Bitte dringend um Hilfe! Virus? Trojaner?

Hallo Leute!

Ich benutze als Browser den Firefox 1.5 und habe selbstverständlich alle Updates für Win2k installiert.
Nun zu meinem Problem:

Seit einiger Zeit passiert es immer wieder, das beim Seitenaufruf von z.B. "www.google.at" oder anderen Seiten, die ich als Bookmark gespeichert habe (die URL stimmt 100%) sich eine Suchmaschine "suche.biz" erscheint.
Weiters wird oft eine Seite nicht gefunden. Wenn ich z.b. die Suchergebnisse bei ebay oder google durchblätter, ist auf einmal beim Laden einer Seite Schluss. Es erscheint die Meldung NOT FOUND The requested URL /search was not found on this server. Apache/1.3.33 Server at www.google.at Port 80

Spybot, AntiVir und AdAware finden nichts.

Hier findet ihr meinen HijackThis-Bericht

Ich hoffe, ihr Profis findet etwas.

lG
Stefan

 

Hallo,
ich kann auf den ersten Blick nichts außergewöhnliches entdecken. Ist das hier:
C:\Programme\Batch\NetLogin.bat
so gewollt?
Bei welchem Provider bist du?
Poste auch mal ein Log von Silentrunners.


Grüße Jasager

 

Das mit Suche.biz hatte ich bis gerade eben auch noch.
Guck mal auf http://www.scanspyware.net da hab ich mir die demo runtergeladen, die hat einige registryeinträge angezeigt und die habe ich dann gelöscht. Nach nem Neustart gings dann wieder.

 

Die ganzen BHOs, IE-Toolbars und Extra context menus kannst du löschen, da die für den FF uninteressant sind und den Autostart unübersichtlich machen.
Vielleicht ist da etwas darunter, dass die Suchmschine beeinträchtigt.

 

Hallo!

@Jasager
Darauf habe ich vergessen. Die Datei netlogin.bat ist eine Batchdatei, die mir beim Systemstart die Verbindungen aufbaut.
Als Provider habe ich Chello (Breitbandinternet per Kabel in Ö).
Anbei habe ich dir mal das Log von Silentrunners gepostet.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"pdfSaver3" = ""C:\Programme\PDF-XChange 3 Pro\pdfSaver\pdfSaver3.exe"" ["Tracker Software Products Ltd."]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"little_helper2.exe" = (empty string)
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{84B94901-3645-4D80-A6B7-4D0050B19455}\(Default) = "metaspinner GmbH" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Preispiraten3\Preispiraten3\IEButtonAmazonInterface.dll" [null data]
{CD9B7762-DFBC-42B1-BB30-02A78287B456}\(Default) = "metaspinner GmbH" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Preispiraten3\Preispiraten3\IEButtonEbayInterface.dll" [null data]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = "EpsonToolBandKicker Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
{E9E027BF-C3F3-4022-8F6B-8F6D39A59684}\(Default) = "metaspinner GmbH" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Preispiraten3\Preispiraten3\IEButtonPPInterface.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\Wcesview.dll" [MS]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "******A****" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ActiveSync\DLLName = "WcesWlgn.dll" [MS]
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
INFECTION WARNING! taskmgr.exe\Debugger = "C:\Programme\Process Explorer\procexp.exe" ["Sysinternals"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Corel\Graphics8\programs\CMFFld80.dll" [empty string]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\sspipes.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NetLogin" -> shortcut to: "C:\Programme\Batch\NetLogin.bat" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = "EPSON Web-To-Page" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = "EPSON Web-To-Page" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{350F4DA2-3886-4BB8-A1A8-D7F57B56DFFF}\
"ButtonText" = "Preispiraten 3"
"Exec" = "C:\Programme\Preispiraten3\Preispiraten3\preispiraten3ie.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["H+BEDV Datentechnik GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["H+BEDV Datentechnik GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Boonty Games, Boonty Games, ""C:\Programme\Gemeinsame Dateien\BOONTY Shared\Service\Boonty.exe"" ["BOONTY"]
COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S520\Driver = "CNMLM3m.DLL" ["CANON INC."]
EPSON Stylus DX3800 Series 2KMonitor5E\Driver = "E_FLMACE.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF-XChange\Driver = "C:\WINNT\system32\pxc25pm.dll" ["Tracker Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 19 seconds, including 8 seconds for message boxes)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

lG Stefan

 

Hallo,
da haben wir doch den Schlingel, die werden auch immer raffinierter. Gehe mal unter Systemsteuerung>>Software und schaue ob dort ein Programm namens littlehelper2 (o.ä.) aufgeführt ist, wenn ja deinstalliere es und poste ein neues HijackThis Log.


Grüße Jasager