Spyware (unter Anderem Beeinträchtigung der System Uhr)

NFO NilZ · 01.10.2010, 17:19

Hey Leute,

ich hoffe mal, ihr könnt mir weiterhelfen. Kenne mich nicht so gut mit PCs aus, aber bin gerne offen für neues Wissen.

Also zunächst ein paar Fakten zu meinem PC:

Prozessor: Windows Vista 32.-bit version Home Premium
Marke: Dell
Modell: inspiron 531

Jedenfalls habe ich seit 2 Tagen etwa das Problem, dass die Uhrzeit falsch gelaufen ist. Ich wurde dann benachrichtigt, dass der Computer nicht richtig geschützt sei, woraufhin ich mir "Microsoft Security Essentials" auf Vorschlag von Windows heruntergeladen habe. Dieses zeigte mir folgende Spyware an:

http://img443.imageshack.us/img443/9...rusproblem.jpg

Das Problem ist denke ich auch unter Anderem, dass ja MSE erfordert, andere Antiviren Programme auszuschalten bzw. den Windows Defender automatisch ausschaltet. Allerdings hatte ich diese Spyware ja wohl schon vorher. Nun frage ich mich, wie ich am besten vorgehen sollte eurer Meinung nach.
Hoffe auf konstruktive Kritik.

**Leonixx** · 01.10.2010, 17:41

Das ist keine Spyware sondern Trojaner.

Schritt 1
Malwarebytes laden und ausführen wie unter Tutorials beschrieben. Funde mit Auswahl entfernen löschen. Poste das Logfile.

Schritt 2
RSIT anwenden, wie im Link in meiner Sig. Poste beide Logfiles wie beschrieben.

NFO NilZ · 02.10.2010, 18:53

Danke sehr! Hier ist das Logfile:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Datenbank Version: 4052

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

02.10.2010 19:55:33
mbam-log-2010-10-02 (19-55-33).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 318902
Laufzeit: 2 Stunde(n), 14 Minute(n), 5 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 24
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 2
Infizierte Dateien: 5

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{60b244be-559d-4269-b96e-cd264d828ec9} (Rogue.PCAntispy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Uninstall\mslAgent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\System\CurrentControlSet\Service s\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\System\CurrentControlSet\Service s\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Antispy (Rogue.PCAntispy) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\ShellServiceObjectDelayLoad\systemcheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Program Files\PCHealthCenter (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Niklas\AppData\Roaming\Microsoft\Windows\ Start Menu\Programs\Smart Antivirus 2009 (Rogue.SmartAntiVirus) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Users\Niklas\AppData\Roaming\Microsoft\Windows\ Start Menu\Programs\Smart Antivirus 2009\Smart Antivirus-2009.lnk (Rogue.SmartAntiVirus) -> Quarantined and deleted successfully.
C:\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\etc\.security (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Users\Niklas\AppData\Local\Temp\msfont32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\.security (Rogue.Multiple) -> Quarantined and deleted successfully.

**Leonixx** · 02.10.2010, 19:01

Du hast ein sogenanntes FakeAV auf dem System. Bevor du RSIT anwendest, erstmal Online Scan mit Eset durchführen. Poste das Log.

Ausführen wie in dieser Anleitung beschrieben.

Kostenlose Online Scanner

NFO NilZ · 03.10.2010, 02:40

Hier das log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=de4300b8a3fd7d4f8f03080639407b7e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-03 01:13:29
# local_time=2010-10-03 03:13:29 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 12892 12892 0 0
# compatibility_mode=4096 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776573 100 96 63190936 100780662 0 0
# compatibility_mode=5892 16776574 100 100 365521 123588288 0 0
# compatibility_mode=8192 67108863 100 0 277 277 0 0
# scanned=206646
# found=28
# cleaned=28
# scan_time=12849
C:\Program Files\Trend Micro\HijackThis\backups\backup-20081115-234304-627.dll a variant of Win32/Kryptik.AML trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\jar_cache18701. tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\jar_cache20115. tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\jar_cache2406.t mp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\jar_cache2407.t mp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\jar_cache53246. tmp a variant of Java/Exploit.Agent.NAC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\removalfile.bat Win32/Adware.Virtumonde application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\rgfrvpck.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_7385.exe a variant of Win32/MessengerPlus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_846d.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_8d72.exe a variant of Win32/MessengerPlus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_b6a2.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_c404.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_d8dc.exe a variant of Win32/MessengerPlus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_e6d1.exe a variant of Win32/MessengerPlus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\Update_f10d.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\WvvCIkkj.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\WvvCIkkj.ini2 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\yurqmasq.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\plugtmp-437\plugin-Notes1-2.pdf JS/Exploit.Pdfka.OAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\plugtmp-439\plugin-Notes1-1.pdf JS/Exploit.Pdfka.OAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\plugtmp-439\plugin-Notes1.pdf JS/Exploit.Pdfka.OAN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\plugtmp-444\plugin-Notes1-1.pdf JS/Exploit.Pdfka.OAR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\Local\Temp\plugtmp-444\plugin-Notes1.pdf JS/Exploit.Pdfka.OAR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\LocalLow\Sun\Java\Deployme nt\cache\6.0\20\81fea54-2e1f5c41 Java/TrojanDownloader.Agent.NBN trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\LocalLow\Sun\Java\Deployme nt\cache\6.0\52\e649f74-4c85be47 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\AppData\LocalLow\Sun\Java\Deployme nt\cache\6.0\58\fa8f07a-6ec21923 probably a variant of Win32/Agent.DYXWUMY trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Niklas\Downloads\MsgPlusLive-470.exe a variant of Win32/Adware.CiDHelp application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

**Leonixx** · 03.10.2010, 10:29

Dr.Web Cure it laden und ausführen wie in Anleitung. Poste Logfile. Das System ist noch nicht sauber. Anleitung: DrWeb - CureIt - Trojaner-Board Anschließend RSIT Logs.

NFO NilZ · 06.10.2010, 16:09

Es gibt ein Problem.
In der Anleitung wird beschrieben, dass ich das Programm im Abgesicherten Modus starten soll, jedoch erreiche ich diesen nicht, auch nicht, wenn ich, bevor das Windows Logo erscheint, F8 mehrmals drücke.
Wie geht das noch ?

**Leonixx** · 06.10.2010, 16:29

Dann führe das Programm im Normalmodus aus. Mit F8 kommt man in die Konsole für den abgesicherten Modus. Allerdings kann diese auch von einem Schädling blockiert werden.

NFO NilZ · 08.10.2010, 18:46

Habe das Programm nun ausgeführt. Doch wie kann ich auf den Logfile zugreifen? (will den Scan durchlauf nun nicht noch einmal komplett durchmachen)

**Leonixx** · 08.10.2010, 20:46

Programm öffnen und unter dem Reiter Logdatei schauen.

Sie betrachten gerade: Spyware (unter Anderem Beeinträchtigung der System Uhr)