Remove sspMydoom.cih and Trojans!

#0
09.02.2005, 11:15
Honorary member
Posts: 29434

09.02.2005, 21:40
...new here
Posts: 9
#17
Right, here we go again! By the way, in case it helps with the cleanup: I now have all files, programs and data as originals or backups and can reinstall. I.e. if I really had to delete any programs, that would not be a problem!
Drew

10.02.2005, 12:27
Honorary member
Posts: 29434
#18
Hello @dasadrew
C:\WINDOWS\system32\svshost.exe infected by "Backdoor.Win32.Rbot.gen" Virus
C:\WINDOWS\system32\TFTP2860 infected by "Backdoor.Win32.Rbot.gen" Virus
for that reason alone --> you should reformat (from scratch, wipe everything, it is better)
__________
Kind regards, Sabina
all about PC security
This post was edited by Sabina on 10.02.2005 at 12:33.

10.02.2005, 12:39
...new here
Posts: 9
#19
Well, I kind of think so too! I have already made my will.
Last question: do you think I should invest the €200 in the full retail version of Windows XP SP2, so that SP2 is already active when I go back online? After a format c:, my first online session would be pretty naked, wouldn't it?

10.02.2005, 23:51
Honorary member
Posts: 29434
#20
You buy the normal version of XP (e.g. on eBay), then you download/burn SP2 from another PC or from a CD (PC magazine) and install it before you go online.
__________
Kind regards, Sabina
all about PC security

11.02.2005, 22:23
...new here
Posts: 9
#21
Hi Sabina,
I couldn't wait that long! I bought the XP SP2 full version and, after a 36-hour battle with the modem (in the end I only had to pull the power plug and plug it back in for it to synchronize again!!!), I am back online. Once again a huge, heartfelt thank-you for your support - I have now learned quite a bit about viruses, hijackers and the like! Just keep it up.
Regards, Drew

13.02.2005, 15:16
...new here
Posts: 1
#22
At http://www.winhilfe.info/Sicherheit/Saeuberung/sspMydoom.cih_Spyware_in_5_Schritten_entfernen_2005021274/ you will find working removal instructions.
Regards, Udoc
This post was edited by Sabina on 13.02.2005 at 17:54.

Now we have to start over from the beginning, so please post the HijackThis log,
as well as the infected files that you find with eScan in safe mode (do not delete anything yet, just post)
__________
Kind regards, Sabina
all about PC security