What next: message "Access to website blocked"

Hello,
I hope to get help here regarding a recurring message from my avast! virus scanner (freeware).
In order:
I copied pictures from an SD card to my PC (the card had previously been in another laptop). Since then the message keeps appearing that avast! has blocked access to a website. It concerns two different URLs:

http://nnh42.name/a/
http://jsh37.net/a/
The infection details also show in each case:
Process: C:\Windows\System32\WScript.exe
Infection: URL:Mal
In addition, a great many Windows Update icons appear in the taskbar under "hidden icons". If you move the mouse over them, they simply disappear.

A full scan of my system found nothing, however.
While I am writing this, avast! has also produced the following message:
Infection: JS:Iframe-AMQ [Trj]
Process: C:\Windows\System32\WScript.exe
URL: http://www.carbonsmart.co.uk/index.php?q

So it seems to be a Trojan.
Since avast! only seems to block access but cannot remove the cause, I depend on help.
So what can I do now?

Thanks in advance

Please follow these instructions: http://forum.avast.com/index.php?topic=102616.0

Welcome to the forum,
Asyn

Unfortunately it took a while, but I hope I can now upload all the required files.
Since the programs were prevented from starting in normal mode, I had to choose "Safe Mode" every time.

I hope someone can help me further now.

And the aswmbr as well

Well done...!! :slight_smile:
Please be patient, one of our experts will reply here.

Regards, Asyn

Hello, the infection was from the SD card. When running McShield make sure the card is inserted

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {326E768D-4182-46FD-9C16-1449A49795F4} - No CLSID value found.
O2 - BHO: (no name) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - No CLSID value found.
O4 - HKU\S-1-5-21-1903657100-1192547202-2996381717-1000..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js ()
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\Program Files\b105
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\af87
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
[2013.03.25 08:02:50 | 000,046,000 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.25 08:02:50 | 000,046,000 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.06 18:27:36 | 000,000,032 | ---- | M] () -- C:\Windows\0
[2013.03.25 08:00:00 | 000,046,000 | ---- | C] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.25 08:00:00 | 000,046,000 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js
[2013.03.06 18:26:45 | 000,000,032 | ---- | C] () -- C:\Windows\0
[2013.03.06 18:26:45 | 000,000,000 | ---- | C] () -- C:\Windows\System32\0

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download McShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the SD Card and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

I have carried out the instructions as described. Attached are the two files.
However, McShield does not produce an analysis for the SD card.

I have also made a screenshot of the countless Windows Update icons mentioned earlier.
As I said, if you move the mouse over them they disappear immediately.
More of them appear over time as well.

This takes a few runs completely delete

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js ()
[2013.03.25 12:48:53 | 000,046,070 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js
[2013.03.25 12:48:53 | 000,046,070 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ef5.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

What? Maybe it’s easier for you to write in english? This sentence makes no sense.

OK my German is rubbish :o, basically it may take a few runs to kill this

Yes I think so... I hope you can help me. Or you at least have a proposal what else I can do.
Attached is the new otl.txt

I am going to try a double kill this time. OTL will not reboot, once it has run then immediately run Avenger

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O4 - HKCU..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js ()
[2013.03.25 19:37:06 | 000,046,115 | ---- | M] () -- C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
[2013.03.25 19:37:06 | 000,046,115 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
[2013.03.25 13:11:04 | 000,000,000 | -HSD | M] -- C:\Users\Momo\AppData\Roaming\ae0d

:Files
C:\Program Files\b105
C:\af87
C:\Users\Momo\AppData\Roaming\ae0d
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]

[*]Then click the Run Fix button at the top

THEN

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

https://dl.dropbox.com/u/73555776/avenger.jpg

Begin copying here: 
Files to delete:
C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js

Folders to delete:
C:\Program Files\b105
C:\af87
C:\Users\Momo\AppData\Roaming\ae0d


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.
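As an added, defender-side example (not code from this thread, from OTL, or from The Avenger): a small Python triage of OTL-style log lines, modelled on the entries in the fixes above, that flags the persistence pattern seen here, script files (.js, run through WScript.exe) registered under Run keys or in the Startup folder, plus hidden+system directories with short random names. The sample log is constructed, and the heuristics (script extensions, random-name pattern) are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample OTL log lines, modelled on the entries quoted in this thread;
# the last two lines are constructed benign entries for contrast.
SAMPLE_OTL_LOG = r"""
O4 - HKU\S-1-5-21-1903657100-1192547202-2996381717-1000..\Run: [b81bb] C:\Users\Momo\AppData\Roaming\ae0d\b81bb.js ()
O4 - Startup: C:\Users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e0e0e.js ()
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\af87
[2013.03.23 15:42:11 | 000,000,000 | -HSD | C] -- C:\Users\Momo\AppData\Roaming\ae0d
O4 - HKLM..\Run: [Example] C:\Program Files\Example\example.exe (Example Corp)
[2013.03.23 15:42:11 | 000,000,000 | ---D | C] -- C:\Users\Momo\Pictures\Holiday
"""

# Extensions handled by the Windows Script Host (assumption: the interesting set here).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# O4 autorun line: "O4 - <location>: [<name>] <path> (<company>)", name is optional.
AUTORUN_RE = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \((?P<company>[^)]*)\)$")
# File/folder line: "[<timestamp> | <size> | <attrs> | C|M] [()] -- <path>".
FILE_RE = re.compile(r"^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] (?:\(\) )?-- (?P<path>.+)$")
# Short hex-looking leaf names such as "af87" or "ae0d" (assumption: a random-name heuristic).
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{3,6}$", re.IGNORECASE)


def triage_otl(log_text: str) -> List[Dict[str, str]]:
    """Return a list of suspicious entries found in OTL-style log text."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            path = m.group("path")
            lower = path.lower()
            if lower.endswith(SCRIPT_EXTS):
                # A script file as an autorun target is executed by WScript.exe at logon.
                findings.append({"kind": "script-autorun", "where": m.group("loc"), "path": path})
            elif not m.group("company") and "\\appdata\\roaming\\" in lower:
                # No publisher and a per-user data directory: worth a look even if not a script.
                findings.append({"kind": "unsigned-appdata-autorun", "where": m.group("loc"), "path": path})
            continue
        m = FILE_RE.match(line)
        if m and set("HSD") <= set(m.group("attr")):
            # Hidden + system directory; flag it when its name looks machine-generated.
            full = m.group("path")
            if RANDOM_NAME_RE.match(full.rsplit("\\", 1)[-1]):
                findings.append({"kind": "hidden-system-dir", "where": "filesystem", "path": full})
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL_LOG):
        print(f"{f['kind']:<24} {f['where']:<60} {f['path']}")
```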

OK. Attached is the avenger.txt.

The system has restarted only once.
It's also quite difficult to restart. I'm not sure if it's correct that it restarts in normal mode.
Because I have to start all these programs in "safe mode". They may not start in "normal" mode. Hope this is not a problem.

Could you now boot to normal mode please and run one further OTL scan

As I said before, the OTL program will not start in normal mode. So I can't run an OTL scan in normal mode.

So even after the removal OTL will not run in normal mode ?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Attached the ComboFix.txt.
I also couldn't start the program in normal mode. So I had to start it (as every time) in safe mode.

And 'yes' to your question; even after the "removal" OTL will not run in normal mode. It starts for a very short time (approx. 1 sec) and then it closes. This was the same with ComboFix.

On completion of this run could you try normal mode again please

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::

File::
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js

Folder::
c:\users\Momo\AppData\Roaming\ae0d
C:\af87
c:\program files\b105

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

I tried normal mode.
Referring to the picture, I dragged CFScript into ComboFix.exe.
For a short time I saw the red and the blue loading bar. Then it closes and that's it.
What should I do now?