Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 15.07.2008, 22:06   #1
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Hallo,

bräuchte dringend Hilfe bei der Bekämpfung der im Titel genannten Trojaner... Habe über AntiVir schon mehrmals einen Durchlauf gestartet und bei Warnmeldungen des Guard versucht in Quarantäne zu verschieben, den Zugriff zu verweigern bzw zu Löschen.. Allerdings geht das alles anscheinend nicht, die Meldungen kommen sofort wieder..

Der Pfad für die Funde ist beim:
TR/Crypt:XPACK.Gen C:\Users\***\AppData\Local\Temp\qsivlial.dll
TR/Vundo.Gen C:\Users\***\AppData\Local\...\css4[2]
TR/Monder.alx C:\Users\***\AppData\Local\...\labqaass.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:14, on 15.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://alice.aol.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dll",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - h**p://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - h**p://www.dwnldietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - h**p://www.dwnldietool.com/redirect.php (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10680 bytes

Mein System:
MS Windows Vista SP1
Intel Core2 Duo CPU E4500 @2.20GHz, 2,2GB RAM, NVIDIA GeForce 8400 GS

Jetzt kam gerade noch eine Meldung vom Guard:
TR/Monderb.28288.2 C:\Users\***\AppData\Local\...\efcaWoPi.dll

Denke mal, dass ich noch ne ganze Menge anderen Müll auf dem Rechner habe.. Da ich leider nicht so bewandert bin, wäre ich hierbei für jede Hilfe sehr dankbar..

Gruß

Geändert von MatzeHRo (15.07.2008 um 22:17 Uhr)

Alt 16.07.2008, 09:37   #2
trojan-death
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Hi und

Ja du hast schon ein paar Sachen drauf
Bitte lass als erstes Malwarebytes laufen, lass alles löschen was er findet und poste das Log
Dazu dann bitte auch ein frisches HijackThis Log

edit: Bitte editiere deine Links im HJT Log
__________________

__________________

Alt 16.07.2008, 16:54   #3
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Alles klar danke erstmal.. Also hab das jetzt gemacht...
Hier der Log von Malwarebytes:

Malwarebytes' Anti-Malware 1.20
Datenbank Version: 957
Windows 6.0.6001 Service Pack 1

16:37:31 16.07.2008
mbam-log-7-16-2008 (16-37-31).txt

Scan Art: Komplett Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objekte gescannt: 343140
Scan Dauer: 1 hour(s), 31 minute(s), 25 second(s)

Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 9
Infizierte Registrierungswerte: 3
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 2
Infizierte Dateien: 6

Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)

Infizierte Speicher Module:
(Keine Malware Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99ba268b-4021-4739-9945-3c774217fe75} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7485d71c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.

Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)

Infizierte Verzeichnisse:
C:\Program Files\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.


Und hier der HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:57:05, on 16.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites -
O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9256 bytes

Achso hab die Links jetzt mal komlett rausgenommen, weil ich das irgendwie nicht editiert kriege.. Wenn ich das so mache wie es in der Anleitung steht, erscheinen die ja trotzdem (auch wenn mit **).. Achso, danke nochmal für die schnelle antwort...
__________________

Geändert von MatzeHRo (16.07.2008 um 17:07 Uhr)

Alt 16.07.2008, 17:13   #4
trojan-death
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Ok, soweit so gut
Hast immer noch ne Menge Zeug drauf...

Bitte hol die The Avenger(in meiner Signatur zu finden)
-Speicher es auf dem Desktop
-Starte The Avenger
-Gib im weissen feld folgenden text ein:
Zitat:
files to delete:
C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll
C:\Users\Matze\AppData\Local\Temp\labqaass.dll
folders to delete:
C:\Program Files\NetProject
C:\RecInfo
-drücke nun auf "execute"
-wenn er fragt ob du Neustarten möchtest, antwortest du mit ja
-zum Schluss postest du den Inhalt der C:\Avenger text Datei die dir auch direkt nachdem Neustart geöffnet wird

Fixe mit HijackThis folgende Einträge:
Zitat:
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dl l",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing)
Wenn du die Einträge fixen willst, und bei folgenden auf einmal "file missing" steht, bedeutet dies nichts schlechtes sondern nur das The Avenger gute Arbeit geleistet hat, sprich die Dateien gelöscht hat
---->das ganze sollte bei folgenden Einträgen passieren
Zitat:
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dl l",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
In dem Fall die Einträge fixen

Bitte lade folgende Dateien bei Virustotal hoch und poste das Ergebnis:
Zitat:
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
__________________
Kein Support per PN

Zitat:
"If it ain't broke, don't fix it"
"Never change a running System"

Alt 16.07.2008, 19:06   #5
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Ok hier die text Datei von The Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" not found!
Deletion of file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" not found!
Deletion of file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Program Files\NetProject" not found!
Deletion of folder "C:\Program Files\NetProject" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\RecInfo" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Wenn ich die angegebenen Einträge mit HijackThis fixen will, dann sind da einige gar nicht mehr drinne, nachdem ich erneut einen Scan gemacht habe.. Poste diesen mal:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:59, on 16.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites -
O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9643 bytes

Also hat er folgende Einträge noch:
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

Den Rest wohl nicht mehr... Soll ich diese dann trotzdem fixen Und die anderen beiden Einträge bei Virustotal hochladen?? Danke


Geändert von MatzeHRo (16.07.2008 um 19:14 Uhr)

Alt 17.07.2008, 13:23   #6
trojan-death
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Mach bitte nochmals ein neues HijackThis logfile und poste es
Du hast es wohl bevor du The Avenger hast laufen lassen gemacht
Ich benötige eins nachdem du The Avenger angewendet hast

Die Dateien musst du trozdem auf VirusTotal hochladen und das Ergebnis posten

Dann lässt du aber bevor du ein Log mit HijackThis machst nochmals The Avenger laufen und gibst folgenden text ein:
Zitat:
C:\Users\***\AppData\Local\...\efcaWoPi.dll
musst halt die * und ... ersetzen
__________________
--> Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!

Alt 18.07.2008, 12:39   #7
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



So hier erstmal die Ergebnisse von VirusTotal:

für C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.7.17.0 2008.07.18 -
AntiVir 7.8.0.68 2008.07.18 -
Authentium 5.1.0.4 2008.07.18 W32/HackTool.AYE
Avast 4.8.1195.0 2008.07.18 -
AVG 8.0.0.130 2008.07.18 -
BitDefender 7.2 2008.07.18 -
CAT-QuickHeal 9.50 2008.07.17 AdTool.MyWebSearch.az (Not a Virus)
ClamAV 0.93.1 2008.07.18 Adware.Search-2
DrWeb 4.44.0.09170 2008.07.18 -
eSafe 7.0.17.0 2008.07.17 -
eTrust-Vet 31.6.5965 2008.07.18 -
Ewido 4.0 2008.07.18 -
F-Prot 4.4.4.56 2008.07.18 W32/HackTool.AYE
F-Secure 7.60.13501.0 2008.07.18 AdTool.Win32.MyWebSearch.az
Fortinet 3.14.0.0 2008.07.18 W32/MyWebSearch
GData 2.0.7306.1023 2008.07.18 -
Ikarus T3.1.1.34.0 2008.07.18 -
Kaspersky 7.0.0.125 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az
McAfee 5341 2008.07.18 potentially unwanted program MWS
Microsoft 1.3704 2008.07.18 -
NOD32v2 3278 2008.07.18 Win32/Toolbar.AskSBar
Norman 5.80.02 2008.07.18 -
Panda 9.0.0.4 2008.07.17 -
Prevx1 V2 2008.07.18 -
Rising 20.53.42.00 2008.07.18 -
Sophos 4.31.0 2008.07.18 -
Sunbelt 3.1.1536.1 2008.07.17 -
Symantec 10 2008.07.18 -
TheHacker 6.2.96.381 2008.07.16 Adware/MyWebSearch.az
TrendMicro 8.700.0.1004 2008.07.18 -
VirusBuster 4.5.11.0 2008.07.17 -
Webwasher-Gateway 6.6.2 2008.07.18 -
weitere Informationen
File size: 245760 bytes
MD5...: 59dbfe16aa20144cb11e7fc8b2d21eaa
SHA1..: b4403810c1db8482c5a26b418499a8643e4a6410
SHA256: 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c
SHA512: 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936
477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000eb25
timedatestamp.....: 0x45819f8c (Thu Dec 14 19:01:32 2006)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26d92 0x27000 6.50 06d14cbba9a26ba977ecdd7e3825f2b0
.rdata 0x28000 0x3f31 0x4000 5.89 0e7139b9c1817ab81c376e1cb2a5b0bd
.data 0x2c000 0x2c37 0x2000 4.73 4628324c0af12e567302d475666b04ef
AskTBarS 0x2f000 0x258 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x30000 0x9a58 0xa000 4.92 4cef46525fd59ceb4ec1a33f9237c1f9
.reloc 0x3a000 0x2964 0x3000 5.91 745bcfa73ad4db53c10d428dcfa3b45e

( 8 imports )
> COMCTL32.dll: -
> ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegQueryInfoKeyA, RegCreateKeyExA, RegEnumKeyA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegDeleteValueA, RegSetValueExA, RegEnumValueA, RegFlushKey
> GDI32.dll: ExtTextOutA, SetBkColor, GetRgnBox, CreateRectRgnIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, GetStockObject, SetTextColor, GetTextColor, GetTextExtentPoint32A, GetTextMetricsA, SelectObject, GetTextExtentPoint32W, GetObjectType, GetBitmapBits, GetObjectA, SetBkMode, RectInRegion, OffsetRgn, LineTo, MoveToEx, CreatePen, SelectClipRgn, SetPixel, GetBkColor, SelectClipPath, EndPath, CloseFigure, BeginPath, UpdateColors, DeleteDC, BitBlt, RealizePalette, SelectPalette, CreateCompatibleDC, CreateCompatibleBitmap, CreatePalette, CreateRectRgn, CreateBitmap, GetPixel, SetWindowOrgEx, OffsetWindowOrgEx
> KERNEL32.dll: SetFileAttributesA, MultiByteToWideChar, WideCharToMultiByte, SizeofResource, LoadResource, FindResourceA, lstrcmpiA, IsDBCSLeadByte, HeapDestroy, InterlockedIncrement, InterlockedDecrement, LoadLibraryA, FlushInstructionCache, GetCurrentProcess, GetCurrentThreadId, GetSystemDirectoryA, CreateThread, GetLocalTime, CopyFileA, FindClose, FindNextFileA, FindFirstFileA, DebugBreak, HeapReAlloc, HeapFree, GetShortPathNameA, SetCurrentDirectoryA, LockResource, FlushFileBuffers, SetFilePointer, SetThreadPriority, ResumeThread, GetUserDefaultLangID, CompareFileTime, SystemTimeToFileTime, WritePrivateProfileSectionA, GetPrivateProfileIntA, GetPrivateProfileStringA, SetEvent, ResetEvent, CreateEventA, GetCommandLineA, GetDriveTypeA, GetFileAttributesA, GetCurrentDirectoryA, WaitForMultipleObjects, WritePrivateProfileStringA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, SetLastError, RemoveDirectoryA, HeapCreate, GetVersionExA, GetSystemInfo, HeapAlloc, DisableThreadLibraryCalls, DeleteCriticalSection, InitializeCriticalSection, LoadLibraryExA, GetProcAddress, EnterCriticalSection, FreeLibrary, LeaveCriticalSection, GetModuleHandleA, lstrlenW, DeleteFileA, CreateProcessA, CreateFileA, GetFileSize, ReadFile, WriteFile, GetExitCodeProcess, lstrcpyA, GetLastError, GetModuleFileNameA, CreateDirectoryA, lstrcmpA, GetTickCount, GetCurrentProcessId, WaitForSingleObject, ReleaseMutex, lstrlenA, lstrcpynA, lstrcatA, CreateMutexA, CloseHandle, GetWindowsDirectoryA, MoveFileA
> ole32.dll: CoCreateGuid, CLSIDFromProgID, CoGetInterfaceAndReleaseStream, CreateOleAdviseHolder, OleRegGetMiscStatus, OleRegGetUserType, OleRegEnumVerbs, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, CoCreateInstance, StringFromGUID2, CoFreeUnusedLibraries, CoMarshalInterThreadInterfaceInStream
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> USER32.dll: GetAsyncKeyState, GetIconInfo, CreateIcon, DestroyIcon, GetWindow, GetClassNameA, BeginPaint, GetClientRect, EndPaint, InvalidateRect, IntersectRect, EqualRect, OffsetRect, SetWindowRgn, SetWindowPos, IsWindow, DestroyWindow, SetFocus, GetFocus, IsChild, GetClassInfoExA, LoadCursorA, CreateWindowExA, ShowWindow, UnionRect, PtInRect, GetKeyState, CharNextA, LoadStringA, MessageBoxA, CallWindowProcA, GetWindowLongA, DefWindowProcA, SetWindowLongA, SetForegroundWindow, PostMessageA, GetParent, GetWindowRect, MapWindowPoints, GetSysColor, SendMessageA, SetTimer, PostQuitMessage, KillTimer, wsprintfA, GetMessageA, TranslateMessage, DispatchMessageA, GetWindowLongW, IsWindowUnicode, SetWindowLongW, CallWindowProcW, DefWindowProcW, MoveWindow, RegisterClassExA, UpdateWindow, ReleaseCapture, DrawIconEx, TrackPopupMenuEx, GetUpdateRgn, ClientToScreen, ScreenToClient, SetCapture, GetForegroundWindow, ValidateRect, DrawEdge, GetActiveWindow, IsRectEmpty, GetMessagePos, GetMessageTime, CallNextHookEx, SetWindowsHookExA, EnumWindows, PeekMessageA, GetWindowThreadProcessId, GetKeyboardType, SystemParametersInfoA, ReleaseDC, GetDC, IsWindowVisible, LoadImageA, SetWindowTextA, GetWindowTextLengthA, SetRectEmpty, EnableMenuItem, GetMenuItemInfoA, CheckMenuItem, GetWindowDC, GetDesktopWindow, SetMenuItemInfoA, InflateRect, CreatePopupMenu, DrawTextW, DrawTextA, CreateWindowExW, GetWindowTextA, GetWindowTextW, SetWindowTextW, AppendMenuW, AppendMenuA, DestroyMenu, IsMenu, CopyRect, SetRect, UnregisterClassA, WindowFromPoint, GetCursorPos, GetCapture, SubtractRect, FindWindowA, AdjustWindowRectEx, UnhookWindowsHookEx, CreateIconIndirect
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, O, Update


für C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.7.17.0 2008.07.18 -
AntiVir 7.8.0.68 2008.07.18 -
Authentium 5.1.0.4 2008.07.18 W32/HackTool.BAC
Avast 4.8.1195.0 2008.07.18 -
AVG 8.0.0.130 2008.07.18 -
BitDefender 7.2 2008.07.18 -
CAT-QuickHeal 9.50 2008.07.17 AdTool.MyWebSearch.az (Not a Virus)
ClamAV 0.93.1 2008.07.18 -
DrWeb 4.44.0.09170 2008.07.18 -
eSafe 7.0.17.0 2008.07.17 -
eTrust-Vet 31.6.5965 2008.07.18 -
Ewido 4.0 2008.07.18 -
F-Prot 4.4.4.56 2008.07.18 W32/HackTool.BAC
F-Secure 7.60.13501.0 2008.07.18 AdTool.Win32.MyWebSearch.az
Fortinet 3.14.0.0 2008.07.18 W32/MyWebSearch
GData 2.0.7306.1023 2008.07.18 -
Ikarus T3.1.1.34.0 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az
Kaspersky 7.0.0.125 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az
McAfee 5341 2008.07.18 potentially unwanted program MWS
Microsoft 1.3704 2008.07.18 -
NOD32v2 3278 2008.07.18 Win32/Toolbar.MyWebSearch
Norman 5.80.02 2008.07.18 -
Panda 9.0.0.4 2008.07.17 Application/MyWebSearch
Prevx1 V2 2008.07.18 -
Rising 20.53.42.00 2008.07.18 -
Sophos 4.31.0 2008.07.18 -
Sunbelt 3.1.1536.1 2008.07.17 -
Symantec 10 2008.07.18 -
TheHacker 6.2.96.381 2008.07.16 Adware/MyWebSearch.az
TrendMicro 8.700.0.1004 2008.07.18 -
VBA32 3.12.8.0 2008.07.17 -
VirusBuster 4.5.11.0 2008.07.17 -
Webwasher-Gateway 6.6.2 2008.07.18 -
weitere Informationen
File size: 57344 bytes
MD5...: 30e4c0a012ae80e8479523a8d9a3217f
SHA1..: f5e602af05e25de625fd401f9492a66659ea20b7
SHA256: 23b4fd1592eed3c2d06877fa909ed13985e0d3ca76db856cb216a1ec6af4c5cd
SHA512: cd9e775e448c78bc370d4d208a6383308f596d01409d0909c0cbfb34fe9adf2b
410764d3e9c245001d013581f97335edc70c1fb7c090c5e1c011d4e6342e52ca
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000565a
timedatestamp.....: 0x455b32f7 (Wed Nov 15 15:32:07 2006)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6dc2 0x7000 6.36 cb8bd9828556612bf1f2369de628aeae
.rdata 0x8000 0x1855 0x2000 4.45 0c3ab818e61c3548d8d150cba105b8bc
.data 0xa000 0xc4e 0x1000 3.12 d5514a93e0115940557f6d76d9e5fb53
AskTBar_ 0xb000 0x18 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xc000 0xb38 0x1000 3.79 b50d55c755368358e903e7a4850d4f54
.reloc 0xd000 0x960 0x1000 3.83 e9cde1bc5a3a8bd46e028f1c65563641

( 6 imports )
> ADVAPI32.dll: RegDeleteKeyA, RegCreateKeyExA, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, RegEnumKeyExA, RegSetValueExA, RegQueryInfoKeyA, RegEnumValueA, RegFlushKey, RegQueryValueExA
> KERNEL32.dll: DeleteCriticalSection, lstrlenW, lstrcatA, lstrlenA, lstrcpyA, LeaveCriticalSection, EnterCriticalSection, SystemTimeToFileTime, GetLocalTime, CompareFileTime, lstrcmpA, lstrcpynA, InitializeCriticalSection, DisableThreadLibraryCalls, HeapAlloc, GetSystemInfo, GetVersionExA, HeapCreate, InterlockedIncrement, InterlockedDecrement, FlushInstructionCache, GetCurrentProcess, MultiByteToWideChar, GetShortPathNameA, GetModuleHandleA, GetModuleFileNameA, WideCharToMultiByte, CreateThread, SizeofResource, LoadResource, FindResourceA, GetLastError, LoadLibraryExA, lstrcmpiA, IsDBCSLeadByte, HeapDestroy, GetProcAddress, LoadLibraryA, DebugBreak, HeapReAlloc, HeapFree, GetSystemDirectoryA, GetUserDefaultLangID, CloseHandle, ReleaseMutex, WaitForSingleObject, CreateMutexA, GetDriveTypeA, GetFileAttributesA, UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, SetLastError, WaitForMultipleObjects, SetEvent, ResetEvent, SetThreadPriority, ResumeThread, CreateEventA, GetCurrentThreadId, GetCurrentProcessId, FreeLibrary
> ole32.dll: CoCreateGuid, StringFromGUID2, CoCreateInstance, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree
> OLEAUT32.dll: -, -, -, -, -, -, -
> USER32.dll: CharNextA, wsprintfA, GetWindowLongA, SetWindowLongA, GetClassNameA, CallWindowProcA, CreateWindowExA, RegisterClassExA, LoadCursorA, GetClassInfoExA, GetKeyboardType, UnregisterClassA, GetWindowThreadProcessId, DestroyWindow, EnumWindows, DefWindowProcA, PostMessageA, IsWindow, PeekMessageA
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

Alt 18.07.2008, 14:51   #8
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Users\Matze\AppData\Local\Temp\efcaWoPi.dll" not found!
Deletion of file "C:\Users\Matze\AppData\Local\Temp\efcaWoPi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Geändert von MatzeHRo (18.07.2008 um 15:42 Uhr)

Alt 18.07.2008, 15:46   #9
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



und hier noch das Logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:14, on 15.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dll",b
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10680 bytes

Alt 18.07.2008, 16:21   #10
trojan-death
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Ok bitte starte nochmals The Avenger und gib folgendes im weissen Feld ein:
Zitat:
files to delete:
C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
C:\RecInfo\RecInfo.exe
C:\Users\Matze\AppData\Local\Temp\labqaass.dll
C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll
C:\Program Files\NetProject\sbmntr.exe
folders to delete:
C:\RecInfo
C:\Program Files\NetProject
C:\Program Files\AskTBar
Bitte wende Blacklight an (Link ist in meiner Signatur) und poste dann das Logfile:aplaus:
Dasselbe mit SmitfraudFix
Und zum Schluss nochmals ein frisches HijackThis Logfile.
__________________
Kein Support per PN

Zitat:
"If it ain't broke, don't fix it"
"Never change a running System"

Alt 18.07.2008, 18:56   #11
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Ok hier erstmal das Logfile von The Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" deleted successfully.
File "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" deleted successfully.

Error: could not open file "C:\RecInfo\RecInfo.exe"
Deletion of file "C:\RecInfo\RecInfo.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" not found!
Deletion of file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" not found!
Deletion of file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Program Files\NetProject\sbmntr.exe"
Deletion of file "C:\Program Files\NetProject\sbmntr.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\RecInfo" not found!
Deletion of folder "C:\RecInfo" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Program Files\NetProject" not found!
Deletion of folder "C:\Program Files\NetProject" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Program Files\AskTBar" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Nach dem Neustart zeigt er mir allerdings das an:

Windows - Kein Datenträger
Exception Processing Message 0xc0000013 Parameters 0x75E192A0
0x00000004 0x75E192A0 0x75E192A0

Alt 18.07.2008, 19:27   #12
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



So bei Blacklight hat er nichts gefunden, daher hat er mir wohl auch kein Logfile angezeigt...

Hier ist das von SmitFraudFix:

SmitFraudFix v2.329

Scan done at 20:15:20,08, 18.07.2008
Run from C:\Users\Matze\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer=213.191.74.19 62.109.123.197


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Alt 18.07.2008, 19:31   #13
MatzeHRo
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Und hier noch das Logfile von Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:10, on 18.07.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 9089 bytes

Und kannst du mir schon sagen wie ob es jetzt besser aussieht???:aplaus:

Alt 19.07.2008, 11:09   #14
trojan-death
 
Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Standard

Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!



Ok

Ja sieht schon besser aus, aber dieses RecInfo will wohl einfach nicht verschwinden
Kannnst du bitte mal selbst nachschauen ob du C:\RecInfo und dementsprechenden C:\Recinfo\Recinfo.exe findest? Dasselbe bitte mit C:\Program Files\NetProject

Nun fixe mit HijackThis folgende Einträge:
Zitat:
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing)
O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
Bitte starte nun nochmals The Avenger (nach dem fixen) und gib folgenden Text ein:
Zitat:
files to delete:
C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
c:\RecInfo\RecInfo.exe
folders to delete:
c:\RecInfo
__________________
Kein Support per PN

Zitat:
"If it ain't broke, don't fix it"
"Never change a running System"

Antwort

Themen zu Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!
adobe, antivir, ask toolbar, avg, avira, bho, cpu, defender, dringend, firefox, gservice, helper, hijack, hijackthis, hkus\s-1-5-18, home, internet, internet explorer, local\temp, magix, mozilla, mozilla firefox, pop-up-blocker, poweriso, programdata, quara, rundll, software, solution, system, temp, tr/crypt.xpack.ge, tr/crypt.xpack.gen, tr/vundo.gen, urlsearchhook, vista, warnmeldungen, windows, windows defender, windows sidebar, xpack.gen



Ähnliche Themen: Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!


  1. Trojaner TR/Vundo.Gen TR/Crypt.XPACK.Gen TR/Crypt.Morphine.Gen
    Log-Analyse und Auswertung - 09.04.2010 (4)
  2. Vundo.Gen & Crypt.XPACK.Gen
    Plagegeister aller Art und deren Bekämpfung - 13.11.2008 (16)
  3. Vundo und crypt.XPACK.gen
    Log-Analyse und Auswertung - 11.09.2008 (6)
  4. TR/Vundo.Gen und TR/Crypt.XPACK.Gen
    Log-Analyse und Auswertung - 31.08.2008 (2)
  5. Hilfe bei TR/Vundo und TR/Crypt.XPACK
    Log-Analyse und Auswertung - 25.08.2008 (5)
  6. monder/ crypt/ vundo/ hilfe
    Plagegeister aller Art und deren Bekämpfung - 25.08.2008 (12)
  7. Trojaner TR/Vundo.Gen TR/Crypt.XPACK.Gen TR/Crypt.Morphine.Gen
    Mülltonne - 25.08.2008 (0)
  8. Hilfe ! *tr/vundo.gen und tr/crypt.xpack.gen*
    Plagegeister aller Art und deren Bekämpfung - 16.07.2008 (3)
  9. Hilfe habe: VundO.gen & Crypt.XPack.gen drauf bitte mal Log-Flie checken.danke.
    Mülltonne - 04.07.2008 (0)
  10. TR Monder 97792.1 / 91136.10 und Vundo.Gen hartnäckig! Bitte Hilfe!
    Log-Analyse und Auswertung - 28.06.2008 (10)
  11. TR Vundo und TR monder: Hilfe bei Logfileauswertung gesucht
    Log-Analyse und Auswertung - 15.06.2008 (1)
  12. Trojaner TR/Crypt.XPACK.GEN TR/Vundo.GEN TR/Vundo.AG
    Plagegeister aller Art und deren Bekämpfung - 12.06.2008 (4)
  13. TR/Crypt.XPACK.GEN TR/Vundo.GEN TR/Vundo.AG
    Mülltonne - 12.06.2008 (0)
  14. TR/Crypt.XPACK.Gen - TR/Monder.126976.1
    Plagegeister aller Art und deren Bekämpfung - 08.06.2008 (21)
  15. Bitte Hilfe bei Löschen von zwei Trojanern: TR/PCK.Monder.45056.4 und TR/Vundo.Gen
    Log-Analyse und Auswertung - 22.05.2008 (1)
  16. Hilfe! TR/Dldr.ConHook.Pr1 TR/Crypt.XPack.Gen TR/PrivacySet.A TR/Vundo.ELT
    Plagegeister aller Art und deren Bekämpfung - 18.05.2008 (4)
  17. TR/Vundo.Gen, Vundo.AG, Crypt.XPACK.Gen usw.
    Plagegeister aller Art und deren Bekämpfung - 16.05.2008 (3)

Zum Thema Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! - Hallo, bräuchte dringend Hilfe bei der Bekämpfung der im Titel genannten Trojaner... Habe über AntiVir schon mehrmals einen Durchlauf gestartet und bei Warnmeldungen des Guard versucht in Quarantäne zu verschieben, - Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!...
Archiv
Du betrachtest: Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.