Trojaner-Board - hijack logfile - hilfloser bittet um hilfe

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - hijack logfile - hilfloser bittet um hilfe (https://www.trojaner-board.de/10757-hijack-logfile-hilfloser-bittet-um-hilfe.html)

hijack logfile - hilfloser bittet um hilfe

hallo!
schon mal einen RIESEN Dank für eure hilfe, ich weiß selbst nicht mehr weiter, ad-aware und spybot haben nichts gebracht.
hier der log:

Logfile of HijackThis v1.98.2
Scan saved at 16:28:41, on 14.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sstray.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Programme\CyberLink\PowerVCRII\Agent.exe
C:\WINDOWS\System32\carpserv.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\javasr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\sysnx.exe
C:\Dokumente und Einstellungen\Jörg\Eigene Dateien\Download\Downloaded Songs\hijackthis_1-98-2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9037343E-6802-1EC2-D767-E57CC2D9D83C} - C:\WINDOWS\sysjg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [Agent] C:\Programme\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [Remote_Agent] C:\Programme\CyberLink\PowerVCRII\RemoteAgent.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [javasr.exe] C:\WINDOWS\javasr.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AV Antivirus\AVSched32.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

Gruß und Dank
nerner

@nerner
gebe HJT bitte einen eigenen ordner.
lasse siese datei C:\WINDOWS\sysjg.dll hier überprüfen
poste das ergebnis

chaosman

Dankeschön für die erste schnelle antwort.
HJT befindet sich eigentlich in nem eigenen Ordner. soll ich nochmal scannen und posten?

das ergebnis zu C:\WINDOWS\sysjg.dll ist:

Service load: 0% 100%

File: sysjg.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX

AntiVir No viruses found (0.42 seconds taken)
Avast No viruses found (3.01 seconds taken)
BitDefender No viruses found (0.55 seconds taken)
ClamAV Trojan.Downloader.Agent.AC (0.36 seconds taken)
Dr.Web Trojan.DownLoader.1101 (0.51 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan-Downloader.Win32.Agent.an (0.62 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.45 seconds taken)
Norman Virus Control No viruses found (0.12 seconds taken)

danke,
nerner

Lösche dies im abg. Modus:

C:\WINDOWS\javasr.exe
C:\WINDOWS\system32\sysnx.exe
C:\WINDOWS\sysjg.dll

Fixe mit HijackThis dies:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zheos.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9037343E-6802-1EC2-D767-E57CC2D9D83C} - C:\WINDOWS\sysjg.dll
O4 - HKLM\..\Run: [javasr.exe] C:\WINDOWS\javasr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

SP2 + alle anderen Updates/Patches installieren: www.windowsupdate.com

Schütze dich mit einem anderen Browser: www.firefox-browser.de ist sicher und kostenlos.

danke für die antwort bzw. hilfe, werd jetzt direkt tun wie mir "befohlen" :D

hatte zusätzlich schon mal escan im abgesicherten modus laufen lassen, und das alles bemängelte er als "infected" (wie gehe ich denn dabei jetzt genau vor?):

File C:\WINDOWS\system32\sysom32.dll infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\javasr.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\sysnx.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\javamf.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\javasr.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\jgpdl.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\ntbo32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\sdkdc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\zdsnh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\zpsru.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\adddv32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\hzafs.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\ieaf32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\ienl32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\ieti.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\javaoi32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\ntsn.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\sdkzr32.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\sysnx.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\sysom32.dll infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken

File C:\WINDOWS\System32\sysxz.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\DOKUME~1\JRG~1\LOKALE~1\TEMPOR~1\Content.IE5\9377P9OE\main[1].chm infected by "TrojanDownloader.JS.Weis.b" Virus. Action Taken: No Action Taken.

File C:\DOKUME~1\JRG~1\LOKALE~1\TEMPOR~1\Content.IE5\9377P9OE\x[1].chm infected by "TrojanDownloader.Win32.WinShow.am" Virus. Action Taken: No Action Taken.

File C:\DOKUME~1\JRG~1\LOKALE~1\TEMPOR~1\Content.IE5\9377P9OE\x[2].chm infected by "TrojanDownloader.Win32.WinShow.am" Virus. Action Taken: No Action Taken.

File C:\Dokumente und Einstellungen\Jörg\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9377P9OE\main[1].chm infected by "TrojanDownloader.JS.Weis.b" Virus. Action Taken: No Action Taken.

File C:\Dokumente und Einstellungen\Jörg\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9377P9OE\x[1].chm infected by "TrojanDownloader.Win32.WinShow.am" Virus. Action Taken: No Action Taken.

File C:\Dokumente und Einstellungen\Jörg\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9377P9OE\x[2].chm infected by "TrojanDownloader.Win32.WinShow.am" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0050591.dll infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0050596.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0050613.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0051613.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0051628.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{747DDF7D-5F7B-4C14-A4C6-22604EC90CD8}\RP18\A0051634.dll infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\javamf.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\javasr.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\jgpdl.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\ntbo32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\sdkdc32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\adddv32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\hzafs.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\ieaf32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\ienl32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\ieti.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\javaoi32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\ntsn.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\sdkzr32.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\sysnx.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\sysom32.dll infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\sysxz.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\zdsnh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\zpsru.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: No Action Taken.

danke und gruß
nerner

Leere deinen Temp-Internet-Files-Ordner.
Dann deaktiviere die Systemwiederherstellung -> Neustart -> Systemwiederherstellung wieder aktivieren.

Scanne nochmal mit eScan -> lösche die jetzt gefundenen Dateien manuell im abg. Modus.

danke nochmals für die hifle.

also, habe alle maßnahmen so durchgeführt wie angegeben, und trotz allen fixens und löschens mit killbox und der escan-trial_version tritt das problem beim nächsten surfen erneut auf. ich gebe jetzt hier mal 2 logfile an, zuerst das nach der säuberungsaktion, und danach das welches sich nach dem nächsten onlinegehen wieder darstellt:

Logfile of HijackThis v1.99.0
Scan saved at 18:20:58, on 17.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Download\hijackthis199_beta\HijackTh is.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\Basic\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\Basic\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O23 - Service: AntiVir Service - Unknown - C:\Programme\AV Antivirus\AVGUARD.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - Unknown - C:\Programme\AV Antivirus\AVWUPSRV.EXE (file missing)
O23 - Service: eScan Server-Updater - MWTI2 - C:\PROGRA~1\Basic\TRAYSSER.EXE
O23 - Service: eScan Monitor Service - Kaspersky Labs. - C:\PROGRA~1\Basic\avpm.exe

und jetzt das wiederum anschließend "infizierte":

Logfile of HijackThis v1.99.0
Scan saved at 18:46:27, on 17.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Basic\TRAYSSER.EXE
C:\PROGRA~1\Basic\avpm.exe
C:\WINDOWS\50comupd.exe:hzaxt
C:\WINDOWS\System32\sstray.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Basic\TRAYICOS.EXE
C:\PROGRA~1\Basic\AVPMWrap.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Basic\AvpM.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Dokumente und Einstellungen\Download\hijackthis199_beta\HijackTh is.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mudpq.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fviie.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mudpq.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fviie.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41B07E2C-E9E2-8FB3-E92D-F43E8F8F3DBB} - C:\WINDOWS\system32\appoa32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Programme\MultiMedia Keyboard\MultiMedia Keyboard\1.0\KbdAp32A.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\Basic\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\Basic\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Antivirus\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O23 - Service: AntiVir Service - Unknown - C:\Programme\AV Antivirus\AVGUARD.EXE (file missing)
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update - Unknown - C:\Programme\AV Antivirus\AVWUPSRV.EXE (file missing)
O23 - Service: eScan Server-Updater - MWTI2 - C:\PROGRA~1\Basic\TRAYSSER.EXE
O23 - Service: eScan Monitor Service - Kaspersky Labs. - C:\PROGRA~1\Basic\avpm.exe

vielen dank schonmal

nerner

Nochmal,

lösche dies im abg. Modus:
C:\WINDOWS\system32\appoa32.dll

Danach fixe mit HijackThis dies:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mudpq.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fviie.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mudpq.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fviie.dll/sp.html#11111
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {41B07E2C-E9E2-8FB3-E92D-F43E8F8F3DBB} - C:\WINDOWS\system32\appoa32.dll
O23 - Service: AntiVir Service - Unknown - C:\Programme\AV Antivirus\AVGUARD.EXE (file missing)
O23 - Service: AntiVir Update - Unknown - C:\Programme\AV Antivirus\AVWUPSRV.EXE (file missing)

Was ist dies eigentlich: C:\WINDOWS\50comupd.exe:hzaxt
Im Zweifelsfrei löschen!