Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Trojaner "O" (https://www.trojaner-board.de/10877-trojaner-o.html)

the_irishman 17.12.2004 12:17
Trojaner "O"
 
Hallo zusammen,

habe z.Z. ein Problem: Norton AV findet einen Trojaner, kann ihn aber nicht löschen, Zugriff verweigert. Gefunden wird er in system32/O.

Sobald ich die besagte Datei im Explorer anklicke, kommt die Meldung, dass der Computer in xy Sekunden heruntergefahren wird.

Kann mir jemand einen Tipp geben?

Grüßle

the_irishman

MountainKing 17.12.2004 12:26
Bitte ein Log mit diesem Programm erstellen:

http://www.trojaner-board.de/51130-a...ijackthis.html

Inhalt hier ins Forum posten.

the_irishman 18.12.2004 00:02
Logfile of HijackThis v1.99.0
Scan saved at 00:01:02, on 18.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\LckFldService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sec4win.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programme\Medion\PowerCinema\My_TV\Agent.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\Telekom\T-Sinus 620data\Capictrl.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Opera7\Opera.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Matthias\Lokale Einstellungen\Temp\Temporäres Verzeichnis 2 für hijackthis199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = days, days, days run away like horses over the hills...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Programme\WinSweep\ws.js
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &WINSWEEP Toolbar - {E915E62E-41DA-40D0-8106-3438B4D24394} - C:\Programme\WinSweep\SurfBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] REM nwiz.exe /install
O4 - HKLM\..\Run: [Dit] REM Dit.exe
O4 - HKLM\..\Run: [NVRT] C:\Programme\NVRefreshTool\nvrt.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [IFSplash] REM ImmSplsh.exe
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive
O4 - HKLM\..\Run: [NvCplDaemon] REM RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Agent] C:\Programme\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [dngkduw] REM C:\WINDOWS\ryhcrzffa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [CheckMedi8or] C:\Programme\Mediator6\CheckNewUser.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [dOlHf] REM C:\WINDOWS\meupmmr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TCMKeyboard ] C:\PROGRA~1\TCMCOM~1\PS2USBKBDDrv.exe
O4 - HKLM\..\Run: [TCMMouse ] C:\PROGRA~1\TCMCOM~1\MouseDrv.exe
O4 - HKCU\..\Run: [TransparentIcons] "C:\Programme\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [Tweak-XP] REM
O4 - HKCU\..\Run: [TransTask] REM
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
O4 - HKCU\..\Run: [SpyEmergency] "C:\Programme\Spy Emergency\SpyEmergency.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: CAPIControl.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MedionShop - {36AF14E3-8E6A-413E-A01F-360900AD6802} - http://www.medionshop.de (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Cl.../OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2CEF6C9-FC47-4522-897C-59D9997DC507}: NameServer = 145.253.2.81 145.253.2.203
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: Firebird Guardian - DefaultInstance - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance - The Firebird Project - C:\Programme\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: LckFldService - Unknown - C:\WINDOWS\System32\LckFldService.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sec4Win-Dienst - Unknown - C:\WINDOWS\System32\sec4win.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

*Christian* 18.12.2004 00:19
Fixe mit HijackThis dies:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = days, days, days run away like horses over the hills...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,AutoConfigURL = file://C:\Programme\WinSweep\ws.js
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MedionShop - {36AF14E3-8E6A-413E-A01F-360900AD6802} - http://www.medionshop.de (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/C...7/OCI/setup.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)


Scanne anschl. hiermit im abg. Modus: http://www.trojaner-board.de/42731-escan-anleitung.html

Wo wird was gefunden?

the_irishman 18.12.2004 00:33
Danke! Habe das Tool, lasse den Scan durchlaufen...

the_irishman 18.12.2004 10:46
Also: Scan ist durch, folgende Ergebnisse:

File C:\WINDOWS\tool5.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\tools.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HIJTU4N6\istdownload[1].exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\Programme\EasyDivX\softs\ck.exe tagged as not-a-virus:Tool.Win32.Pcwelt.a. No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\1942662C.exe infected by "TrojanDropper.Win32.Small.ig" Virus. Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29DB45E9.zip infected by "Trojan.Java.ClassLoader.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp\fDpCfmG.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp\fft1ydJ.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\tool5.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\tools.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.

*Christian* 18.12.2004 15:18
Leere den Norton-Quarantäne-Ordner, deinen Temp und Temp.-Internet-Files-Ordner.

Die restlichen infizierten Dateien lösche manuell im abg. Modus.


Alle Zeitangaben in WEZ +1. Es ist jetzt 23:34 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131