Caught BDS/Ciadoor.13

03.01.2007, 13:25
Member

Posts: 20
#1 Hello!
A few days ago I caught BDS/Ciadoor.13. The virus alert was shown directly by Antivir. But even after deleting the file that contained the virus, it apparently could no longer be prevented that the virus infected my computer. When I now run a virus scan with Antivir, BDS/Ciadoor.13 is found. I hope you can help me, as you already did once before with another virus problem.
Here is the logfile from HijackThis:

Many thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 13:11:58, on 03.01.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\StopHid.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programme\Microsoft Office\Office10\POWERPNT.EXE
C:\Programme\Steinberg\Cubase SX\Cubasesx.exe
C:\Programme\AntiVir PersonalEdition Classic\avscan.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\han\Eigene Dateien\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F1 - win.ini: run= C:\WESTWOOD\ALARM\INSTICON.EXE
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [StatusClient] C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Programme\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [H2O] C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [AVAUTODELETE] "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition classic\UPGRADE\upgrade.exe" /restart
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [StopHid] StopHid.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
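The posted log is a list of "<section> - <body>" lines; the first step in reading one is to split it by section and look at the autostart entries (O4) and anything that points to a file that no longer exists. The following Python is an added example, not part of the thread or of HijackThis itself. It parses a constructed sample in the same line format (a few lines modelled on the log above, not the whole log), and its function names (parse_hijackthis, triage, executable_of) and the "unqualified autorun" heuristic are the example's own. The heuristic flags Run values that name a bare executable with no directory, because Windows locates such a program by path search, so the entry cannot be judged until the file is found on disk.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 line format, modelled on a few lines
# of the log above (not the complete log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://google.icq.com
F1 - win.ini: run= C:\\WESTWOOD\\ALARM\\INSTICON.EXE
O4 - HKLM\\..\\Run: [DeltTray] DeltTray.exe
O4 - HKLM\\..\\Run: [avgnt] "C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Programme\\Microsoft Office\\Office10\\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\\Programme\\Sygate\\SPF\\smc.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [avgnt] ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry Run entries: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_hijackthis(text):
    """Map each section id (R1, O4, O23, ...) to the list of entry bodies in it."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return dict(entries)


def executable_of(cmd):
    """Heuristic: the program a Run value launches.

    A quoted path is taken verbatim; otherwise everything up to the first
    '.exe' is used, which also copes with unquoted paths containing spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    if i >= 0:
        return cmd[: i + 4]
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Collect the autoruns, the ones without a directory, and '(no file)' leftovers."""
    entries = parse_hijackthis(text)
    findings = {"autoruns": [], "unqualified_autorun": [], "no_file": []}
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if not m:  # e.g. "Global Startup:" shortcuts use a different layout
            continue
        exe = executable_of(m.group("cmd"))
        findings["autoruns"].append((m.group("hive"), m.group("name"), exe))
        # No drive letter and no backslash: resolved by path search at logon,
        # so the actual file has to be located before the entry can be judged.
        if "\\" not in exe and ":" not in exe:
            findings["unqualified_autorun"].append(m.group("name"))
    for section, bodies in entries.items():
        for body in bodies:
            if "(no file)" in body:  # entry whose target is gone: leftover to clean up
                findings["no_file"].append((section, body))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

On the sample, the only unqualified autorun is DeltTray and the only "(no file)" entry is the O9 button; a real log would be fed in by reading the saved HijackThis text file instead of SAMPLE_LOG.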
03.01.2007, 17:38
Honorary member
Sabina

Posts: 29434
#2 Henneböhl

set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 6 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
04.01.2007, 12:37
Member

Thread starter

Posts: 20
#3 Hi. First of all, many, many thanks for the prompt reply.

here are the text files from Datfind:

1.

04.01.2007 12:08 2.184 wpa.dbl
03.12.2006 18:38 34.064 lhacm.acm
29.10.2006 12:18 316.594 perfh007.dat
29.10.2006 12:18 48.156 perfc007.dat
29.10.2006 12:18 39.992 perfc009.dat
29.10.2006 12:18 311.604 perfh009.dat
29.10.2006 12:18 723.744 PerfStringBackup.INI
27.10.2006 16:35 0 nvapps.xml
05.10.2006 21:14 87 ssprs.tgz
05.10.2006 21:14 73 ssprs.dll
05.10.2006 21:14 219 lsprst7.tgz
05.10.2006 21:14 205 lsprst7.dll

2.

04.01.2007 12:25 2.089.678 jar_cache24496.tmp
04.01.2007 12:25 218 TB2OverwriteHandler.log
04.01.2007 12:25 110 newtb1handler.log
04.01.2007 12:18 203 jusched.log

3.

04.01.2007 12:08 159 wiadebug.log
04.01.2007 12:08 50 wiaservc.log
04.01.2007 12:08 0 0.log
04.01.2007 12:08 2.048 bootstat.dat
03.01.2007 13:49 32.616 SchedLgU.Txt
02.01.2007 22:05 1.721 cdplayer.ini
02.01.2007 15:38 651.609 setupapi.log
28.11.2006 23:58 271 hpqcopy.INI
17.11.2006 21:49 248 WinSchach.ini
18.10.2006 19:44 484 GEARInstall.log

4.

Verzeichnis von C:\WINDOWS\Temp

5.

17.05.2006 19:13 65 desktop.ini

6.

04.01.2007 12:36 0 sys.txt
04.01.2007 12:35 487 down.txt
04.01.2007 12:35 117 tmp.txt
04.01.2007 12:33 6.560 system.txt
04.01.2007 12:33 462 systemtemp.txt
04.01.2007 12:25 104.389 system32.txt
04.01.2007 12:08 805.306.368 pagefile.sys
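The listings above are "dd.mm.yyyy HH:MM size name" rows with the German thousands separator in the size column, and the request was to post only the last 3 months. The following Python is an added example, not part of the thread or of the datfind batch file; it parses a constructed sample in that layout (a handful of rows modelled on the listings above) and keeps the rows newer than a calendar-month cutoff. The names parse_listing, months_back and recent_files are the example's own.

```python
import calendar
import re
from datetime import datetime

# Constructed sample in the "dd.mm.yyyy HH:MM size name" layout of the
# listings above; sizes use the German thousands separator ('.').
SAMPLE_LISTING = """\
 Verzeichnis von C:\\WINDOWS\\system32
04.01.2007 12:08 2.184 wpa.dbl
03.12.2006 18:38 34.064 lhacm.acm
29.10.2006 12:18 723.744 PerfStringBackup.INI
27.10.2006 16:35 0 nvapps.xml
05.10.2006 21:14 87 ssprs.tgz
17.05.2006 19:13 65 desktop.ini
04.01.2007 12:08 805.306.368 pagefile.sys
"""

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) ([\d.]+) (.+)$")


def parse_listing(text):
    """Return (timestamp, size_bytes, name) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1) + " " + m.group(2), "%d.%m.%Y %H:%M")
        size = int(m.group(3).replace(".", ""))  # drop thousands separators
        rows.append((stamp, size, m.group(4)))
    return rows


def months_back(when, months):
    """Same day-of-month `months` earlier, clamped to the length of that month."""
    year, month = when.year, when.month - months
    while month <= 0:
        month += 12
        year -= 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def recent_files(text, reference, months=3):
    """Rows modified within the last `months` months before `reference`, newest first."""
    cutoff = months_back(reference, months)
    rows = [r for r in parse_listing(text) if r[0] >= cutoff]
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    # Reference point: the time the listing in the thread was taken (constructed).
    for stamp, size, name in recent_files(SAMPLE_LISTING, datetime(2007, 1, 4, 12, 36)):
        print(stamp.strftime("%d.%m.%Y %H:%M"), size, name)
```

With 4 January 2007 as the reference, the cutoff is 4 October 2006, so desktop.ini from May drops out and the six newer rows remain.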
04.01.2007, 13:23
Honorary member
Sabina

Posts: 29434
#4 Henneböhl

My Computer --> right-click, then Properties --> System Restore tab --> tick the box "Turn off System Restore on all drives".
(then turn it on again)

»»
scan with your antivirus and post the scan report here
__________
Regards, Sabina

all about PC security
04.01.2007, 16:38
Member

Thread starter

Posts: 20
#5 and once again a huge thank you for the quick reply. The virus was no longer shown in this scan. I hope that settles the matter. Here is the scan report anyway:

AntiVir PersonalEdition Classic
Report file date: Donnerstag, 4. Januar 2007 15:40

Scanning for 612446 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Username: han
Computer name: HNPC1

Version information:
BUILD.DAT : 217 12749 Bytes 05.12.2006 17:00:00
AVSCAN.EXE : 7.0.3.4 208936 Bytes 19.12.2006 08:27:00
AVSCAN.DLL : 7.0.3.1 35880 Bytes 13.12.2006 12:22:27
LUKE.DLL : 7.0.3.2 143400 Bytes 13.12.2006 12:22:28
LUKERES.DLL : 7.0.2.0 9256 Bytes 13.12.2006 12:22:28
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31.05.2006 16:33:59
ANTIVIR1.VDF : 6.36.1.24 2212864 Bytes 14.11.2006 07:50:21
ANTIVIR2.VDF : 6.37.0.89 783360 Bytes 31.12.2006 13:00:26
ANTIVIR3.VDF : 6.37.0.94 16384 Bytes 02.01.2007 13:00:26
AVEWIN32.DLL : 7.3.0.21 1999360 Bytes 27.12.2006 16:59:29
AVPREF.DLL : 7.0.2.0 23592 Bytes 13.12.2006 12:22:27
AVREP.DLL : 6.37.0.5 1007656 Bytes 16.12.2006 16:22:16
AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 13.05.2006 16:46:30
AVPACK32.DLL : 7.2.0.5 368680 Bytes 26.10.2006 14:24:20
AVREG.DLL : 7.0.1.1 30760 Bytes 13.12.2006 12:22:27
NETNT.DLL : 6.32.0.0 6696 Bytes 27.09.2005 07:56:49
RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 13.12.2006 12:22:23
RCTEXT.DLL : 7.0.12.1 77864 Bytes 13.12.2006 12:22:23

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: C:\Programme\AntiVir PersonalEdition Classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Expanded search settings.........: 0x00001000

Start of the scan: Donnerstag, 4. Januar 2007 15:40

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Modules have been scanned
Scan process 'avcenter.exe' - '1' Modules have been scanned
Scan process 'javaw.exe' - '1' Modules have been scanned
Scan process 'iPodService.exe' - '1' Modules have been scanned
Scan process 'ctfmon.exe' - '1' Modules have been scanned
Scan process 'iTunesHelper.exe' - '1' Modules have been scanned
Scan process 'qttask.exe' - '1' Modules have been scanned
Scan process 'StopHid.exe' - '1' Modules have been scanned
Scan process 'mHotkey.exe' - '1' Modules have been scanned
Scan process 'hpgs2wnf.exe' - '1' Modules have been scanned
Scan process 'realsched.exe' - '1' Modules have been scanned
Scan process 'avgnt.exe' - '1' Modules have been scanned
Scan process 'cledx.exe' - '1' Modules have been scanned
Scan process 'jusched.exe' - '1' Modules have been scanned
Scan process 'winampa.exe' - '1' Modules have been scanned
Scan process 'CloneCDTray.exe' - '1' Modules have been scanned
Scan process 'daemon.exe' - '1' Modules have been scanned
Scan process 'PDVDServ.exe' - '1' Modules have been scanned
Scan process 'rundll32.exe' - '1' Modules have been scanned
Scan process 'hpgs2wnd.exe' - '1' Modules have been scanned
Scan process 'rundll32.exe' - '1' Modules have been scanned
Scan process 'StatusClient.exe' - '1' Modules have been scanned
Scan process 'delttray.exe' - '1' Modules have been scanned
Scan process 'explorer.exe' - '1' Modules have been scanned
Scan process 'wmiprvse.exe' - '1' Modules have been scanned
Scan process 'wdfmgr.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'nvsvc32.exe' - '1' Modules have been scanned
Scan process 'MDM.EXE' - '1' Modules have been scanned
Scan process 'avguard.exe' - '1' Modules have been scanned
Scan process 'sched.exe' - '1' Modules have been scanned
Scan process 'alg.exe' - '1' Modules have been scanned
Scan process 'spoolsv.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'Smc.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'lsass.exe' - '1' Modules have been scanned
Scan process 'services.exe' - '1' Modules have been scanned
Scan process 'winlogon.exe' - '1' Modules have been scanned
Scan process 'csrss.exe' - '1' Modules have been scanned
Scan process 'smss.exe' - '1' Modules have been scanned
43 processes with 43 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 30 files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\atapi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd0189.sys
[WARNING] The file could not be opened!


End of the scan: Donnerstag, 4. Januar 2007 16:20
Used time: 40:53 min

The scan has been done completely.

5519 Scanning directories
248828 Files were scanned
0 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
5 Files cannot be scanned
248828 Files not concerned
1094 Archives were scanned
5 Warnings
28 Notes