Trojaner-Board - Von Jedem ein wenig und sie kommen immer wieder

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Von Jedem ein wenig und sie kommen immer wieder (https://www.trojaner-board.de/9104-wenig-kommen-immer.html)

Von Jedem ein wenig und sie kommen immer wieder

Also vorne weg Ich --> Firma ; Rechner--> Kunde!

Plage mich schon länger mit dem Problem!

Bei einer, meiner Meinung deaktivierten Systemwiederherstellung (Häkchen drin! bei Me unter Arbeitsplatz->Systemsteuerung->System->Leistungsmerkmale->Dateisystem),
kommen die Biester immer wieder!
Und zwar in C:\_Restore! (Ordner nicht vorhanden)

E-scan findet sie zwar und will sie nach Neustart löschen!
Und Schwubbs sind sie wieder da!

Bin für jede Hilfe dankbar!

Hier noch Hijack und e-scan log

Logfile of HijackThis v1.98.2
Scan saved at 14:31:42, on 02.11.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\SSK\SSK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\A2\A2GUARD.EXE
C:\PROGRAMME\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAMME\SPYWAREGUARD\SGBHP.EXE
C:\BASES\MWAVSCAN.COM
C:\BASES\KAVSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freenet.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=137837
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freenet.de/
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUNDLG32.DLL (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SuperSpamKiller] C:\PROGRA~1\SSK\SSK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKCU\..\Run: [a²] "C:\Programme\a2\a2guard.exe"
O4 - HKCU\..\RunServices: [a²] "C:\Programme\a2\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMME\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...hase_3/vet.htm
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

-----------------------------------------------------------------------------------------------

Tue Nov 02 15:09:57 2004 => ***** Scanning complete. *****

Tue Nov 02 15:09:57 2004 => Total Number of Files Scanned: 26019
Tue Nov 02 15:09:57 2004 => Total Number of Virus(es) Found: 231
Tue Nov 02 15:09:57 2004 => Total Number of Disinfected Files: 0
Tue Nov 02 15:09:57 2004 => Total Number of Files Renamed: 1
Tue Nov 02 15:09:57 2004 => Total Number of Deleted Files: 0
Tue Nov 02 15:09:57 2004 => Total Number of Errors: 245
Tue Nov 02 15:09:57 2004 => Time Elapsed: 00:35:03
Tue Nov 02 15:09:57 2004 => Virus Database Date: 2004/10/19
Tue Nov 02 15:09:57 2004 => Virus Database Count: 106971

Tue Nov 02 15:09:57 2004 => Scan Completed.

Welche Version von eScan hast Du?
Ich vermute mal außerdem, daß deine "temp" Ordner randvoll sind.
Lade Dir mal clearprog runter und führe es aus (alle Häkchen bei IE und Windows) und mach dann einen neuen eScan. Ich denke er wird dann weniger als 231 Viren finden.
Dann berichte bitte neu.
cacatoa

Habe bereits alle temp's geleert!

E-scan (Download 02.11.04) löscht sie auch nach 'nem Reboot,
aber bei 'nem erneuten Scan sind sie wieder da!

<Danke erstmal !>

@Elsch_27

wechsle mal in den abgesicherten modus(bei deaktivierten systemwiederherstellung) und fixe (häkchen setzen und Fix Checked clicken)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=137837
3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUNDLG32.DLL (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAMME\SIDEFIND\SIDEFIND.DLL (file missing)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...phase_3/vet.htm
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
neu starten, systemwiederherstellung aktivieren, neue scan mit HJT machen und hier posten

chaosman

Der Kunde hat den Rechner erstmal wieder mitgenommen!

Wenn er ihn wieder bringt probier ich es nochmal!

Ich poste dann die neue log nochmal!

Wär also schön wenn ihr noch mal ein Auge auf das Thema hab!

<Danke>

Hab den Rechner jetzt wieder in der Werkstatt!

Hab alles wie beschrieben gefixt!

Das ist die log nach erneutem Scan:

Logfile of HijackThis v1.98.2
Scan saved at 14:08:47, on 04.11.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\SSK\SSK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\A2\A2GUARD.EXE
C:\PROGRAMME\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAMME\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freenet.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freenet.de/
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SuperSpamKiller] C:\PROGRA~1\SSK\SSK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKCU\..\Run: [a²] "C:\Programme\a2\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...hase_3/vet.htm

Ich hoffe ihr könnt mir irgendwie helfen!

<Danke>

Hallo Elsch_27,

MSIE: Internet Explorer v5.50 (5.50.4134.0600) - Dies ist eine antike Version des IE, bitte updaten!: www.windowsupdate.com

Überprüfe mit virusscan.jotti.dhs.org:

C:\PROGRAMME\SSK\SSK.EXE

--> Ergebnis?

Boote in den abgesicherten Modus, deaktiviere die Systemwiederherstellung, und fixe dann mit Hijack This, wenn folgender Eintrag nicht benötigt wird:

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - ht*ps://components.viewpoint.com/MT...phase_3/vet.htm

boote in den normalen Modus.
Aktiviere die Systemwiederherstellung,

Hast Du die Dateien, die der eScan als Malware erkannt hat, im abgesicherten Modus mit deaktivierter Systemwiederherstellung gelöscht? Es ist bei win XP und ME notwendig, die Systemwiederherstellung zu deaktivieren, da die Dateien sonst bei einem Neustart des Rechners wieder auf dem System hergestellt werden.

Vielleicht wäre ein Browserwechsel angebracht: Alternative Browser und hier weitere Tips zur Vorbeugung.

SD

Danke für die Tip's!

Aber nach jedem Reboot findet E-scan weiterhin:

File C:\_RESTORE\TEMP\A0014841.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015061.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015075.1 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015340.1 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015416.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015424.1 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015432.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015651.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015659.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015675.1 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015886.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015893.0 infected by "TrojanDownloader.Win32.Small.fo" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015895.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015897.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015899.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015901.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015903.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015905.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015907.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015909.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015911.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015913.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015915.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015917.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015919.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015921.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015923.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015925.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015927.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015958.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015960.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015962.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015964.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015966.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015968.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015970.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015972.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015974.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015976.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015978.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015980.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015982.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015984.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015986.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015988.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015990.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015992.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015994.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015996.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0015998.1 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.
File C:\_RESTORE\TEMP\A0016000.0 infected by "I-Worm.Bagle.j" Virus. Action Taken: File to be deleted on reboot.

Kann mir absolut nicht helfen!
Wäre nett wenn jemand weitere Lösungsvorschläge hätte!

<Danke>

@ Elsch_27,

lade das Clear Prog runter, leere damit den Ordner File C:\_RESTORE\TEMP, Temporary Internet Files, Cookies und den Verlauf.

Spiele das Removal Tool gegen I-Worm.Bagle.j auf (Win32.Bagle.AX@mm), scanne damit den Rechner und lass die Probleme beheben.

SD