Trojaner-Board


kiwibaum 15.03.2007 12:42

Recurring worms etc.

Hello,

I have an acquaintance's computer here on which I keep finding worms (at irregular intervals, with Adaware, Anti Virus Shield, Antivir and the Kaspersky online scan).
Just wanted to post my HJT log here, in case I've picked up something more serious.

System:
Winnt 2000 SP4
Programs:
Anti Virus Shield
Adaware
CC Cleaner (also regularly finds broken entries, even though the PC isn't currently in productive use)

Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 12:29:07, on 15.03.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\herold home\OtbStart.EXE
E:\PFY\Stechuhr\Stechuhr.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
C:\WINNT\System32\cidaemon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Highjack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telering.at/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von tele.ring
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.1012surfnet.at:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - E:\FlipAlbum 5 Suite Eval\fplaunch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [OtbStart] e:\herold home\OtbStart.EXE
O4 - HKLM\..\Run: [Stechuhr2] E:\PFY\Stechuhr\Stechuhr.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [aol] "C:\Programme\AOL\Active Virus Shield\avp.exe"
O4 - Global Startup: Microsoft Office Shortcut-Leiste.lnk = C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &Download with &DAP - E:\DOWNLO~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\DOWNLO~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\DOWNLO~1\DAP\DAP.EXE
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O12 - Plugin for .ivr: C:\Programme\Internet Explorer\PLUGINS\NPRVRT32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133293869751
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programme\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Regards,
kiwibaum
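As an added illustration of the first pass a log helper makes over a HijackThis log (this is not code from the thread or from the HijackThis project), the following Python script parses the log format posted above and flags the entry types usually checked first: O10 Winsock LSP files the tool cannot identify, O23 services whose binary is missing, O20 Winlogon Notify DLLs and O16 ActiveX downloads. The embedded sample log is a constructed excerpt modelled on the log above, not the complete log.

```python
import re
from collections import Counter

# Constructed excerpt in HijackThis v1.99.1 format, modelled on the log
# posted above (a handful of representative lines, not the whole log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:29:07, on 15.03.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\Programme\AOL\Active Virus Shield\avp.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.1012surfnet.at:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [aol] "C:\Programme\AOL\Active Virus Shield\avp.exe"
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programme\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Every HJT finding line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
ENTRY_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Split an HJT log into (platform, msie, running processes, [(section, body)])."""
    platform = re.search(r"^Platform: (.*)$", text, re.M)
    msie = re.search(r"^MSIE: (.*)$", text, re.M)
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return (platform.group(1) if platform else "",
            msie.group(1) if msie else "", processes, entries)


def ie_major_version(msie):
    """'Internet Explorer v5.00 SP4 (...)' -> 5; 0 if the field is absent."""
    m = re.search(r"Internet Explorer v(\d+)", msie)
    return int(m.group(1)) if m else 0


def triage(entries):
    """Count entries per section and list the ones a log helper looks at first:
    unidentified Winsock LSP files (O10), services whose binary is missing (O23),
    Winlogon Notify DLLs (O20) and ActiveX downloads (O16)."""
    counts = Counter(sec for sec, _ in entries)
    findings, seen_lsp = [], set()
    for sec, body in entries:
        if sec == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            path = body.split(":", 1)[1].strip()
            if path not in seen_lsp:  # HJT prints one line per LSP layer
                seen_lsp.add(path)
                findings.append((sec, f"unknown LSP file {path} in {counts[sec]} layers"))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service binary missing: " + body.split(" - ")[0]))
        elif sec == "O20":
            findings.append((sec, "Winlogon Notify DLL: " + body.split(" - ", 1)[1]))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[1]
            host = re.sub(r"^https?://([^/]+).*$", r"\1", url)
            findings.append((sec, f"ActiveX control downloaded from {host}"))
    return counts, findings


def analyse(text):
    """Full pass over one log; returns a dict that is easy to print or assert on."""
    platform, msie, processes, entries = parse_hjt(text)
    counts, findings = triage(entries)
    return {
        "platform": platform,
        "ie_major": ie_major_version(msie),
        "process_count": len(processes),
        "counts": dict(counts),
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"{report['platform']}, IE major version {report['ie_major']}, "
          f"{report['process_count']} processes")
    for sec, note in report["findings"]:
        print(f"  [{sec}] {note}")
```

Duplicate O10 lines are collapsed into one finding with the layer count, since HijackThis emits one line per Winsock layer the same DLL is hooked into.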

trott 15.03.2007 15:38

Hello!
Which worms are actually being found? Internet Explorer 5.00 is riddled with vulnerabilities, and I also suspect this PC doesn't see the Windows Update page very often! :D

regards

undoreal 16.03.2007 01:09

Hello.

Please download SSW.
Install and update it.
Then disable System Restore on all drives and run the program twice: once in normal mode and once in Safe Mode (F8 while booting).

Then please post a new HJT log.

regards

Undoreal

kiwibaum 16.03.2007 08:19

Morning,

Thanks for the help so far.
I'm scanning right now and will post the log afterwards.

Here's a log of the first scan with Active Virus Shield, detected files:

deleted: adware not-a-virus:AdWare.Win32.NewDotNet.g File: C:\WINNT\NDNuninstall6_30.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\WINNT\NDNuninstall7_14.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: C:\WINNT\NDNuninstall4_85.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: C:\WINNT\NDNuninstall6_38.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\WINNT\NDNuninstall6_90.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\WINNT\NDNuninstall6_98.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\WINNT\NDNuninstall7_22.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\WINNT\NDNuninstall7_48.exe
deleted: adware not-a-virus:AdWare.Win32.Gator.1018 File: C:\WINNT\Downloaded Program Files\HDPlugin1018.dll
deleted: adware not-a-virus:AdWare.Win32.MyWay.b File: C:\Programme\MyWay\myBar\1.bin\MY2NS.EXE
deleted: adware not-a-virus:AdWare.Win32.MyWay.f File: C:\Programme\MyWay\myBar\1.bin\NPMYWAY.DLL
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: C:\Programme\NewDotNet\uninstall6_38.exe
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\Programme\NewDotNet\newdotnet7_48.dll
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\Programme\NewDotNet\uninstall7_48.exe
deleted: adware not-a-virus:AdWare.Win32.MyWay.l File: C:\Highjack\backups\backup-20070313-141359-818.dll
deleted: adware not-a-virus:AdWare.Win32.MyWay.l File: C:\Highjack\backups\backup-20070313-141359-292.dll
deleted: adware not-a-virus:AdWare.Win32.NewDotNet.e File: C:\Highjack\backups\backup-20070313-141359-356.dll
deleted: adware not-a-virus:AdWare.Win32.Dap.c File: E:\DOWNLOADS\dap53lang.exe/WISE0021.BIN\dapiebar.dll
deleted: adware not-a-virus:AdWare.Win32.Dap.c File: E:\DOWNLOADS\dap7.exe/WISE0021.BIN\dapiebar.dll
deleted: adware not-a-virus:AdWare.Win32.Dap.c File: E:\DOWNLOADS\DAP\DAPIEBar.dll

Regards,
kiwibaum

kiwibaum 16.03.2007 10:16

OK, I did it as described above; the program found a few new trojans again.

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:14:49, on 16.03.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\herold home\OtbStart.EXE
E:\PFY\Stechuhr\Stechuhr.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telering.at/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von tele.ring
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.1012surfnet.at:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - E:\FlipAlbum 5 Suite Eval\fplaunch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [OtbStart] e:\herold home\OtbStart.EXE
O4 - HKLM\..\Run: [Stechuhr2] E:\PFY\Stechuhr\Stechuhr.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [aol] "C:\Programme\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office Shortcut-Leiste.lnk = C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &Download with &DAP - E:\DOWNLO~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\DOWNLO~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\DOWNLO~1\DAP\DAP.EXE
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\programme\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll
O12 - Plugin for .ivr: C:\Programme\Internet Explorer\PLUGINS\NPRVRT32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133293869751
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programme\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

undoreal 16.03.2007 14:45

Did you run SSW twice? It would be great if you could post the reports, or give a bit more information about what was found, in which scan, in which folders, and so on.

Then please download lspfix and let the tool do its work.

Then post a new HJT log.

regards

Undoreal

kiwibaum 19.03.2007 08:13

Here are the 2 requested logs:

SUPERAntiSpyware Scan Log
Generated 03/16/2007 at 08:57 AM

Application Version : 3.6.1000

Core Rules Database Version : 3201
Trace Rules Database Version: 1212

Scan type : Complete Scan
Total Scan Time : 00:49:17

Memory items scanned : 304
Memory threats detected : 0
Registry items scanned : 4808
Registry threats detected : 57
File items scanned : 25270
File threats detected : 67

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@tradedoubler[2].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@mediaplex[1].txt

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKLM\Software\New.net
HKLM\Software\New.net#Activity
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#Tag
HKLM\Software\New.net#DiscardTag
HKLM\Software\New.net#FirstTime
HKLM\Software\New.net#Source
HKLM\Software\New.net#Prt
HKLM\Software\New.net#LSPStatus
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
HKLM\Software\New.net#UpgradeCounter
HKLM\Software\New.net#Search
HKLM\Software\New.net#Complete
C:\Programme\NewDotNet\readme.html
C:\Programme\NewDotNet

Adware.MyWay
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0\win32
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\FLAGS
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\HELPDIR
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#pid
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#sr
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigRevision
HKLM\Software\MyWay\myBar#ConfigRevisionURL
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\SearchAssistant
HKLM\Software\MyWay\SearchAssistant#Dir
HKLM\Software\MyWay\SearchAssistant#pid
HKLM\Software\MyWay\SearchAssistant#CurInstall
HKLM\Software\MyWay\SearchAssistant#sr
HKLM\Software\MyWay\SearchAssistant#Id
HKLM\Software\MyWay\SearchAssistant#CacheDir
HKLM\Software\MyWay\SearchAssistant#ConfigDateStamp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UrlInfoAbout
C:\Programme\MyWay\myBar\1.bin\F3HTMLMU.DLL
C:\Programme\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Programme\MyWay\myBar\1.bin\PARTNER.DAT
C:\Programme\MyWay\myBar\1.bin\UNINSTALL.INF
C:\Programme\MyWay\myBar\1.bin
C:\Programme\MyWay\myBar\Cache\files.ini
C:\Programme\MyWay\myBar\Cache\00094917
C:\Programme\MyWay\myBar\Cache\000638E0
C:\Programme\MyWay\myBar\Cache\006928BD.bin
C:\Programme\MyWay\myBar\Cache\00692D83.bin
C:\Programme\MyWay\myBar\Cache\00693470.bin
C:\Programme\MyWay\myBar\Cache\007A75CE.bmp
C:\Programme\MyWay\myBar\Cache\000414D2
C:\Programme\MyWay\myBar\Cache\00DB34BF
C:\Programme\MyWay\myBar\Cache\004C32A4
C:\Programme\MyWay\myBar\Cache\00057A5E.bmp
C:\Programme\MyWay\myBar\Cache\000583FD.bin
C:\Programme\MyWay\myBar\Cache\0009B568
C:\Programme\MyWay\myBar\Cache\00D8B91B
C:\Programme\MyWay\myBar\Cache\007BD9C9
C:\Programme\MyWay\myBar\Cache\00B76F0C
C:\Programme\MyWay\myBar\Cache\00037176
C:\Programme\MyWay\myBar\Cache\0045EE8A
C:\Programme\MyWay\myBar\Cache\00050607
C:\Programme\MyWay\myBar\Cache\0008AB52
C:\Programme\MyWay\myBar\Cache\0045CA0A
C:\Programme\MyWay\myBar\Cache
C:\Programme\MyWay\myBar\History\search
C:\Programme\MyWay\myBar\History
C:\Programme\MyWay\myBar\Settings\prevcfg.htm
C:\Programme\MyWay\myBar\Settings\settings.dat.bak
C:\Programme\MyWay\myBar\Settings\settings.dat
C:\Programme\MyWay\myBar\Settings\settings.htm.bak
C:\Programme\MyWay\myBar\Settings\settings.htm
C:\Programme\MyWay\myBar\Settings
C:\Programme\MyWay\myBar
C:\Programme\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Programme\MyWay\SrchAstt\1.bin\UNINSTAL.INF
C:\Programme\MyWay\SrchAstt\1.bin
C:\Programme\MyWay\SrchAstt\Cache\files.ini
C:\Programme\MyWay\SrchAstt\Cache\00094B47
C:\Programme\MyWay\SrchAstt\Cache\000639A8
C:\Programme\MyWay\SrchAstt\Cache\0001E5BC
C:\Programme\MyWay\SrchAstt\Cache\000414D2
C:\Programme\MyWay\SrchAstt\Cache\004C3358
C:\Programme\MyWay\SrchAstt\Cache\0009B677
C:\Programme\MyWay\SrchAstt\Cache\000E0904
C:\Programme\MyWay\SrchAstt\Cache\00080F0B
C:\Programme\MyWay\SrchAstt\Cache\00054480
C:\Programme\MyWay\SrchAstt\Cache\00027615
C:\Programme\MyWay\SrchAstt\Cache\000369CB
C:\Programme\MyWay\SrchAstt\Cache\001F7C10
C:\Programme\MyWay\SrchAstt\Cache\000CFB05
C:\Programme\MyWay\SrchAstt\Cache\00E4B974
C:\Programme\MyWay\SrchAstt\Cache
C:\Programme\MyWay\SrchAstt
C:\Programme\MyWay

Trojan.Downloader-Gen
C:\WINNT\SYSTEM32\MWSRVACC.EXE

Trojan.ErrorSafe
C:\WINNT\DOWNLOADED PROGRAM FILES\UERSU_0001_N68M1402NETINSTALLER.EXE

Adware.MovieLand/MediaPipe
C:\PROGRAMME\FSUPPORT\NOTIFIER.EXE


Here's the 2nd:


SUPERAntiSpyware Scan Log
Generated 03/16/2007 at 10:07 AM

Application Version : 3.6.1000

Core Rules Database Version : 3201
Trace Rules Database Version: 1212

Scan type : Complete Scan
Total Scan Time : 00:43:07

Memory items scanned : 158
Memory threats detected : 0
Registry items scanned : 4827
Registry threats detected : 43
File items scanned : 25262
File threats detected : 62

Adware.MyWay
HKU\S-1-5-21-515967899-746137067-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
HKU\S-1-5-21-515967899-746137067-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\0\win32
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\FLAGS
HKCR\TypeLib\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}\1.0\HELPDIR
HKLM\Software\MyWay
HKLM\Software\MyWay\myBar
HKLM\Software\MyWay\myBar#Dir
HKLM\Software\MyWay\myBar#pid
HKLM\Software\MyWay\myBar#CurInstall
HKLM\Software\MyWay\myBar#sr
HKLM\Software\MyWay\myBar#Id
HKLM\Software\MyWay\myBar#CacheDir
HKLM\Software\MyWay\myBar#HistoryDir
HKLM\Software\MyWay\myBar#Visible
HKLM\Software\MyWay\myBar#SettingsDir
HKLM\Software\MyWay\myBar#ConfigRevision
HKLM\Software\MyWay\myBar#ConfigRevisionURL
HKLM\Software\MyWay\myBar#ConfigDateStamp
HKLM\Software\MyWay\myBar#Maximized
HKLM\Software\MyWay\SearchAssistant
HKLM\Software\MyWay\SearchAssistant#Dir
HKLM\Software\MyWay\SearchAssistant#pid
HKLM\Software\MyWay\SearchAssistant#CurInstall
HKLM\Software\MyWay\SearchAssistant#sr
HKLM\Software\MyWay\SearchAssistant#Id
HKLM\Software\MyWay\SearchAssistant#CacheDir
HKLM\Software\MyWay\SearchAssistant#ConfigDateStamp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWaySearchAssistant#UrlInfoAbout
C:\Programme\MyWay\myBar\1.bin\F3HTMLMU.DLL
C:\Programme\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Programme\MyWay\myBar\1.bin\PARTNER.DAT
C:\Programme\MyWay\myBar\1.bin\UNINSTALL.INF
C:\Programme\MyWay\myBar\1.bin
C:\Programme\MyWay\myBar\Cache\files.ini
C:\Programme\MyWay\myBar\Cache\00094917
C:\Programme\MyWay\myBar\Cache\000638E0
C:\Programme\MyWay\myBar\Cache\006928BD.bin
C:\Programme\MyWay\myBar\Cache\00692D83.bin
C:\Programme\MyWay\myBar\Cache\00693470.bin
C:\Programme\MyWay\myBar\Cache\007A75CE.bmp
C:\Programme\MyWay\myBar\Cache\000414D2
C:\Programme\MyWay\myBar\Cache\00DB34BF
C:\Programme\MyWay\myBar\Cache\004C32A4
C:\Programme\MyWay\myBar\Cache\00057A5E.bmp
C:\Programme\MyWay\myBar\Cache\000583FD.bin
C:\Programme\MyWay\myBar\Cache\0009B568
C:\Programme\MyWay\myBar\Cache\00D8B91B
C:\Programme\MyWay\myBar\Cache\007BD9C9
C:\Programme\MyWay\myBar\Cache\00B76F0C
C:\Programme\MyWay\myBar\Cache\00037176
C:\Programme\MyWay\myBar\Cache\0045EE8A
C:\Programme\MyWay\myBar\Cache\00050607
C:\Programme\MyWay\myBar\Cache\0008AB52
C:\Programme\MyWay\myBar\Cache\0045CA0A
C:\Programme\MyWay\myBar\Cache
C:\Programme\MyWay\myBar\History\search
C:\Programme\MyWay\myBar\History
C:\Programme\MyWay\myBar\Settings\prevcfg.htm
C:\Programme\MyWay\myBar\Settings\settings.dat.bak
C:\Programme\MyWay\myBar\Settings\settings.dat
C:\Programme\MyWay\myBar\Settings\settings.htm.bak
C:\Programme\MyWay\myBar\Settings\settings.htm
C:\Programme\MyWay\myBar\Settings
C:\Programme\MyWay\myBar
C:\Programme\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Programme\MyWay\SrchAstt\1.bin\UNINSTAL.INF
C:\Programme\MyWay\SrchAstt\1.bin
C:\Programme\MyWay\SrchAstt\Cache\files.ini
C:\Programme\MyWay\SrchAstt\Cache\00094B47
C:\Programme\MyWay\SrchAstt\Cache\000639A8
C:\Programme\MyWay\SrchAstt\Cache\0001E5BC
C:\Programme\MyWay\SrchAstt\Cache\000414D2
C:\Programme\MyWay\SrchAstt\Cache\004C3358
C:\Programme\MyWay\SrchAstt\Cache\0009B677
C:\Programme\MyWay\SrchAstt\Cache\000E0904
C:\Programme\MyWay\SrchAstt\Cache\00080F0B
C:\Programme\MyWay\SrchAstt\Cache\00054480
C:\Programme\MyWay\SrchAstt\Cache\00027615
C:\Programme\MyWay\SrchAstt\Cache\000369CB
C:\Programme\MyWay\SrchAstt\Cache\001F7C10
C:\Programme\MyWay\SrchAstt\Cache\000CFB05
C:\Programme\MyWay\SrchAstt\Cache\00E4B974
C:\Programme\MyWay\SrchAstt\Cache
C:\Programme\MyWay\SrchAstt
C:\Programme\MyWay

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@tradedoubler[2].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@mediaplex[1].txt


I'll run lspfix right away.

EDIT:
lspfix says: "No Problems Found"

undoreal 19.03.2007 11:25

Now update AVS, do a final scan in Safe Mode, and then post a new HJ log.

Do you still have problems after that?

regards

Undoreal

kiwibaum 19.03.2007 15:24

OK, ran the virus scanner in Safe Mode; here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:21:14, on 19.03.2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
E:\herold home\OtbStart.EXE
E:\PFY\Stechuhr\Stechuhr.exe
C:\Programme\AOL\Active Virus Shield\avp.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
C:\WINNT\System32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telering.at/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von tele.ring
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.1012surfnet.at:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - E:\FlipAlbum 5 Suite Eval\fplaunch.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [OtbStart] e:\herold home\OtbStart.EXE
O4 - HKLM\..\Run: [Stechuhr2] E:\PFY\Stechuhr\Stechuhr.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [aol] "C:\Programme\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office Shortcut-Leiste.lnk = C:\Programme\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &Download with &DAP - E:\DOWNLO~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\DOWNLO~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\DOWNLO~1\DAP\DAP.EXE
O12 - Plugin for .ivr: C:\Programme\Internet Explorer\PLUGINS\NPRVRT32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pub.plan.at/mgaxctrlde.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133293869751
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programme\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



I'll keep an eye on whether viruses keep turning up at this rate over the coming weeks.
Thanks for the quick and competent help.

Regards,
kiwi


Copyright ©2000-2025, Trojaner-Board
