Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.31 2010.07.12 -
AhnLab-V3 2010.07.10.00 2010.07.09 -
AntiVir 8.2.4.10 2010.07.12 -
Antiy-AVL 2.0.3.7 2010.07.12 -
Authentium 5.2.0.5 2010.07.11 -
Avast 4.8.1351.0 2010.07.12 -
Avast5 5.0.332.0 2010.07.12 -
AVG 9.0.0.836 2010.07.12 PSW.Generic8.DKN
BitDefender 7.2 2010.07.12 -
CAT-QuickHeal 11.00 2010.07.12 -
ClamAV 0.96.0.3-git 2010.07.12 -
Comodo 5403 2010.07.12 -
DrWeb 5.0.2.03300 2010.07.12 -
eSafe 7.0.17.0 2010.07.11 -
eTrust-Vet 36.1.7700 2010.07.12 -
F-Prot 4.6.1.107 2010.07.11 -
F-Secure 9.0.15370.0 2010.07.12 -
Fortinet 4.1.143.0 2010.07.11 -
GData 21 2010.07.12 -
Ikarus T3.1.1.84.0 2010.07.12 -
Jiangmin 13.0.900 2010.07.12 -
Kaspersky 7.0.0.125 2010.07.12 -
McAfee 5.400.0.1158 2010.07.12 -
McAfee-GW-Edition 2010.1 2010.07.12 -
Microsoft 1.5902 2010.07.12 TrojanSpy:Win32/Ursnif.gen!I
NOD32 5272 2010.07.12 -
Norman 6.05.11 2010.07.12 -
nProtect 2010-07-12.01 2010.07.12 -
Panda 10.0.2.7 2010.07.11 Trj/CI.A
PCTools 7.0.3.5 2010.07.12 -
Prevx 3.0 2010.07.12 -
Rising 22.56.00.04 2010.07.12 -
Sophos 4.55.0 2010.07.12 Troj/Spyurs-Gen
Sunbelt 6566 2010.07.10 -
SUPERAntiSpyware 4.40.0.1006 2010.07.12 -
Symantec 20101.1.0.89 2010.07.12 -
TheHacker 6.5.2.1.312 2010.07.12 -
TrendMicro 9.120.0.1004 2010.07.12 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.12 -
VBA32 3.12.12.6 2010.07.12 -
ViRobot 2010.7.12.3932 2010.07.12 -
VirusBuster 5.0.27.0 2010.07.12 -
weitere Informationen
File size: 46592 bytes
MD5 : 7799ee2d701401fbf0975fca762b2d8e
SHA1 : 6532101c282e1a154408cf53a55e5839cef0d5b8
SHA256: a1d7a5f019aaae5274b97491b9a3407927f8f5ba019b92b4f2697ab475d4fbf7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13E7
timedatestamp.....: 0x3A3B984C (Sat Dec 16 17:29:00 2000)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7000 0x6800 7.17 0d548973c3612bf54887bc8d697dabd4
.data 0x8000 0x1000 0x200 2.75 bda26dcdc2fdaf2480f4d04f05df748a
.kdata 0x9000 0x5000 0x4600 7.09 2d064b88e5c9c0d8ca470df27778a037
.reloc 0xE000 0x1000 0x200 0.51 07546777a87893007750446324508cea

( 1 imports )

> kernel32.dll: GetThreadPriority, CreateEventA, GetCurrentThreadId, OpenThread, ExitProcess, LoadLibraryExA

( 1 exports )

> CreateProcessNotify, DllGetVersion
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 768:8PHDMrB8jTBJM8RPobM2WgePmPAlrg4+XcT0BPDnd2x/+JbI3VG0bO:8fDJYEPobQPllrQXxR2Rp3VRb
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-

Zitat:

Zitat von Uther

Microsoft 1.5902 2010.07.12 TrojanSpy:Win32/Ursnif.gen!I

Bei dir läuft ein Passwort und Benutzerinfo stehlender Trojaner. Ändere alle deine Passwörter, die du/ihr im Netz verwendest, (Mails,Bank,Loggins) so schnell wie möglich, von einem sauberen zweiten PC.

_________________________________________________________

Du kannst jetzt den OTL Fix durchführen. Poste das Log dann hier.

**************

All processes killed
Error: Unable to interpret <MOD - D:\WINXP\system32\mpnohare.dll ()> in the current context!
Error: Unable to interpret <DRV - (XDva289) -- D:\WINXP\System32\XDva289.sys File not found> in the current context!
Error: Unable to interpret <DRV - (GMSIPCI) -- E:\INSTALL\GMSIPCI.SYS File not found> in the current context!
Error: Unable to interpret <DRV - (EagleNT) -- D:\WINXP\System32\drivers\EagleNT.sys File not found> in the current context!
Error: Unable to interpret <O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()> in the current context!
Error: Unable to interpret <O36 - AppCertDlls: calcsn32 - (D:\WINXP\system32\mpnohare.dll) - D:\WINXP\system32\mpnohare.dll ()> in the current context!
Error: Unable to interpret <[2010.07.20 17:21:35 | 000,000,006 | -H-- | M] () -- D:\WINXP\tasks\SA.DAT> in the current context!
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 41620 bytes

User: LocalService

User: NetworkService

User: Uther
->Flash cache emptied: 48389 bytes

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Uther
->Temp folder emptied: 403 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 30791204 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2610062 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 32,00 mb

D:\WINXP\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.1 log created on 07232010_173912

Files\Folders moved on Reboot...
File\Folder D:\WINXP\temp\Perflib_Perfdata_79c.dat not found!

Registry entries deleted on Reboot...

Bitte den OTL Fix noch mal durchführen, er wurde nicht korrekt durchgeführt.

Das:
:OTL hast du nicht eingefügt. Es muss aber dabei sein. Füge GENAU diesen Text in das weisse Feld ein: (ohne zitat)

Zitat:

:OTL
MOD - D:\WINXP\system32\mpnohare.dll ()
DRV - (XDva289) -- D:\WINXP\System32\XDva289.sys File not found
DRV - (GMSIPCI) -- E:\INSTALL\GMSIPCI.SYS File not found
DRV - (EagleNT) -- D:\WINXP\System32\drivers\EagleNT.sys File not found
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O36 - AppCertDlls: calcsn32 - (D:\WINXP\system32\mpnohare.dll) - D:\WINXP\system32\mpnohare.dll ()
[2010.07.20 17:21:35 | 000,000,006 | -H-- | M] () -- D:\WINXP\tasks\SA.DAT
:Commands
[purity]
[EMPTYFLASH]
[emptytemp]
[resethosts]

wenn du unsicher bist frage nach!

Sorry hatte es wohl nicht makiert......

All processes killed
========== OTL ==========
Service XDva289 stopped successfully!
Service XDva289 deleted successfully!
File D:\WINXP\System32\XDva289.sys File not found not found.
Service GMSIPCI stopped successfully!
Service GMSIPCI deleted successfully!
File E:\INSTALL\GMSIPCI.SYS File not found not found.
Service EagleNT stopped successfully!
Service EagleNT deleted successfully!
File D:\WINXP\System32\drivers\EagleNT.sys File not found not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\ deleted successfully.
C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\calcsn32:\WINXP\system32\mpnohare.dll deleted successfully.
D:\WINXP\system32\mpnohare.dll moved successfully.
D:\WINXP\tasks\SA.DAT moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Uther
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Uther
->Temp folder emptied: 586045 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 17708347 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 18,00 mb

D:\WINXP\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.1 log created on 07232010_175051

Files\Folders moved on Reboot...
File\Folder D:\WINXP\temp\Perflib_Perfdata_5c8.dat not found!

Registry entries deleted on Reboot...

Zitat:

Zitat von Uther

Sorry hatte es wohl nicht makiert......

diesmal ist es richtig. Du solltest dich unbedingt bei allen zukünftigen Anweisungen ganz genau an die Anweisungen halten da das sonst unnötig viel extra Arbeit und Zeit in Anspruch nimmt.


Führe jetzt Combofix ganz genau nach dieser Anleitung aus:
Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Alle Antivirenwächter/Antispywächter müssen deaktiviert werden bevor Combofix scannt! Alle Programme geschlossen sein! (auch InternetExplorer Firefox) Nichts anklicken wenn Combofix scannt! Warte geduldig ab bis CF fertig ist und das Log kommt. Poste es dann hier.

*******************************************

Das Fenster auf der Sparkassen seite ist weg.... werden jetzt neue Zugriffsdaten anfordern.

Vielen Dank für die Hilfe

MfG

Uther