Trojaner-Board

Fridge 03.08.2007 10:54

Please help with the evaluation!

I need help: IE opens a pop-up on my machine without my wanting it.

Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Microsoft Windows XP [Version 5.1.2600]
Fri Aug 03 10:10:10 2007 => ProxyServer: Software\Microsoft\Windows\CurrentVersion\Internet Settings
Fri Aug 03 10:10:31 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 11:32:52 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 11:33:46 2007 => Virus Database Date: 8/2/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Fri Aug 03 10:12:12 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 10:12:12 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({f7258f6e-9f60-49c0-8c82-f0a0993d68e0})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({a8b0f390-e6bf-4027-a4d4-1e4363f5e27b})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({a9e33220-0b05-11d7-88d2-444553540000})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with whenu.savenow Spyware/Adware ({c285d18d-43a2-4aef-83fb-bf280e660a97})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({e0abbf96-17dc-44ca-96d0-6217064a97ba})! Action taken: No Action Taken.
Fri Aug 03 10:13:26 2007 => System found infected with lop.com Spyware/Adware (sta3.exe)! Action taken: No Action Taken.
Fri Aug 03 10:13:26 2007 => System found infected with superutilbar Adware (temp.exe)! Action taken: No Action Taken.
Fri Aug 03 10:13:53 2007 => System found infected with smitfraud Browser Hijacker (antivirus test online.url)! Action taken: No Action Taken.
Fri Aug 03 10:13:53 2007 => System found infected with ezula Spyware/Adware (ebay.url)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with uplink Adware (installoptions.dll)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with uplink Adware (installoptions.dll)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with lop.com Spyware/Adware (sta3.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with superutilbar Adware (temp.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with netpumper Spyware/Adware (C:\Programme\netpumper\zm\minime.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with mybugfreepc Corrupted Adware/Spyware (C:\WINDOWS\unvise32.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Fri Aug 03 10:11:54 2007 => File C:\DOKUME~1\ALLUSE~1\ANWEND~1\LICENS~1\BITSCH~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:11:54 2007 => File C:\DOKUME~1\ALLUSE~1\ANWEND~1\DEAFME~1\BONERD~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:11:55 2007 => File C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\BOOBSH~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:33 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\DOWNLOAD META.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:33 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\send open.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\afgcocmh.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\avvthgtf.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\bitlqrzt.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\boob shim.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\idle bits blue.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\idle mfcd grey.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:19:42 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\36\383a6924-49c3f349/BaaaaBaa.class infected by "Trojan.Java.ClassLoader.ao" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:19:51 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\43\5af4726b-28621864/Dummy.class infected by "Trojan-Downloader.Java.OpenStream.v" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:10 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\6ac9be3c-56cb6f3d/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:48 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-13161adf-73c5c7bf.zip/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:50 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-4ace4a3-2f02005c.zip/BaaaaBaa.class infected by "Trojan.Java.ClassLoader.ao" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:50 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\dialarch.jar-571971d9-71081099.zip/Dummy.class infected by "Trojan-Downloader.Java.OpenStream.v" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:33:31 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\AutoDL%3FBundleId=11026_b197d946.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:33:40 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\bis78.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:34:22 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\sta3.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:05:50 2007 => File C:\Programme\Media-Codec\uninst.exe infected by "Trojan-Downloader.Win32.Zlob.vn" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:09:53 2007 => File C:\Programme\NetPumper\ZM\minime.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:13:11 2007 => File C:\Programme\totalcommander\run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:13:13 2007 => File C:\Programme\totalcommander\twkt654a.exe/run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Fri Aug 03 10:15:23 2007 => File C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 10:15:26 2007 => File C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\kewhhjsh.default\Cache\0C5F542Cd01/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 11:16:43 2007 => File C:\RECYCLER\S-1-5-21-1839656885-3724385041-1575707048-500\Dc1.zip/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 11:29:40 2007 => File C:\WINDOWS\system32\cmdow.exe tagged as "not-a-virus:RiskTool.Win32.HideWindows". Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Fri Aug 03 10:13:26 2007 => Offending file found: C:\DOKUME~1\Fridge\LOKALE~1\Temp\sta3.exe
Fri Aug 03 10:13:26 2007 => Offending file found: C:\DOKUME~1\Fridge\LOKALE~1\Temp\temp.exe
Fri Aug 03 10:13:53 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Favoriten\antivirus test online.url
Fri Aug 03 10:13:53 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Favoriten\ebay.url
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\nse1b.tmp\installoptions.dll
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\nsu16.tmp\installoptions.dll
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\sta3.exe
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\temp.exe
Fri Aug 03 10:14:26 2007 => Offending file found: C:\Programme\netpumper\zm\minime.exe
Fri Aug 03 10:14:26 2007 => Offending file found: C:\WINDOWS\unvise32.exe
Fri Aug 03 10:14:26 2007 => Offending file found: C:\WINDOWS\icons
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Fri Aug 03 10:13:22 2007 => Offending Folder found: C:\Programme\netpumper
Fri Aug 03 10:13:36 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\netpumper
Fri Aug 03 10:13:44 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\toshiba\pcdiag\v3.0
Fri Aug 03 10:13:57 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
Fri Aug 03 10:14:23 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\Eigene Musik\metallica\load
Fri Aug 03 10:14:25 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Fri Aug 03 10:13:12 2007 => Offending Key found: HKLM\Software\netpumper !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\Software\whenu !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu2\programs\netpumper !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\\media-codec.chl !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Fri Aug 03 10:27:12 2007 => [Scanning Folder: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\Eigene Bilder\Adobe\Gescannte Fotos]


Arion 03.08.2007 11:21

Hello and welcome to Trojanerboard! :)

The eScan log alone is not enough to carry out a complete evaluation of the system.
Usually a "HiJackThis" log is enough for us.
Please submit one by following these instructions.

Fridge 03.08.2007 11:26

OK, here is the logfile

Code:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:02, on 03.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Mp3tag\Mp3tagQuickPick.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Fridge\Desktop\hijackthis\kThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe
O4 - HKLM\..\Run: [Up setup else log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [roam extra] C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\boob shim.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Programme\Mozilla Sunbird\sunbird.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Mp3tag Quick Pick.lnk = C:\Programme\Mp3tag\Mp3tagQuickPick.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {C61A2E0E-6D7E-4555-ACA0-50DB2CD83D4B} - C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe (HKCU)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - Unknown owner - C:\Programme\TOSHIBA\Power Management\CeEPwrSvc.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe


Franz1968 03.08.2007 11:33

Hello,

you have a Swizzor on your system, which should be removable with the help of these instructions.

The entries relevant to you are the following:
Quote:

Quote from Fridge
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe
O4 - HKLM\..\Run: [Up setup else log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe
O4 - HKCU\..\Run: [roam extra] C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\boob shim.exe

I haven't looked at your eScan logfile yet; I'll do that right away.
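
As an added example (not code from the thread or from any of the tools named in it), the following Python script does the correlation Franz1968 did by hand: it parses eScan "File ... infected by" lines and HijackThis O4 autostart entries and reports the autostarts whose executable the scanner flagged. The log lines are excerpts of the logs posted in this thread; the regexes and function names are the example's own, and matching is by file name only because HijackThis may print 8.3 short names where eScan printed the long path.

```python
"""Triage helper: correlate eScan 'infected' file hits with HijackThis O4
autostart entries so that flagged autostarts stand out.
Added example, not part of the thread; input is excerpted from the logs above."""
import re

# Excerpt of the eScan log posted in the thread (long-name entries only).
ESCAN_LOG = r"""
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\boob shim.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:05:50 2007 => File C:\Programme\Media-Codec\uninst.exe infected by "Trojan-Downloader.Win32.Zlob.vn" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:48 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-13161adf-73c5c7bf.zip/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
"""

# Excerpt of the HijackThis log posted in the thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe
O4 - HKLM\..\Run: [Up setup else log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe
O4 - HKCU\..\Run: [roam extra] C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\boob shim.exe
O4 - Global Startup: Mp3tag Quick Pick.lnk = C:\Programme\Mp3tag\Mp3tagQuickPick.exe
"""

ESCAN_FILE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) => File (?P<path>.+?) '
    r'infected by "(?P<sig>[^"]+)" Virus! Action Taken: (?P<action>.+?)\.$')
HJT_RUN_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HJT_STARTUP_RE = re.compile(
    r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')


def basename(path):
    """Last path component, lower-cased; eScan uses '/' inside archives."""
    return re.split(r'[\\/]', path)[-1].lower()


def exe_from_command(cmd):
    """Pull the executable path out of an O4 command line.

    Quoted paths end at the closing quote; unquoted ones are cut after the
    first '.exe', which copes with spaces in the path ('bits chin.exe') and
    with trailing arguments ('ISUSPM.exe -startup')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd


def parse_escan(text):
    """Return one dict per 'File ... infected by ...' line."""
    hits = []
    for line in text.splitlines():
        m = ESCAN_FILE_RE.match(line.strip())
        if m:
            hits.append({'path': m['path'], 'signature': m['sig'],
                         'cleaned': m['action'] != 'No Action Taken'})
    return hits


def parse_hjt_autostarts(text):
    """Return one dict per O4 Run/RunOnce/Startup entry."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        m = HJT_RUN_RE.match(s) or HJT_STARTUP_RE.match(s)
        if m:
            entries.append({'key': m['key'], 'name': m['name'],
                            'exe': exe_from_command(m['cmd'])})
    return entries


def correlate(escan_text, hjt_text):
    """Autostart entries whose executable eScan flagged, matched by file
    name only (HijackThis may print 8.3 short names such as DOKUME~1 where
    eScan printed the long path)."""
    by_name = {}
    for hit in parse_escan(escan_text):
        by_name.setdefault(basename(hit['path']), hit)
    flagged = []
    for entry in parse_hjt_autostarts(hjt_text):
        hit = by_name.get(basename(entry['exe']))
        if hit:
            flagged.append({**entry, 'signature': hit['signature'],
                            'cleaned': hit['cleaned']})
    return flagged


if __name__ == '__main__':
    for f in correlate(ESCAN_LOG, HJT_LOG):
        state = 'cleaned' if f['cleaned'] else 'still present'
        print(f"{f['key']:<16} [{f['name']}] -> {f['exe']}  ({f['signature']}, {state})")
```

An entry that eScan printed only under its 8.3 short name (BITSCH~1.EXE) would not match its long-name autostart; the logs in this thread list both forms, so all three Swizzor entries are found.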

Franz1968 03.08.2007 12:13

New post so that it doesn't get overlooked: ;)

1. Am I right that you have already uninstalled Netpumper? It seems to have brought the Swizzor with it.

2. Clear the Java cache: Start -> Settings -> Control Panel -> Java -> "General" tab -> Temporary Internet Files -> Settings -> Delete Files

3. Download CCleaner, decline the toolbar offered during installation, run it and delete everything it suggests.

4. Download SmitFraudFix, follow the instructions and carry out a clean-up.

Afterwards, report back with
- a new HJT logfile (but before the scan rename hijackthis.exe to hjt.exe, since more and more pests try to hide from HiJackThis)
- a new eScan log (created with find.bat, and complete)
- the contents of the file c:\rapport.txt created by SmitFraudFix

Please post the logfiles without code tags, i.e. just paste them into your post. That is clearer. :)

Important: you follow these tips at your own risk!

Fridge 03.08.2007 14:59

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Aug 03 10:11:54 2007 => File C:\DOKUME~1\ALLUSE~1\ANWEND~1\LICENS~1\BITSCH~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:11:54 2007 => File C:\DOKUME~1\ALLUSE~1\ANWEND~1\DEAFME~1\BONERD~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:11:55 2007 => File C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\BOOBSH~1.EXE infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:12:12 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 10:12:12 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({f7258f6e-9f60-49c0-8c82-f0a0993d68e0})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({a8b0f390-e6bf-4027-a4d4-1e4363f5e27b})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({a9e33220-0b05-11d7-88d2-444553540000})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with whenu.savenow Spyware/Adware ({c285d18d-43a2-4aef-83fb-bf280e660a97})! Action taken: No Action Taken.
Fri Aug 03 10:13:10 2007 => System found infected with netpumper Spyware/Adware ({e0abbf96-17dc-44ca-96d0-6217064a97ba})! Action taken: No Action Taken.
Fri Aug 03 10:13:26 2007 => System found infected with lop.com Spyware/Adware (sta3.exe)! Action taken: No Action Taken.
Fri Aug 03 10:13:26 2007 => System found infected with superutilbar Adware (temp.exe)! Action taken: No Action Taken.
Fri Aug 03 10:13:53 2007 => System found infected with smitfraud Browser Hijacker (antivirus test online.url)! Action taken: No Action Taken.
Fri Aug 03 10:13:53 2007 => System found infected with ezula Spyware/Adware (ebay.url)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with uplink Adware (installoptions.dll)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with uplink Adware (installoptions.dll)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with lop.com Spyware/Adware (sta3.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:13 2007 => System found infected with superutilbar Adware (temp.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with netpumper Spyware/Adware (C:\Programme\netpumper\zm\minime.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with mybugfreepc Corrupted Adware/Spyware (C:\WINDOWS\unvise32.exe)! Action taken: No Action Taken.
Fri Aug 03 10:14:26 2007 => System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:31 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:33 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\DOWNLOAD META.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:16:33 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\send open.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\afgcocmh.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\avvthgtf.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\bitlqrzt.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\boob shim.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\idle bits blue.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:18:57 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Planamenscr\idle mfcd grey.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:19:42 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\36\383a6924-49c3f349/BaaaaBaa.class infected by "Trojan.Java.ClassLoader.ao" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:19:51 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\43\5af4726b-28621864/Dummy.class infected by "Trojan-Downloader.Java.OpenStream.v" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:10 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\6.0\60\6ac9be3c-56cb6f3d/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:48 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-13161adf-73c5c7bf.zip/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:50 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-4ace4a3-2f02005c.zip/BaaaaBaa.class infected by "Trojan.Java.ClassLoader.ao" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:20:50 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\dialarch.jar-571971d9-71081099.zip/Dummy.class infected by "Trojan-Downloader.Java.OpenStream.v" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:33:31 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\AutoDL%3FBundleId=11026_b197d946.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:33:40 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\bis78.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 10:34:22 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Temp\sta3.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:05:50 2007 => File C:\Programme\Media-Codec\uninst.exe infected by "Trojan-Downloader.Win32.Zlob.vn" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:09:53 2007 => File C:\Programme\NetPumper\ZM\minime.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:13:11 2007 => File C:\Programme\totalcommander\run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:13:13 2007 => File C:\Programme\totalcommander\twkt654a.exe/run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
Fri Aug 03 11:32:52 2007 => Total Disinfected Objects: 0
Fri Aug 03 14:49:33 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 14:49:33 2007 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Fri Aug 03 14:49:34 2007 => System found infected with netpumper Spyware/Adware ({f7258f6e-9f60-49c0-8c82-f0a0993d68e0})! Action taken: No Action Taken.
Fri Aug 03 14:49:34 2007 => System found infected with netpumper Spyware/Adware ({a8b0f390-e6bf-4027-a4d4-1e4363f5e27b})! Action taken: No Action Taken.
Fri Aug 03 14:49:34 2007 => System found infected with netpumper Spyware/Adware ({a9e33220-0b05-11d7-88d2-444553540000})! Action taken: No Action Taken.
Fri Aug 03 14:49:34 2007 => System found infected with whenu.savenow Spyware/Adware ({c285d18d-43a2-4aef-83fb-bf280e660a97})! Action taken: No Action Taken.
Fri Aug 03 14:49:34 2007 => System found infected with netpumper Spyware/Adware ({e0abbf96-17dc-44ca-96d0-6217064a97ba})! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (process.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swreg.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swsc.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (process.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (reboot.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swreg.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with trojan-downloader.bat.ftp.ab Trojan-Downloader (swsc.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:39 2007 => System found infected with ezula Spyware/Adware (ebay.url)! Action taken: No Action Taken.
Fri Aug 03 14:49:42 2007 => System found infected with netpumper Spyware/Adware (C:\Programme\netpumper\zm\minime.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:43 2007 => System found infected with mybugfreepc Corrupted Adware/Spyware (C:\WINDOWS\unvise32.exe)! Action taken: No Action Taken.
Fri Aug 03 14:49:43 2007 => System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
Fri Aug 03 14:51:27 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\DOWNLOAD META.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 14:51:28 2007 => File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PILE INTER ACE REF\send open.exe infected by "Trojan.Win32.Inject.au" Virus! Action Taken: No Action Taken.
Fri Aug 03 14:54:05 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-13161adf-73c5c7bf.zip/BlackBox.class infected by "Trojan-Downloader.Java.OpenConnection.aa" Virus! Action Taken: No Action Taken.
Fri Aug 03 14:54:06 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-4ace4a3-2f02005c.zip/BaaaaBaa.class infected by "Trojan.Java.ClassLoader.ao" Virus! Action Taken: No Action Taken.
Fri Aug 03 14:54:06 2007 => File C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\dialarch.jar-571971d9-71081099.zip/Dummy.class infected by "Trojan-Downloader.Java.OpenStream.v" Virus! Action Taken: No Action Taken.
Fri Aug 03 15:29:51 2007 => File C:\Programme\NetPumper\ZM\minime.exe infected by "Trojan.Win32.Obfuscated.en" Virus! Action Taken: No Action Taken.
Fri Aug 03 15:32:28 2007 => File C:\Programme\totalcommander\run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
Fri Aug 03 15:32:29 2007 => File C:\Programme\totalcommander\twkt654a.exe/run.exe infected by "Trojan-Downloader.Win32.Zlob.ta" Virus! Action Taken: No Action Taken.
Fri Aug 03 15:36:29 2007 => File C:\System Volume Information\_restore{AD75C7A0-8634-4851-8FE2-E6E685C78125}\RP1\A0000216.exe infected by "Trojan-Downloader.Win32.Zlob.vn" Virus! Action Taken: No Action Taken.
Fri Aug 03 15:46:35 2007 => Total Disinfected Objects: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Aug 03 10:15:23 2007 => File C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 10:15:26 2007 => File C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\kewhhjsh.default\Cache\0C5F542Cd01/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 11:16:43 2007 => File C:\RECYCLER\S-1-5-21-1839656885-3724385041-1575707048-500\Dc1.zip/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 11:29:40 2007 => File C:\WINDOWS\system32\cmdow.exe tagged as "not-a-virus:RiskTool.Win32.HideWindows". Action Taken: No Action Taken.
Fri Aug 03 14:50:29 2007 => File C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 14:50:30 2007 => File C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\kewhhjsh.default\Cache\0C5F542Cd01/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 14:58:18 2007 => File C:\Dokumente und Einstellungen\Fridge\Desktop\SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 14:58:20 2007 => File C:\Dokumente und Einstellungen\Fridge\Desktop\SmitfraudFix.exe//data.rar/SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 15:02:25 2007 => File C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\f08qa09r.default\Cache\63329BDCd01//data.rar/SmitfraudFix\Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 15:35:40 2007 => File C:\RECYCLER\S-1-5-21-1839656885-3724385041-1575707048-500\Dc1.zip/SmitfraudFix/Reboot.exe tagged as "not-a-virus:RiskTool.Win32.Reboot.f". Action Taken: No Action Taken.
Fri Aug 03 15:44:14 2007 => File C:\WINDOWS\system32\cmdow.exe tagged as "not-a-virus:RiskTool.Win32.HideWindows". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Aug 03 10:13:12 2007 => Offending Key found: HKLM\Software\netpumper !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\Software\whenu !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu2\programs\netpumper !!!
Fri Aug 03 10:13:12 2007 => Offending Key found: HKCU\\media-codec.chl !!!
Fri Aug 03 10:13:22 2007 => Offending Folder found: C:\Programme\netpumper
Fri Aug 03 10:13:26 2007 => Offending file found: C:\DOKUME~1\Fridge\LOKALE~1\Temp\sta3.exe
Fri Aug 03 10:13:26 2007 => Offending file found: C:\DOKUME~1\Fridge\LOKALE~1\Temp\temp.exe
Fri Aug 03 10:13:36 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\netpumper
Fri Aug 03 10:13:44 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\toshiba\pcdiag\v3.0
Fri Aug 03 10:13:53 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Favoriten\antivirus test online.url
Fri Aug 03 10:13:53 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Favoriten\ebay.url
Fri Aug 03 10:13:57 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\nse1b.tmp\installoptions.dll
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\nsu16.tmp\installoptions.dll
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\sta3.exe
Fri Aug 03 10:14:13 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Lokale Einstellungen\temp\temp.exe
Fri Aug 03 10:14:23 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\Eigene Musik\metallica\load
Fri Aug 03 10:14:25 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
Fri Aug 03 10:14:26 2007 => Offending file found: C:\Programme\netpumper\zm\minime.exe
Fri Aug 03 10:14:26 2007 => Offending file found: C:\WINDOWS\unvise32.exe
Fri Aug 03 10:14:26 2007 => Offending file found: C:\WINDOWS\icons
Fri Aug 03 14:49:36 2007 => Offending Key found: HKLM\Software\netpumper !!!
Fri Aug 03 14:49:36 2007 => Offending Key found: HKCU\Software\whenu !!!
Fri Aug 03 14:49:36 2007 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu2\programs\netpumper !!!
Fri Aug 03 14:49:39 2007 => Offending file found: C:\WINDOWS\system32\process.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\WINDOWS\system32\swreg.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\WINDOWS\system32\swsc.exe
Fri Aug 03 14:49:39 2007 => Offending Folder found: C:\Programme\netpumper
Fri Aug 03 14:49:39 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\netpumper
Fri Aug 03 14:49:39 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Anwendungsdaten\toshiba\pcdiag\v3.0
Fri Aug 03 14:49:39 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Desktop\smitfraudfix\process.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Desktop\smitfraudfix\reboot.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Desktop\smitfraudfix\swreg.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Desktop\smitfraudfix\swsc.exe
Fri Aug 03 14:49:39 2007 => Offending file found: C:\Dokumente und Einstellungen\Fridge\Favoriten\ebay.url
Fri Aug 03 14:49:40 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
Fri Aug 03 14:49:40 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\Eigene Musik\metallica\load
Fri Aug 03 14:49:40 2007 => Offending Folder found: C:\Dokumente und Einstellungen\Fridge\Eigene Dateien\eigene musik\metallica\load
Fri Aug 03 14:49:42 2007 => Offending file found: C:\Programme\netpumper\zm\minime.exe
Fri Aug 03 14:49:43 2007 => Offending file found: C:\WINDOWS\unvise32.exe
Fri Aug 03 14:49:43 2007 => Offending file found: C:\WINDOWS\icons
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Aug 03 11:32:52 2007 => Total Objects Scanned: 85971
Fri Aug 03 15:46:35 2007 => Total Objects Scanned: 80052
Fri Aug 03 11:32:52 2007 => Total Critical Objects: 58
Fri Aug 03 11:32:52 2007 => Total Disinfected Objects: 0
Fri Aug 03 11:32:52 2007 => Total Deleted Objects: 0
Fri Aug 03 15:46:35 2007 => Total Critical Objects: 43
Fri Aug 03 15:46:35 2007 => Total Disinfected Objects: 0
Fri Aug 03 15:46:35 2007 => Total Deleted Objects: 0
Fri Aug 03 11:32:52 2007 => Total Errors: 84
Fri Aug 03 15:46:35 2007 => Total Errors: 87
Fri Aug 03 11:32:52 2007 => Time Elapsed: 01:21:31
Fri Aug 03 15:46:35 2007 => Time Elapsed: 00:57:40
Fri Aug 03 10:10:31 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 11:32:52 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 11:33:46 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 14:28:58 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 14:48:43 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 15:46:35 2007 => Virus Database Date: 8/2/2007
Fri Aug 03 15:47:22 2007 => Virus Database Date: 8/2/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Fridge 03.08.2007 15:01

Logfile of HijackThis v1.99.1
Scan saved at 15:57:12, on 03.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Mp3tag\Mp3tagQuickPick.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Fridge\Desktop\hijackthis\Hjt.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Option Bib Logo Log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\LICENSE ADMIN OPTION BIB\bits chin.exe
O4 - HKLM\..\Run: [Up setup else log] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Deaf Meal Log License\Bone Rdr Jugs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [roam extra] C:\DOKUME~1\Fridge\ANWEND~1\PLANAM~1\boob shim.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Programme\Mozilla Sunbird\sunbird.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Mp3tag Quick Pick.lnk = C:\Programme\Mp3tag\Mp3tagQuickPick.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {C61A2E0E-6D7E-4555-ACA0-50DB2CD83D4B} - C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe (HKCU)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CeEPwrSvc - Unknown owner - C:\Programme\TOSHIBA\Power Management\CeEPwrSvc.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Fridge 03.08.2007 15:03

SmitFraudFix v2.207

Scan done at 14:44:08,84, 03.08.2007
Run from C:\Dokumente und Einstellungen\Fridge\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOKUME~1\Fridge\FAVORI~1\Antivirus Test Online.url Deleted
C:\Programme\Media-Codec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A43BD00F-9C34-47E1-828F-2D0D49B59D1C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A43BD00F-9C34-47E1-828F-2D0D49B59D1C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A43BD00F-9C34-47E1-828F-2D0D49B59D1C}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Fridge 03.08.2007 15:04

I have now posted the new files!

Franz1968 03.08.2007 15:04

OK, you ran SmitFraudFix. What else?

Fridge 03.08.2007 15:18

mwavscan.com or something like that, and then find.bat
and HijackThis

Franz1968 03.08.2007 15:38

It almost looks as if you have worked through the Swizzor removal guide, because the three iexplore.exe entries no longer show up in your current HJT logfile.

Did you work through it?

Fridge 03.08.2007 16:20

Yep, I did!

I only had to remove the folder; the rest wasn't there!

Or which other programs smuggle Swizzor in?


Copyright ©2000-2025, Trojaner-Board