bitte um hilfe, trojaner öffnet durch google nur xxx seiten Einstellungen

[georges5]

bitte um hilfe.
immer wenn bei google was eingebe und was suche öffnet sich eine xxx seite.
habe schon sämtliche virenscanner drüber laufen lassen.
hier mein hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 19:10:52, on 01.02.2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Internet Explorer\ieuser.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Users\Stefan\AppData\Local\Temp\Temp1_hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Player - {83FD1F86-B40A-41EE-8512-929F005ED2A8} - C:\Windows\orgnavi.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [IaNvSrv] "C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe"
O4 - HKLM\..\Run: [OSD] "C:\Program Files\C&E\OSD\osd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [recinfo450] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FSCLBaseUpdaterService - Unknown owner - c:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SiteAdvisor-Dienst (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)



wer kann mir helfen...

[Gast_peks_*]

Der orgnavi.dll Eintrag is verdächtig, wenn ich da mal so google nach suchen lasse...aber warte mal auf die Windows-Experten..

[georges5]

alles lkar danke fürs erste mal, dann warte ich noch ein wenig...

[raman]

Teste die Datei einfach bei Virustotal.com und poste das Ergebnis.

Nutze dann Combofix und Hijackthis 2.02 in der Reihenfolge....

Combofix

Lade es von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop
Alle Fenster schliessen und combofix.exe starten und bestaetige die folgende Abfrage mit 1 und drueckt Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Waehrend des Scans bitte nichts am Rechner unternehmen
Es kann moeglich sein, das der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.

Hijackthis 2.02 bekommst du hier: http://www.trendsecure.com/portal/en-US/th.../HiJackThis.zip

[georges5]

...bin gerade dabei die datei mit virscan.org zu scannen, bis jetzt bei 33% einen Infektionsgrad,
kann ich die datei zum beispiel mit killbox oder keylogger einfach löschen??

[raman]

Das machen wir nachher mit Hijackthi

[georges5]

so einmal hijachthis log
und darunter das ergebnis von virustotal.com


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:11, on 02.02.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\C&E\OSD\osd.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Stefan\AppData\Local\Temp\Temp2_hijackthis_199.zip\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Stefan\AppData\Local\Temp\Temp1_HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O1 - Hosts: ::1 localhost
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Player - {83FD1F86-B40A-41EE-8512-929F005ED2A8} - C:\Windows\orgnavi.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SMSERIAL] "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
O4 - HKLM\..\Run: [IaNvSrv] "C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe"
O4 - HKLM\..\Run: [OSD] "C:\Program Files\C&E\OSD\osd.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [recinfo450] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O13 - Gopher Prefix:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FSCLBaseUpdaterService - Unknown owner - c:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SiteAdvisor-Dienst (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 7265 bytes



Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 ADSPY/Agen.224768.B
Authentium 4.93.8 2008.02.01 -
Avast 4.7.1098.0 2008.02.01 -
AVG 7.5.0.516 2008.02.01 -
BitDefender 7.2 2008.02.02 -
CAT-QuickHeal 9.00 2008.02.01 -
ClamAV 0.92 2008.02.02 -
DrWeb 4.44.0.09170 2008.02.02 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5504 2008.02.01 -
Ewido 4.0 2008.02.02 -
FileAdvisor 1 2008.02.02 -
Fortinet 3.14.0.0 2008.02.02 W32/Fake.B
F-Prot 4.4.2.54 2008.02.01 -
F-Secure 6.70.13260.0 2008.02.01 Trojan-Downloader.Win32.Delf.ehm
Ikarus T3.1.1.20 2008.02.02 Trojan-Downloader.Delf.OGX
Kaspersky 7.0.0.125 2008.02.02 Trojan-Downloader.Win32.Delf.ehm
McAfee 5221 2008.02.01 -
Microsoft 1.3204 2008.02.02 Trojan:Win32/Delflob.I
NOD32v2 2845 2008.02.02 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.01 -
Prevx1 V2 2008.02.02 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.02 -
Sunbelt 2.2.907.0 2008.02.02 -
Symantec 10 2008.02.02 -
TheHacker 6.2.9.205 2008.02.01 -
VBA32 3.12.6.0 2008.02.02 -
VirusBuster 4.3.26:9 2008.02.01 -
Webwasher-Gateway 6.6.2 2008.02.02 Ad-Spyware.Agen.224768.B
weitere Informationen
File size: 224768 bytes
MD5: 8ecfbcd0ebf0ce59d568400542dee8d0
SHA1: 86a418ec0bae546961709cfdfd2598ba2e3e166a
PEiD: ASPack v2.12 -> Alexey Solodovnikov
packers: Aspack

danke im voraus

[raman]

Was sagt Combofix?

[georges5]

...hab ich noch nicht brauch ich (du) das zwingend????

[raman]

Das waere Hilfreich, aber schauen wir mal.

Hake in Hijackthis folgendes an, schliesse dann alle Browserfenster und druecke "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Player - {83FD1F86-B40A-41EE-8512-929F005ED2A8} - C:\Windows\orgnavi.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O4 - HKLM\..\Run: [recinfo450] c:\RecInfo\RecInfo.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)


starte neu und mache einen Kontrollscan mit AVPtool. Nimm die neuste Version:

http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/

[georges5]

so jetzt aber

ComboFix 08-02.02.5 - Stefan 2008-02-02 12:41:58.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.1033 [GMT 1:00]
ausgeführt von:: C:\Users\Stefan\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((( Dateien erstellt von 2008-01-02 bis 2008-02-02 ))))))))))))))))))))))))))))))
.

2008-02-02 12:19 . 2008-02-02 12:19 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-02-02 10:36 . 2005-09-23 07:29 626,688 --a------ C:\Windows\System32\msvcr80.dll
2008-02-02 10:34 . 2008-02-02 11:12 <DIR> d-------- C:\Program Files\Google
2008-02-01 18:25 . 2008-02-01 18:25 <DIR> d-------- C:\Users\All Users\Grisoft
2008-02-01 18:25 . 2008-02-01 18:25 <DIR> d-------- C:\ProgramData\Grisoft
2008-02-01 17:35 . 2008-02-01 17:35 0 --ah----- C:\ProgramData.LOG2
2008-02-01 17:35 . 2008-02-01 17:35 0 --ah----- C:\ProgramData.LOG1
2008-02-01 17:29 . 2008-02-01 17:29 <DIR> d-------- C:\SiteAdvisor
2008-02-01 17:07 . 2008-02-02 10:55 <DIR> d-a------ C:\Users\All Users\TEMP
2008-02-01 17:07 . 2008-02-02 10:55 <DIR> d-a------ C:\ProgramData\TEMP
2008-01-31 21:05 . 2008-01-31 21:05 <DIR> d-------- C:\Users\All Users\Avg7
2008-01-31 21:05 . 2008-01-31 21:05 <DIR> d-------- C:\ProgramData\Avg7
2008-01-31 18:51 . 2008-02-02 10:53 <DIR> d-------- C:\Users\Stefan\AppData\Roaming\Application Data
2008-01-31 18:50 . 2008-02-02 11:05 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-30 19:51 . 2008-01-30 19:52 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-01-30 19:51 . 2008-01-30 19:52 <DIR> d-------- C:\ProgramData\Lavasoft
2008-01-30 19:40 . 2008-02-02 11:04 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-01-30 19:40 . 2008-02-02 11:04 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-01-30 19:40 . 2008-02-02 10:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-30 17:27 . 2008-01-30 17:27 224,768 --a------ C:\Windows\orgnavi.dll
2008-01-30 17:27 . 2008-01-30 17:27 51 --a------ C:\tmp.bat
2008-01-20 15:19 . 2008-01-20 15:19 <DIR> d-------- C:\Windows\PCHEALTH
2008-01-20 15:19 . 2008-01-20 15:19 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-20 15:16 . 2008-01-20 15:16 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-01-20 15:14 . 2008-01-20 15:14 <DIR> dr-h----- C:\MSOCache
2008-01-13 17:03 . 2008-01-13 17:03 <DIR> d-------- C:\Users\Stefan\AppData\Roaming\Apple Computer
2008-01-13 17:03 . 2008-01-13 17:03 <DIR> d-------- C:\Program Files\iTunes
2008-01-13 17:03 . 2008-01-13 17:03 <DIR> d-------- C:\Program Files\iPod
2008-01-13 17:03 . 2008-01-13 17:03 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-13 17:03 . 2008-01-13 17:03 1,409 --a------ C:\Windows\QTFont.for
2008-01-13 17:02 . 2008-01-13 17:02 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-13 16:59 . 2008-01-13 17:03 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-01-13 16:59 . 2008-01-13 17:03 <DIR> d-------- C:\ProgramData\Apple Computer
2008-01-13 16:59 . 2008-01-13 17:00 <DIR> d-------- C:\Program Files\QuickTime
2008-01-09 17:49 . 2008-01-09 17:49 804,352 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 17:49 . 2008-01-09 17:49 217,272 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 17:49 . 2008-01-09 17:49 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 17:49 . 2008-01-09 17:49 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 17:49 . 2008-01-09 17:49 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 17:48 . 2008-01-09 17:48 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 17:48 . 2008-01-09 17:48 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 17:48 . 2008-01-09 17:48 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 17:48 . 2008-01-09 17:48 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 17:48 . 2008-01-09 17:48 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 17:48 . 2008-01-09 17:48 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 17:48 . 2008-01-09 17:48 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 17:48 . 2008-01-09 17:48 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 17:48 . 2008-01-09 17:48 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-01-09 17:48 . 2008-01-09 17:48 11,776 --a------ C:\Windows\System32\sbunattend.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 16:36 --------- d-----w C:\ProgramData\Avira
2008-02-01 16:01 27,430 ----a-w C:\Users\Stefan\AppData\Roaming\nvModes.dat
2008-01-22 14:00 --------- d-----w C:\ProgramData\Microsoft Help
2008-01-20 14:20 --------- d-----w C:\Program Files\MSBuild
2008-01-20 14:20 --------- d-----w C:\Program Files\Microsoft Works
2008-01-12 16:15 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 16:48 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 16:48 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 16:48 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 16:48 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 16:48 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-27 18:27 --------- d-----w C:\Program Files\ICQLite
2007-12-23 13:00 --------- d-----w C:\Users\Stefan\AppData\Roaming\Ahead
2007-12-17 13:30 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-12 20:57 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 20:57 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 20:57 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 20:56 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 20:56 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 20:56 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 20:56 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 20:56 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 20:56 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 20:56 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 20:56 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 20:55 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 20:55 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-09 18:11 --------- d-----r C:\Users\Stefan\AppData\Roaming\Brother
2007-12-04 20:00 --------- d-----w C:\Users\Stefan\AppData\Roaming\Samsung
2007-11-15 19:17 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 19:17 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 19:17 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 19:17 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 19:17 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 19:17 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 19:17 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 19:17 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 19:17 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 19:17 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-04 13:47 80,896 ----a-w C:\Windows\System32\wudriver.dll
2007-11-04 13:47 549,720 ----a-w C:\Windows\System32\wuapi.dll
2007-11-04 13:47 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2007-11-04 13:47 43,352 ----a-w C:\Windows\System32\wups2.dll
2007-11-04 13:47 33,624 ----a-w C:\Windows\System32\wups.dll
2007-11-04 13:47 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2007-11-04 13:47 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2007-11-04 13:46 31,232 ----a-w C:\Windows\System32\wuapp.exe
2007-11-04 13:46 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2007-10-24 08:12 174 --sha-w C:\Program Files\desktop.ini
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FD1F86-B40A-41EE-8512-929F005ED2A8}]
2008-01-30 17:27 224768 --a------ C:\Windows\orgnavi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 17:48 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 11:15 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-24 08:40 1006264]
"NvSvc"="RUNDLL32.exe" [2006-11-02 10:45 44544 C:\Windows\System32\rundll32.exe]
"NvCplDaemon"="RUNDLL32.exe" [2006-11-02 10:45 44544 C:\Windows\System32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-11-02 10:45 44544 C:\Windows\System32\rundll32.exe]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 16:10 4468736 C:\Windows\RtHDVCpl.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 17:31 630784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-05-03 23:00 174872]
"IaNvSrv"="C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-05-03 23:00 33048]
"OSD"="C:\Program Files\C&E\OSD\osd.exe" [2007-07-10 17:29 557056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 19:46 153136]
"recinfo450"="c:\RecInfo\RecInfo.exe" [2007-09-14 13:53 2768896]
"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 11:15 3144800]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 22:57 36640]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;C:\Windows\system32\DRIVERS\iaNvStor.sys [2007-05-03 23:00]
R0 Si3531;SiI-3531 SATA Controller;C:\Windows\system32\DRIVERS\Si3531.sys [2007-01-30 08:31]
R2 FSCLBaseUpdaterService;FSCLBaseUpdaterService;"c:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe" [2007-06-04 14:20]
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 09:52]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys [2007-04-04 04:57]
R3 NETw4v32;Intel® Wireless WiFi Link Adaptertreiber für Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 05:14]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-04-30 12:42]
S4 nvrd32;NVIDIA nForce RAID Driver;C:\Windows\system32\drivers\nvrd32.sys [2007-07-02 16:37]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deaaceea-d023-11dc-bbb5-00030d745eac}]
\shell\AutoRun\command - G:\LaunchU3.exe

.
Inhalt des "geplante Tasks" Ordners
"2007-11-08 20:35:01 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-11-08 20:35:01 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 12:43:51
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-02-02 12:44:53
.
2008-01-22 14:00:54 --- E O F ---

[georges5]

kaspersky funktioniert nicht muss ich den im abgesicherten modus starten

[raman]

Sind seit dem Neustart wieder Popups aufgetreten?

[georges5]

ja, habe mir jetzt mit der systemwiederherstellung geholfen, seitdem sind sie weg!
die orgnavi.dll ist nicht mehr unter C:/windows zu finden, hoffe das wars.
danke dir für deine überragende unterstützung

[raman]

Die Systemwiederherstellung von Vista ist recht effektiv. Soweit ich das herausgefunden habe, wird diese Datei haeufig bei sogenannten "Fake-Codecs" installiert. Also nicht immer gleich alles installieren, nur weil irgendeine Seite das verlangt!