitung genau beschrieben, daß du eScan nicht käuflich erwerben mußt, sondern die Malware Dateien mit Alternativ Tools löschen kannst. eScan ist Dank seiner hohen Erkennungsrate leider nur noch für eine vernünftige Analyse zu gebrauchen und deshalb unersetzlich.

Führe einen erneuten Scan aus, diesmal richtig und die Anleitung lesen, und poste die Virus Log Information, lösche aber zuvor die mwav.log.

cronos · 16.06.2005, 19:34

@ veet

Wenn du tatsächlich meinen Thread abgearbeitet hast und noch zu keiner Lösung gekommen bist, lies mal diesen Thread, poste aber zunächst die korrekten Escan Ergebnisse:

http://www.trojaner-board.de/showthread.php?t=18970

veet · 18.06.2005, 12:21

ok hab alles nochmal gescannt, so sieht es nun bei mir aus

Logfile of HijackThis v1.99.1
Scan saved at 10:09:54, on 18.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\Explorer.EXE
P:\stuff\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: News Ticker - {05F8C4F5-7CCF-4129-B221-B2B4CFC589DA} - H:\Programme\NewsTicker\Ticker.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] H:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] H:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] H:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] H:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] H:\Programme\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [RefreshLock] H:\Programme\refreshlock\RefreshLock.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Ad-aware] "H:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - H:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - H:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Guru News Reader - {9025F70D-DB4B-4312-982B-8FE916987ED8} - H:\Programme\NewsTicker\Ticker.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programme\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - H:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - H:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - H:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - H:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\glaub mich tritt ein Pferd\hacktools\nvsvc32.exe" /service (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - H:\Programme\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - H:\Programme\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe

hier die eScan_neu

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Sat Jun 18 10:38:05 2005 => System found infected with Bargain Buddy Spyware/Adware ({4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3})! Action taken: No Action Taken.
Sat Jun 18 10:38:05 2005 => System found infected with Bargain Buddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed15678})! Action taken: No Action Taken.
Sat Jun 18 10:38:05 2005 => System found infected with Bargain Buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e5678})! Action taken: No Action Taken.
Sat Jun 18 10:38:05 2005 => System found infected with Bargain Buddy Spyware/Adware ({f4e04583-354e-4076-be7d-ed6a80fd66da})! Action taken: No Action Taken.
Sat Jun 18 10:38:24 2005 => System found infected with eZula Spyware/Adware (exclean.exe)! Action taken: No Action Taken.
Sat Jun 18 10:39:11 2005 => File H:\WINDOWS\uninstIU.exe infected by "Trojan.Win32.Agent.eo" Virus! Action Taken: No Action Taken.
Sat Jun 18 10:39:17 2005 => File H:\WINDOWS\p2esocks_1041.dll infected by "Trojan.Win32.P2E.bt" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:12:12 2005 => File D:\System Volume Information\_restore{AF9EA7D1-C8D6-4EC4-8936-AD95973B7274}\RP14\A0004454.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:19:12 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP47\A0067061.rbf infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:19:19 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP47\A0067130.rbf infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:19:50 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP48\A0067335.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:19:50 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP48\A0067337.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:21:22 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP50\A0074698.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:21:23 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP50\A0074707.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:21:49 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP52\A0078776.exe infected by "Trojan-Downloader.Win32.IstBar.gm" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:22:02 2005 => File D:\System Volume Information\_restore{E4CB43AB-CE11-4100-BBBE-361548E290DF}\RP31\A0027544.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:22:03 2005 => File D:\System Volume Information\_restore{E4CB43AB-CE11-4100-BBBE-361548E290DF}\RP31\A0027556.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
Sat Jun 18 11:22:03 2005 => File D:\System Volume Information\_restore{E4CB43AB-CE11-4100-BBBE-361548E290DF}\RP31\A0027557.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Sat Jun 18 10:42:06 2005 => File H:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
Sat Jun 18 11:09:14 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd1.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Sat Jun 18 11:10:07 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd1426.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Sat Jun 18 11:10:07 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd1427.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Sat Jun 18 11:10:24 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Sat Jun 18 11:10:26 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd211.INT tagged as "not-a-virus:AdWare.Gator.4203". Action Taken: No Action Taken.
Sat Jun 18 11:10:26 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd212.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:26 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd213.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:26 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd214.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
Sat Jun 18 11:10:27 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd215.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:27 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd216.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
Sat Jun 18 11:10:27 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd217.INT tagged as "not-a-virus:AdWare.Gator.5017". Action Taken: No Action Taken.
Sat Jun 18 11:10:27 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd218.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:28 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd222.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:28 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd223.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:28 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd224.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:29 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd225.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:29 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd226.INT tagged as "not-a-virus:AdWare.Gator.3124". Action Taken: No Action Taken.
Sat Jun 18 11:10:29 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd227.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:29 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd228.INT tagged as "not-a-virus:AdWare.Gator.6041". Action Taken: No Action Taken.
Sat Jun 18 11:10:30 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd229.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:30 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd230.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:30 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd231.INT tagged as "not-a-virus:AdWare.Gator.6051". Action Taken: No Action Taken.
Sat Jun 18 11:10:30 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd232.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:31 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd233.INT tagged as "not-a-virus:AdWare.Gator.5115". Action Taken: No Action Taken.
Sat Jun 18 11:10:39 2005 => File D:\RECYCLER\S-1-5-21-299502267-1425521274-839522115-1003\Dd3.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Sat Jun 18 11:12:08 2005 => File D:\sk8te\[sv]script2.61\[sv]script2.61\[sv]script2.61\[sv]script.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.03. No Action Taken.
Sat Jun 18 11:14:05 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP45\A0058862.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.03. No Action Taken.
Sat Jun 18 11:15:15 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP46\A0063138.exe tagged as "not-a-virus:AdWare.Altnet.l". Action Taken: No Action Taken.
Sat Jun 18 11:15:58 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP47\A0065432.exe tagged as "not-a-virus:AdWare.Gator.4203". Action Taken: No Action Taken.
Sat Jun 18 11:19:50 2005 => File D:\System Volume Information\_restore{B54E6343-DF5D-43C8-B780-10EDACD20EFF}\RP48\A0067336.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Sat Jun 18 10:36:49 2005 => Virus Database Date: 2005/06/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

musste die eScan neu ein wenig SCHNEIDEN weil so viele sich im Ordner D:\System Volume Information\..... befinden

ansonsten ist alles original, bitte helft mir

dartus · 19.06.2005, 00:27

Hallo,

wechsel in den abgesicherten Modus bei deaktvierter Systemwiederherstellung (http://www.systemwiederherstellung-d...indows-xp.html) und fixe (Scan mit HJT, Häckchen vor Eintrag und auf fix checked klicken);

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

Lösche manuell:
H:\WINDOWS\uninstIU.exe
H:\WINDOWS\p2esocks_1041.dll

Leere Deinen Papierkorb

Neustart --> Systemwiederherstellung kann wieder aktiviert werden (durch die Deaktivierung werden sämtliche "System Volume Information\_restore" gelöscht).

Bereinige Deine Registry mit Regseeker . Das Häckchen "Sichern vor Löschen" bitte setzen, wenn nicht vorhanden.

dartus

Trojaners Smitfraud.c aka Troj/FakeAle-c (cidre help me)

Plagegeister aller Art und deren Bekämpfung: Trojaners Smitfraud.c aka Troj/FakeAle-c (cidre help me)