bekomm den trojaner TR/Dldr.Dyfuca.DB nich in griff

hab seit 2 tagen den trojaner TR/Dldr.Dyfuca.DB auf meinem rechner. wenn ich eine internetverbindung herstelle meldet Antivir immer eine infizierte datei names INSTALLER.EXE in meinem temp ordner. egal ob ich sie lösche, umbenenne oder verschiebe, wenn ich den rechner neustarte und wieder online gehe kommt die selbe meldung
ausserdem öffnet sich danach immer der internet explorer und will auf http://rev0lt.net/index.**** zugreifen. (die sternchen stehen für html, habs nur verändert das sich nich irgendwer ausversehen auch den trojaner einfängt.)
hab echt schon alles versucht, aber der trojaner ist nich zu finden wenn ich offline bin, taucht nur auf sobald ich eine internetverdung herstelle.

bin echt am verzweifeln und für jeden tipp dankbar

 

Hallo,

das eScan AV Toolkit (mwav.exe) herunterladen, die Datei in den Ordner "c:\Bases" (wichtig !) entpacken und danach die "kavupd.exe" (Update) ausführen.
Abgesicherter Modus und den Scanner mit der "mwavscan.com" starten. Alle Häkchen setzen und "Scan clean" klicken.
http://www.mwti.net/antivirus/free_utilities.asp

Poste danach die Virus Log Information des eScan.

 

Hallo Marta1983!

Lt. Ewido.net gibts schon eine lange Liste dazu:

1. TrojanDownloader.Dyfuca
2. TrojanDownloader.Dyfuca.aa
3. TrojanDownloader.Dyfuca.ac
4. TrojanDownloader.Dyfuca.ae
5. TrojanDownloader.Dyfuca.af
6. TrojanDownloader.Dyfuca.ak
7. TrojanDownloader.Dyfuca.ar
8. TrojanDownloader.Dyfuca.bb
9. TrojanDownloader.Dyfuca.bm
10. TrojanDownloader.Dyfuca.bn
11. TrojanDownloader.Dyfuca.bq
12. TrojanDownloader.Dyfuca.bw
13. TrojanDownloader.Dyfuca.bx
14. TrojanDownloader.Dyfuca.cn
15. TrojanDownloader.Dyfuca.cq
16. TrojanDownloader.Dyfuca.cr
17. TrojanDownloader.Dyfuca.cs
18. TrojanDownloader.Dyfuca.ct
19. TrojanDownloader.Dyfuca.cy
20. TrojanDownloader.Dyfuca.g
21. TrojanDownloader.Dyfuca.i
22. TrojanDownloader.Dyfuca.j
23. TrojanDownloader.Dyfuca.v
24. TrojanDownloader.Dyfuca.x
25. TrojanDownloader.Dyfuca.y

"Dein" TR/Dldr.Dyfuca.DB ist zwar da noch nicht aufgeführt (oder wird bei Ewido anders bezeichnet). Evlt. auch die infizierte Datei zur Analyse einschicken. Die Hersteller sind ja auch auf die Interaktion mit den Usern angewiesen und prüfen solche Einsendungen bzw. aktualisieren dann gffls. ihre Signaturen.

Aber eScan AV Toolkit (was ja bekanntlich Kaspersky ist) sollte diesen Lümmel auf jeden Fall finden und dann auch hoffentlich killen können.

Zur "Familie" der TR/Dldr.Dyfuca gibts noch einen Link bei Rokop-Security: http://www.rokop-security.de/board/index.php?showtopic=4817&st=0&#entry49479

Einfach mal durchlesen. Aber zunächst mal das Ergebnisse bei eScan abwarten.
Meine Hinweise sind da nur zur Ergänzung.

 

File C:\Dokumente und Einstellungen\Martin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4PMRW1YJ\bridge-c7[1].cab infected by "not-a-virus:AdvWare.WinAD" Virus. Action Taken: File Renamed.

File C:\Programme\Gamers.IRC\backup\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.03. No Action Taken.

File C:\System Volume Information\_restore{79110301-8ABD-42A9-B6B3-C8AE063E0AC5}\RP25\A0003116.dll infected by "not-a-virus:AdvWare.WinAD" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{79110301-8ABD-42A9-B6B3-C8AE063E0AC5}\RP25\A0003168.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{79110301-8ABD-42A9-B6B3-C8AE063E0AC5}\RP28\A0003499.dll infected by "not-a-virus:AdvWare.WinAD" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{79110301-8ABD-42A9-B6B3-C8AE063E0AC5}\RP31\A0004660.dll infected by "not-a-virus:AdvWare.WinAD" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{79110301-8ABD-42A9-B6B3-C8AE063E0AC5}\RP31\A0004664.exe infected by "not-a-virus:AdvWare.PurityScan.u" Virus. Action Taken: File Renamed.

File C:\WINDOWS\Downloaded Program Files\SyncroAdX.dll infected by "not-a-virus:AdvWare.WinAD" Virus. Action Taken: File Renamed.

 

Erstelle zur Sicherheit mit HiJackThis ein Log-File und poste es hier rein.
Persönliche Informationen, wie Benutzername und dergleichen, bitte unkenntlich machen.

 

Logfile of HijackThis v1.98.2
Scan saved at 19:56:44, on 26.09.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\index.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Martin\Eigene Dateien\Internet\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b0a1e2aa4d99:18d9855a145f802cd2a921ef7de749b0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096060012361
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA093008-3721-47B7-A3EB-00439E8899C9}: NameServer = 217.237.151.33 217.237.149.225

so

 

Das solltest du in jedem Fall mal fixen.

 

Diesen Prozess beenden:
C:\index.exe

Diesen Eintrag fixen (Haken setzen und auf Fix Checked klicken):
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe

Danach bitte diese Datei gezippt an cidre_troja@yahoo.de schicken und danach löschen.

Lesenswerte Lektüre:
http://www.mathematik.uni-marburg.de/~wetzmj/index.php?viewPage=sec-compromise.html

 

juhu, er is weg

hab dir die datei gemailt.

big thx

 

Hallo.

Ich habe das selbe Problem mit dem Trojaner. Habe alles so gemacht, wie
Ihr es beschrieben habt. Allerdings konnte ich beim mwavscan nur Scan
und nicht Scan clean klicken.
Hier die Logfiles - könnt Ihr mir auch helfen, was ich löschen oder
ändern muß?

Thu Oct 21 19:50:04 2004 => File C:\WINDOWS\system32\winU32L.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:50:04 2004 => Scanning File
C:\WINDOWS\system32\MSNMSGR5.exe
Thu Oct 21 19:50:04 2004 => File C:\WINDOWS\system32\MSNMSGR5.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:50:04 2004 => Scanning File
C:\windows\system32\netcom2ix.exe
Thu Oct 21 19:50:04 2004 => File C:\windows\system32\netcom2ix.exe
infected by "TrojanDownloader.Win32.Agent.dn" Virus. Action Taken: No
Action Taken.

Thu Oct 21 19:50:05 2004 => File C:\WINDOWS\system32\winU32L.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:50:05 2004 => File C:\WINDOWS\system32\MSNMSGR5.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:51:11 2004 => File C:\WINDOWS\system32\MSNMSGR5.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:51:16 2004 => File C:\WINDOWS\system32\netcom2ix.exe
infected by "TrojanDownloader.Win32.Agent.dn" Virus. Action Taken: No
Action Taken.
Thu Oct 21 19:51:51 2004 => File C:\WINDOWS\system32\winU32L.exe
infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.

Thu Oct 21 19:52:39 2004 => File C:\Dokumente und
Einstellungen\Walter\Lokale Einstellungen\Temp\INSTALLER.EXE.VIR tagged as
not-a-virus:AdWare.PurityScan.u. No Action Taken.

Thu Oct 21 19:54:20 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\A0000596.EXE.VIR
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\A0000596.EXE.VIR infected by "Backdoor.Win32.Agobot.vm" Virus. Action Taken:
No Action Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\B2[1].EXE.VIR
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\B2[1].EXE.VIR infected by "Win32.Parite.b" Virus. Action Taken: No Action
Taken.
Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.001
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.001 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.002
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.002 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.003
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.003 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.004
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.004 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.005
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.005 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.006
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.006 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.007
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.007 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.008
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.008 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.009
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.009 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.010
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.010 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.011
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.011 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.012
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.012 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.013
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.013 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.014
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.014 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.015
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.015 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.016
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.016 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.017
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.017 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.018
Thu Oct 21 19:54:21 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.018 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:21 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.019
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.019 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.020
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.020 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.021
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.021 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.022
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.022 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.023
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.023 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.024
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.024 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.025
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.025 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.026
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.026 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.027
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.027 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.028
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.028 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.029
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.029 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.030
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.030 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

 

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.030
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.030 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.031
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.031 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.032
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.032 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.033
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.033 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.034
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.034 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.035
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.035 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.036
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.036 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.037
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.037 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.038
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.038 tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.VIR
Thu Oct 21 19:54:22 2004 => File
C:\Programme\AVPersonal\INFECTED\INSTALLER.EXE.VIR tagged as not-a-virus:AdWare.PurityScan.u. No Action
Taken.

Thu Oct 21 19:54:22 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\svhost.VIR
Thu Oct 21 19:54:23 2004 => File
C:\Programme\AVPersonal\INFECTED\svhost.VIR infected by "Backdoor.Win32.ForBot.o" Virus. Action Taken: No
Action Taken.

Thu Oct 21 19:54:23 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\svhost.VIR00
Thu Oct 21 19:54:23 2004 => File
C:\Programme\AVPersonal\INFECTED\svhost.VIR00 infected by "Backdoor.Win32.ForBot.o" Virus. Action Taken: No
Action Taken.

Thu Oct 21 19:54:23 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\SVXHOST.EXE.VIR
Thu Oct 21 19:54:23 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\TFTP388.VIR
Thu Oct 21 19:54:23 2004 => File
C:\Programme\AVPersonal\INFECTED\TFTP388.VIR infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No
Action Taken.

Thu Oct 21 19:54:23 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\VIDEOSD32.EXE.VIR
Thu Oct 21 19:54:24 2004 => File
C:\Programme\AVPersonal\INFECTED\VIDEOSD32.EXE.VIR infected by "Backdoor.Win32.Wootbot.gen" Virus. Action
Taken: No Action Taken.

Thu Oct 21 19:54:24 2004 => Scanning File
C:\Programme\AVPersonal\INFECTED\WINIPRTX.EXE.VIR
Thu Oct 21 19:54:24 2004 => File
C:\Programme\AVPersonal\INFECTED\WINIPRTX.EXE.VIR infected by "Win32.Parite.b" Virus. Action Taken: No Action
Taken.

Logfile of HijackThis v1.98.2
Scan saved at 20:10:15, on 21.10.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\winU32L.exe
C:\WINDOWS\system32\MSNMSGR5.exe
C:\windows\system32\netcom2ix.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Dokumente und Einstellungen\Walter\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dab-bank.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Win Update 32] winU32L.exe
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [WIN32SNDS] C:\windows\system32\netcom2ix.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE
/min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Win Update 32] winU32L.exe
O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe"
/background
O4 - Global Startup: InterVideo WinCinema Manager.lnk =
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk =
C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{C8E1C984-0C29-47F8-A154-34B0C4EF71AF}: NameServer = 192.168.120.252,192.168.120.253

 

Hallo
Ich habe den o.g.Virus ebenfalls auf meinem Rechner und dazu
TR/Agent.BCM und JS/Clicker.L.J.4.
Hier das hijack-log:
Logfile of HijackThis v1.99.1
Scan saved at 19:58:16, on 18.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\windows\micros0fe.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Eraser\eraser.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Programme\OpenOffice.org1.1.4\program\soffice.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\msiexec.exe
C:\Dokumente und Einstellungen\dagobert\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0ZH3A275\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teltarif.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Registry Control] C:\windows\micros0fe.exe
O4 - HKLM\..\Run: [AVAUTODELETE] "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic\UPGRADE\upgrade.exe" /restart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Internet] C:\windows\system32\drivers\helpsys\internet.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Programme\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: PC-Bibliothek-Direktsuche.lnk = C:\pc-bib\PCLib.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17D0C64A-5283-4125-8256-105694C274ED} (MozillaPluginHostCtrl Class) - http://www.uniklinik-saarland.de/med_fak/anatomie/bock/activex/spx33.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqemea/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20455bcf651b5490bd21/netzip/RdxIE601_de.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqemea/downloads/msxml4.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp01.photoprintit.de/microsite/2976/defaults/activex/ImageUploader3.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Boonty Games - BOONTY - C:\Programme\Gemeinsame Dateien\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Dummerweise lässt sich der Rechner im abgesicherten Modus gar nicht hochfahren! Es erscheint nur das Eingabeprompt

Ist mir noch zu helfen?
mfG
Dagobert Ross