At the end of my tether :( I apparently have one or more trojans on my system (Win2000 SP4). About once a minute an Internet Explorer window with advertising pages opens. I have scanned the system umpteen times with Ad-Aware, also in safe mode. Ad-Aware always finds several registry entries and infected files (mainly from "Ebates Money Maker"). But once Ad-Aware has supposedly deleted the files, they are back at the next scan and the problem is still there. Oddly, WHILE Ad-Aware is scanning, the windows do not appear. HijackThis and Spybot also find some infected files and registry entries, but deleting them does nothing either. I would be very, very, very grateful for help!

NOTES ON THE LOGFILE: The file "C:\winnt\system32\elitetis32.exe" named in the HijackThis log cannot be found with Explorer (it is not a hidden file either). "DeltTray" is the tray utility of my sound card, so it is harmless.
Here is the HijackThis log file:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DeltTray.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Programme\palmOne\HOTSYNC.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Ad-Aware SE Personal\Ad-Aware.exe
C:\DOKUME~1\THEGRE~1\LOKALE~1\Temp\Rar$EX00.125\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitetis32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: HotSync Manager.lnk = C:\Programme\palmOne\HOTSYNC.EXE
O4 - Global Startup: Configuration Utility.lnk = C:\Programme\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Bild in &Microsoft PhotoDraw öffnen - res://C:\PROGRA~1\MICROS~2\Office\1031\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Herunterladen mit Net Transport - C:\Programme\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Oh yes, and the one from Ad-Aware:

Ad-Aware SE Build 1.05
Logfile Created on:Mittwoch, 16. März 2005 20:42:18
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R32 10.03.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):13 total references
MRU List(TAC index:0):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

16.03.2005 20:42:18 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-1292428093-706699826-1343024091-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 16.03.2005 19:24:03
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 16.03.2005 19:24:09
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 16.03.2005 19:24:11
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 16.03.2005 19:24:13
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 16.03.2005 19:24:13
BasePriority : Normal
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : LSA-Exe und Server-DLL
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 424
ThreadCreationTime : 16.03.2005 19:24:15
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 452
ThreadCreationTime : 16.03.2005 19:24:15
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:8 [avguard.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 480
ThreadCreationTime : 16.03.2005 19:24:15
BasePriority : Normal

#:9 [avwupsrv.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 492
ThreadCreationTime : 16.03.2005 19:24:15
BasePriority : Normal

#:10 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 512
ThreadCreationTime : 16.03.2005 19:24:15
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:11 [nvsvc32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 552
ThreadCreationTime : 16.03.2005 19:24:16
BasePriority : Normal
FileVersion : 6.13.10.2942
ProductVersion : 6.13.10.2942
ProductName : NVIDIA Driver Helper Service, Version 29.42
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 29.42
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:12 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 584
ThreadCreationTime : 16.03.2005 19:24:16
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:13 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 616
ThreadCreationTime : 16.03.2005 19:24:17
BasePriority : Normal
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
ProductName : Taskplaner für Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Taskplaner-Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:14 [vsmon.exe]
FilePath : C:\WINNT\system32\ZoneLabs\
ProcessID : 664
ThreadCreationTime : 16.03.2005 19:24:18
BasePriority : Normal
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
ProductName : TrueVector Service
CompanyName : Zone Labs LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs LLC
OriginalFilename : vsmon.exe

#:15 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 708
ThreadCreationTime : 16.03.2005 19:24:20
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows-Verwaltungsinstrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:16 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 724
ThreadCreationTime : 16.03.2005 19:24:20
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:17 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 916
ThreadCreationTime : 16.03.2005 19:24:30
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:18 [delttray.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1028
ThreadCreationTime : 16.03.2005 19:24:33
BasePriority : Normal
FileVersion : 5.1.0.01
ProductVersion : 5.1.0.01
ProductName : M Audio Delta Control Panel Interface System Tray Applet
CompanyName : Doug Fetter Software Wizardry
FileDescription : M Audio Delta Control Panel Interface System Tray Applet
InternalName : Delta Panel System Tray Applet
LegalCopyright : Copyright © 2002 Midiman, Inc. All rights reserved.
LegalTrademarks : M Audio (TM) is a legal trademark of MIDIMAN, Inc.
OriginalFilename : DeltTray.EXE
Comments : Developed by Doug Fetter Software Wizardry

#:19 [avgnt.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 1044
ThreadCreationTime : 16.03.2005 19:24:33
BasePriority : Normal

#:20 [zlclient.exe]
FilePath : C:\Programme\Zone Labs\ZoneAlarm\
ProcessID : 1100
ThreadCreationTime : 16.03.2005 19:24:34
BasePriority : Normal
FileVersion : 5.5.062.011
ProductVersion : 5.5.062.011
ProductName : Zone Labs Client
CompanyName : Zone Labs LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2005, Zone Labs LLC
OriginalFilename : zlclient.exe

#:21 [wlanutil.exe]
FilePath : C:\Programme\MA311 PCI Adapter Configuration Utility\
ProcessID : 1140
ThreadCreationTime : 16.03.2005 19:24:36
BasePriority : Normal

#:22 [hotsync.exe]
FilePath : C:\Programme\palmOne\
ProcessID : 1184
ThreadCreationTime : 16.03.2005 19:24:40
BasePriority : Normal
FileVersion : 4.0.4
ProductVersion : 4.1.0
ProductName : HotSync® Manager, Palm Desktop
CompanyName : Palm, Inc.
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-2001 Palm, Inc.
LegalTrademarks : HotSync® is a registered trademark of Palm, Inc.
OriginalFilename : Hotsync.exe

#:23 [firefox.exe]
FilePath : C:\Programme\Mozilla Firefox\
ProcessID : 276
ThreadCreationTime : 16.03.2005 19:35:14
BasePriority : Normal

#:24 [ad-aware.exe]
FilePath : C:\Programme\Ad-Aware SE Personal\
ProcessID : 676
ThreadCreationTime : 16.03.2005 19:41:51
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-1292428093-706699826-1343024091-1000\software\lq
Value : AC

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 2

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 14

20:47:03 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:44.449
Objects scanned:86371
Objects identified:13
Objects ignored:0
New critical objects:13
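An added example, not code from the original post or from HijackThis or Ad-Aware: a small Python check that parses the O4 autorun entries of a log like the one above and reports which Run values point at a file that cannot be found on disk, the discrepancy the poster describes for elitetis32.exe. The sample O4 lines are taken from the post; the disk contents (FAKE_DISK) and the search directories (SEARCH_DIRS) are constructed assumptions.

```python
import re

# Constructed sample input: the O4 (autorun) lines from the HijackThis log posted above.
SAMPLE_O4 = r"""O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitetis32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# Constructed stand-in for the disk: lower-cased paths that "exist" on this machine.
# elitetis32.exe is deliberately absent, mirroring what the poster observed.
FAKE_DISK = {
    r"c:\winnt\system32\mobsync.exe",
    r"c:\winnt\system32\rundll32.exe",
    r"c:\winnt\system32\delttray.exe",
    r"c:\programme\avpersonal\avgnt.exe",
    r"c:\programme\zone labs\zonealarm\zlclient.exe",
}

# Where Windows looks for a bare file name in a Run value (assumed Win2000 layout).
SEARCH_DIRS = [r"c:\winnt\system32", r"c:\winnt"]

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def executable_of(cmd):
    """Return the program part of a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, may contain spaces
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]                   # unquoted: first token is the program

def resolve(exe, exists):
    """Map an executable reference to an on-disk path, or None if not found."""
    exe = exe.lower()
    candidates = [exe] if "\\" in exe else [d + "\\" + exe for d in SEARCH_DIRS]
    return next((c for c in candidates if exists(c)), None)

def audit_o4(log_text, exists):
    """Parse O4 lines; report per entry whether its target file is present."""
    report = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        status = "present" if resolve(exe, exists) else "missing"
        report.append({"name": m.group("name"), "exe": exe, "status": status})
    return report

def missing_targets(log_text, exists):
    """Names of Run entries whose file cannot be found: inspect these first."""
    return [e["name"] for e in audit_o4(log_text, exists) if e["status"] == "missing"]
```

Calling audit_o4(SAMPLE_O4, FAKE_DISK.__contains__) flags only the [etbrun] entry; on a live system pass os.path.exists instead of the constructed set, and an entry reported as missing means the registry still references a file Explorer cannot see, which is the pattern to investigate.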
@transistor, please post your logfile with system info and HJT version info. chaosman
You should also run eScan AntiVirus in safe mode as described. Afterwards, post the virus log information from eScan AntiVirus: open mwav.log in the folder C:\bases -> Edit -> Find -> enter "infected" or "tagged" -> Find Next -> mark/copy the hits and paste them into the forum.
Copyright ©2000-2025, Trojaner-Board