hallo
habe seit heute den w32spybot. habe mit hijach this einen scan gemacht und auf hijackthis.de einen check machen lassen habe alle gelöscht bis auf eine C:\WINDOWS\System32\SLEE81.exe running process. (SLEE81.exe)
This is a unknown process Ich vermute das des die quelle is aber der zeigt mir den bei mir im progy net an. Ich poste mal meine log. vielleicht kann mir ja einer helfe. Danke im vorraus

Logfile of HijackThis v1.97.7
Scan saved at 23:37:27, on 26.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programme\D-Tools\daemon.exe
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\PDSched.exe
C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Opera\opera.exe
C:\Dokumente und Einstellungen\spliff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F0645-CB19-4246-A99C-CC197424340E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97

Bitte lad dir das aktuelle HijackThis runter.Bekommst du hier:

http://filepony.de/download-hijackthis/

und poste den Log!

Hast du evtl. noch den Log deines Escans auf dem Rechner?Wenn ja-poste auch diesen.

Gruss

Cronos

Bitte lad dir das aktuelle HijackThis runter.Bekommst du hier:

http://filepony.de/download-hijackthis/

und poste den Log!

.

Gruss

Cronos

JO
hier is mein neues logfile mit dem neuen HijackThis tool.

Logfile of HijackThis v1.98.2
Scan saved at 12:48:31, on 27.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programme\D-Tools\daemon.exe
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\PDSched.exe
C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Opera\opera.exe
C:\Dokumente und Einstellungen\spliff\Desktop\hijackthis1982\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F0645-CB19-4246-A99C-CC197424340E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97

und danke für die antwort.

THX Crhis

Was ist den der ESCANS?

@chris83vhm
SLEE81.exe gehört zu steganos
http://www.what-process.com/process-...x?p=SLEE81.exe
zum w32spybot, wo würde der gefunden?
infos hier

diese dateien C:\WINDOWS\System32\PDSched.exe
C:\windows\system32\winyel32.exe
hier überprüfen lassen
und das ergebnis hier posten
wechsle in den abgesicherten modus und fixe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
danach manuell löschen
C:\windows\system32\winyel32.exe
C:\WINDOWS\System32\PDSched.exe
neu starten und ein neues HJT logfile posten
chaosman

Wenn ich "C:\WINDOWS\System32\PDSched.exe" und "C:\windows\system32\winyel32.exe" oben eingebe File to upload & scan: auf http://virusscan.jotti.org/de dann kommt bei "http://virusscan.jotti.org/de":
Service load:
0% 100%
File: PDSched.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
MORPHINE, ASPACK

AntiVir
Worm/SdBot.JT (0.14 seconds taken)
Avast
Win32:SdBot-388 (1.51 seconds taken)
BitDefender
Backdoor.SDBot.IE (0.32 seconds taken)
ClamAV
Trojan.SdBot.Gen-142 (0.33 seconds taken)
Dr.Web
BackDoor.Optix.12 (0.70 seconds taken)
F-Prot Antivirus
W32/Spybot.AMH (0.06 seconds taken)
Kaspersky Anti-Virus
Backdoor.SdBot.jt (0.89 seconds taken)
mks_vir
Trojan.Sdbot.Jt (0.19 seconds taken)
NOD32
IRC/SdBot.AFO (0.36 seconds taken)
Norman Virus Control
W32/SDBot.ANN (0.10 seconds taken)

Statistics
Last piece of malware found was W32/SDBot.ANN in PDSched.exe, detected by:


Scanner Malware name Time taken
AntiVir Worm/SdBot.JT 0.14 seconds
Avast Win32:SdBot-388 1.51 seconds
BitDefender Backdoor.SDBot.IE 0.30 seconds
ClamAV Trojan.SdBot.Gen-142 0.32 seconds
Dr.Web BackDoor.Optix.12 0.70 seconds
F-Prot Antivirus W32/Spybot.AMH 0.06 seconds
Kaspersky Anti-Virus Backdoor.SdBot.jt 0.88 seconds
mks_vir Trojan.Sdbot.Jt 0.19 seconds
NOD32 IRC/SdBot.AFO 0.36 seconds
Norman Virus Control W32/SDBot.ANN 0.10 seconds


Service statistics:

11090 files (7968 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
2330 of those 7968 files contained a virus or any other form of malware.
This page has been visited 25354 times in this time period.
This service managed to spot 136 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1066 suspicious files without any help from scanner results.
However, 112 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 98.59% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:


Rank Malware name Uploaded Last known filename
1 backdoor.sdbot.gen 188 times outlook.dat
2 behaveslike:trojan.downloader 180 times satmat.exe
3 backdoor.agobot.3.gen 90 times lnmgr2.exe
4 tr/drop.delf.fd.1 84 times WINAMP~1.zip
5 tr/spam.avafx 68 times vbsys.dll
6 backdoor.win32.agobot.gen 43 times fiz.exe
7 tr/dldr.inservice.i 41 times LOMALKA.RU-SolarWinds_2002_Engineer_Edition_by_OZ_.zip
8 win32:trojan-gen. {other} 39 times server2.exe
9 tr/dldr.small.uv.3 34 times s1p1y.exe
10 win32:trojan-gen. 27 times f0r0r.rar
11 win32.p2p.spybot.gen 26 times BSPlayer.exe
12 behaveslike:win32.av-killer 26 times winshost.exe
13 backdoor.rbot.gen 25 times rBotupxvgc.exe
14 backdoor.wootbot.gen 24 times Kopie van 1.exe.exe
15 win32.hllw.mybot.based 23 times winserva.exe

und bei "C:\windows\system32\winyel32.exe":
Service load:
0% 100%
File: winyel32.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
FSG

AntiVir
TR/StartPage.NK.3 (0.15 seconds taken)
Avast
Win32:StartPage-042 (1.53 seconds taken)
BitDefender
Trojan.Clicker.BA (0.94 seconds taken)
ClamAV
Trojan.Startpage-78 (0.32 seconds taken)
Dr.Web
Trojan.StartPage.256 (0.49 seconds taken)
F-Prot Antivirus
W32/Startpage.CJ (0.06 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.StartPage.nk (0.59 seconds taken)
mks_vir
Trojan.Startpage.Nk (0.19 seconds taken)
NOD32
Win32/StartPage.NK (0.37 seconds taken)
Norman Virus Control
W32/Startpage.EC (0.10 seconds taken)

Statistics
Last piece of malware found was W32/SDBot.ANN in PDSched.exe, detected by:


Scanner Malware name Time taken
AntiVir Worm/SdBot.JT 0.14 seconds
Avast Win32:SdBot-388 1.51 seconds
BitDefender Backdoor.SDBot.IE 0.30 seconds
ClamAV Trojan.SdBot.Gen-142 0.32 seconds
Dr.Web BackDoor.Optix.12 0.70 seconds
F-Prot Antivirus W32/Spybot.AMH 0.06 seconds
Kaspersky Anti-Virus Backdoor.SdBot.jt 0.88 seconds
mks_vir Trojan.Sdbot.Jt 0.19 seconds
NOD32 IRC/SdBot.AFO 0.36 seconds
Norman Virus Control W32/SDBot.ANN 0.10 seconds


Service statistics:

11091 files (7968 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
2330 of those 7968 files contained a virus or any other form of malware.
This page has been visited 25356 times in this time period.
This service managed to spot 136 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1066 suspicious files without any help from scanner results.
However, 112 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 98.59% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:


Rank Malware name Uploaded Last known filename
1 backdoor.sdbot.gen 188 times outlook.dat
2 behaveslike:trojan.downloader 180 times satmat.exe
3 backdoor.agobot.3.gen 90 times lnmgr2.exe
4 tr/drop.delf.fd.1 84 times WINAMP~1.zip
5 tr/spam.avafx 68 times vbsys.dll
6 backdoor.win32.agobot.gen 43 times fiz.exe
7 tr/dldr.inservice.i 41 times LOMALKA.RU-SolarWinds_2002_Engineer_Edition_by_OZ_.zip
8 win32:trojan-gen. {other} 39 times server2.exe
9 tr/dldr.small.uv.3 34 times s1p1y.exe
10 win32:trojan-gen. 27 times f0r0r.rar
11 win32.p2p.spybot.gen 26 times BSPlayer.exe
12 behaveslike:win32.av-killer 26 times winshost.exe
13 backdoor.rbot.gen 25 times rBotupxvgc.exe
14 backdoor.wootbot.gen 24 times Kopie van 1.exe.exe
15 win32.hllw.mybot.based 23 times winserva.exe

hoffe des stimmt so

Hallo chris83vhm,

Information zu SDBOT.JT -> "Erläuterung" beachten: "verfügt auch über Backdoortrojaner-Funktionalität, die unbefugten Fernzugriff auf den infizierten Computer mittels IRC-Kanälen ermöglicht, während er als Dienstprozess im Hintergrund aktiv ist."

Dein System ist kompromittiert. Löschen von Würmern mit Backdoor-Funktionalität reicht nicht, siehe Entfernung von Schädlingen. Du solltest Dein System formatieren, Lutz Rat zur Datensicherung beachten und nach Cidre's Rat vorgehen.

SD