Nach dem Start immer die selbe Virusmeldung

[Saskija]

Hallo,

ich hoffe hier sind auch einige deutsch - sprechende Besucher, sonst muss ich mich wohl doch in Englisch probieren.
Jedesmal, wenn ich meinen PC starte, dann findet Avast:
 Name: axload.dll
 Virus: Win 32:Trojan-gen. {Other}

Ich bin der Laie schlecht hin, ich habe null Ahnung warum dieser Virusmeldung nach jedem Start kommt und wie ich den Virus wegbekomme. Die empohlene Aktion ist immer nur: In den Container verschieben, wo sich mittlerweile schon 5 von denen angesammelt haben.

Heute war nach dem Start eine neue Virusmeldung da, nämlich:
Name: dat758dmp
Virus: VBS:Maleware [Gen]

Kann mir jemand sagen, was ich tuen soll?
Reicht es nicht, dass  ich ab und an das Virenprogramm durchlaufen lasse. Muss ich mir jetzt so spezielle Virusdefinitionen downloaden?
Ratlos

Lg. Saskija

[lee16]

Hallo,
Ich bin nur ein englischer Sprecher, aber ich verwende eine on-line-Übersetzung für dieses.

Können Sie diese bitte liefern:

1) welcher Version der Fenster Sie
2) den Dateinamen und den Weg des Virus haben

--lee

[Eddy]

Click on the link in my signature and follow the instructions in the malware removal section.
(There is a English, French and Dutch version)

[Saskija]

Hello, and thanks for the answers.
I think I´ve solved the poblem, since I got Avast Version 4.6, could that be?
There is no Virusreport any more, the old virusreports are in the container, or is there to do anything else?

if possible please answer in simple english   
thanks
saskija

[lee16]

The viruses are safe in the container (virus chest), its there so you decide what you want to do with it next (Delete, restore etc)

Do you know the origional filename and path (location) of the file/virus?

--lee

[Saskija]

hi,

@ Eddy: sorry, I need a german version

today, the Win32: Trojan-gen is back  :'(

-the locatioin: (I try to translate in English) C:/Dokuments and Adjustments/Local Adjustments/Temp/ICD4.tmp/axload.dll
-the malware location: the same way until Temp/dat758.tmp

-the original filename, hmm? how can i find out?

-is it dangerous to make some online bank transfers while this virus is on my pc?

-i have win xp

-Should i try to do:
1. clean out temp. files
2. Disabel system restore to clean out the infected file that's currently in a system restore file.
3. Reboot  system.
4. Re-enable System Restore if you intend to to continue using it.


soooorry for mistakes and thaanks for help

Saskija

[lee16]

-the original filename, hmm? how can i find out?

It was axload.dll 

-is it dangerous to make some online bank transfers while this virus is on my pc?

Not too sure, but best remove this malware first to be on the safe side.

-Should i try to do:
1. clean out temp. files
2. Disabel system restore to clean out the infected file that's currently in a system restore file.
3. Reboot  system.
4. Re-enable System Restore if you intend to to continue using it.

I would say do it in this order:

2.
1.
3.
4.

Have you tryied runnnig programs like Ad-Aware or Spybot?


Ad-aware: http://www.majorgeeks.com/downloadget.php?id=506&file=9&evp=8dbaff7daca8f4b55bf695220993fc0f

Spybot: http://www.majorgeeks.com/downloadget.php?id=2471&file=9&evp=2470f9bfb0cc682334ff8c4459556118

--lee

[Saskija]

Hi,

"Have you tryied runnnig programs like Ad-Aware or Spybot?"
- nope

thanks for the links, the spyware doctor found more than 50 infections, but I´m not able to pay for. do u know any other programms which are free  ?

Sas

[Saskija]

Hi again,

I tried the reboot system - thing, but Win32: Trojan-gen ist still on my pc.
Any other ideas ?

Saskija

[lee16]

Saskija,

I would not suggest you use Spyware docter, please see why by looking under the "Please Beware!" bit here: http://www.safer-networking.org/en/index.html


Did you run the two programs and deleate everything they found?

Could you also post a hijackthis log here please, you can get hijackthis from here: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

--lee

[Saskija]

Hi lee,

The 2 links u gave me are the same and they only bring me to the spyware doctor, what have I done wrong? I could´t find an other link on this page...     



Logfile of HijackThis v1.99.1
Scan saved at 22:51:21, on 17.02.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Netropa\Onscreen Display\OSD.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Microsoft Office\Office\FINDFAST.EXE
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\Clicktionary\Cleverlearn Clicktionary.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Katrin\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe
C:\Dokumente und Einstellungen\Katrin\Lokale Einstellungen\Temp\Temporäres Verzeichnis 2 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wiki.sl.to/?m=abc&t=&u=http:%2F%2Fwww.google.at%2F&x=C498C401-FA06-41B5-9D8F-19AF54B6AB21
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.chello.at:8080
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - C:\Programme\GMX\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [Sysman32] C:\WINDOWS\sysman32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: GMX Clicktionary 2.8.lnk = C:\Programme\Clicktionary\Cleverlearn Clicktionary.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .qt: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.next-1.de/cab/axload.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6ABC861A-31E7-4D91-B43B-D3C98F22A5C0} - http://secure.aconti.net/(jbg4qw55cctnqy452h3lru55)/secureweb/secureweb.cab
O16 - DPF: {C3FDA8CE-9414-4E33-AC6B-4922922259A5} - http://xbs.mtreexxx.nl/mt/dialers/ed/intl/nam/000316/Super_Heiss.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.wella.de/consumer/salon_products/kp/farbberatungk/koleston3/setup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB2AA2F-D861-4F67-953C-07223FD5DAF4}: NameServer = 195.34.133.10,195.34.133.11
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Saskija]

And now,
what should I delate 

[lee16]

About the links, try these new ones:

Spybot: http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=lst-0-2

Ad-Aware:  http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1


This is the hijackthis log analysis:

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hkcu\software\microsoft\internet explorer\searchurl
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
o1 - hosts: 127.0.0.3 n-glx.s-redirect.com
o1 - hosts: 127.0.0.3 x.full-tgp.net
o1 - hosts: 127.0.0.3 counter.sexmaniack.com
o1 - hosts: 127.0.0.3 autoescrowpay.com
o1 - hosts: 127.0.0.3 www.autoescrowpay.com
o1 - hosts: 127.0.0.3 www.awmdabest.com
o1 - hosts: 127.0.0.3 www.sexfiles.nu
o1 - hosts: 127.0.0.3 awmdabest.com
o1 - hosts: 127.0.0.3 sexfiles.nu
o1 - hosts: 127.0.0.3 allforadult.com
o1 - hosts: 127.0.0.3 www.allforadult.com
o1 - hosts: 127.0.0.3 www.iframe.biz
o1 - hosts: 127.0.0.3 iframe.biz
o1 - hosts: 127.0.0.3 www.newiframe.biz
o1 - hosts: 127.0.0.3 newiframe.biz
o1 - hosts: 127.0.0.3 www.vesbiz.biz
o1 - hosts: 127.0.0.3 vesbiz.biz
o1 - hosts: 127.0.0.3 www.pizdato.biz
o1 - hosts: 127.0.0.3 pizdato.biz
o1 - hosts: 127.0.0.3 www.aaasexypics.com
o1 - hosts: 127.0.0.3 aaasexypics.com
o1 - hosts: 127.0.0.3 www.virgin-tgp.net
o1 - hosts: 127.0.0.3 virgin-tgp.net
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o9 - extra button: yahoo! messenger - {e5d12c4e-7b4f-11d3-b5c9-0050045c3c96} - c:\progra~1\yahoo!\messen~1\ypager.exe (file missing)
o9 - extra 'tools' menuitem: yahoo! messenger - {e5d12c4e-7b4f-11d3-b5c9-0050045c3c96} - c:\progra~1\yahoo!\messen~1\ypager.exe (file missing)
o16 - dpf: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
o16 - dpf: {00000000-7777-0704-0b53-2c8830e9faec} - http://gn.next-1.de/cab/axload.cab
o16 - dpf: {2fc9a21e-2069-4e47-8235-36318989db13} (ppsdkactivexscanner.mainscreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
o16 - dpf: {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - http://secure.aconti.net/(jbg4qw55cctnqy452h3lru55)/secureweb/secureweb.cab
o16 - dpf: {c3fda8ce-9414-4e33-ac6b-4922922259a5} - http://xbs.mtreexxx.nl/mt/dialers/ed/intl/nam/000316/super_heiss.exe
o16 - dpf: {dc187740-46a9-11d5-a815-00b0d0428c0c} - http://www.wella.de/consumer/salon_products/kp/farbberatungk/koleston3/setup.cab


--lee

[lee16]

Also see here for another analysis: http://hijackthis.de/logfiles/5eb470769bfa88f12e787c6224ad17f9.html

Also by looking at your host files i can see that you have allot of malware, but ill let someone who knows more about host files confirm that for me.

Anyway i suggest you run both Ad-aware and Spybot to help clean up any left overs.

--lee

[Eddy]

Also fix these ones:

O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [Sysman32] C:\WINDOWS\sysman32.exe
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe

And immediatly visit WINDOWS UPDATE and install ALL security patches/updates.
Your system is very much out of date.