Hijacker in meinem Explorer Logfile post

Rage4444 · 28.12.2004, 23:36

Halloechen!
ich habe das Problem das ich einen rechener habe der mit einem Hijacker verseucht ist.
Der Hijacker heisst coollwwwsearch UND GEHT MIR AUFN SACK ):

Ich habe schon sämtliche anti spysoftware drueber laufen lassen und keiner konnte den hijacker isolieren bzw. erkennen und löschen!!!
z.b. hatte ich : S&D dann cw shreder addaware dann autoex usw. Dann habe ich das prog. Hijacker gefunden das mir eine Liste mit verdächtigen Reg. Einträgen zeigt!! Aber welches ist das richtige oder gar alle (: vieleicht findet sich ja einer der das auch hatte und mir helfen kann das waere sehr NETT (: bitte bitte!!!!

So hier nun das Logfile von Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 18:14:22, on 28.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
D:\ScanSoft\OmniPagePro14.0\Opware14.exe
D:\ScanSoft\OmniPagePro14.0\OpScheduler.exe
D:\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
D:\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
D:\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\ABox.exe
D:\Norton AntiVirus\SAVScan.exe
D:\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\w?nspool.exe
D:\FRITZ!\FriFax32.exe
D:\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
D:\FRITZ!\FriFax32.exe
D:\Microsoft ActiveSync\WCESMgr.exe
D:\Microsoft Office\Office10\OUTLOOK.EXE
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Dokumente und Einstellungen\-Guenter-\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\-GUENT~1\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\-GUENT~1\LOKALE~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C27CB4B-BEB1-43C6-A265-F2FEC5E56609} - C:\WINDOWS\System32\pldc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "D:\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "D:\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "D:\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
O4 - HKLM\..\Run: [SSPrnAgent] D:\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
O4 - HKLM\..\Run: [Jreg] "C:\Program Files\Common Files\Java\Jreg2b.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AWMON] "D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Winsock2 driver] MMTASK9.EXE
O4 - HKLM\..\Run: [ABox] C:\WINDOWS\ABox.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\breg.exe"
O4 - HKLM\..\Run: [BTV] "C:\Program Files\BTV\btv.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Rdxvjh] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [Alrt] C:\Dokumente und Einstellungen\-Guenter-\Anwendungsdaten\dscn.exe
O4 - Startup: FRITZ!fax.lnk = D:\FRITZ!\FriFax32.exe
O4 - Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Startup: OmniPage Arbeitsprozess-Starter.lnk = ?
O4 - Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: FRITZ!fax.lnk = D:\FRITZ!\FriFax32.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OmniPage Arbeitsprozess-Starter.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\program files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: PDF in Word öffnen - res://D:\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /500
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://207.234.185.217/ABoxInst_int2.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104178937569
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5119CE1-55CA-4007-9D34-7C220F43C309}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7896201-7D38-4721-87BC-049032470224}: NameServer = 192.168.0.1
O18 - Filter: text/html - {37D3464C-3CB6-4306-BE75-1C23C11239BE} - C:\WINDOWS\System32\pldc.dll
O18 - Filter: text/plain - {37D3464C-3CB6-4306-BE75-1C23C11239BE} - C:\WINDOWS\System32\pldc.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - D:\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

Shadowdance · 28.12.2004, 23:47

@ Rage4444

Du hast einige Probleme auf dem Rechner. Lade daher zunächst den eScan runter, erstelle dafür einen neuen Ordner (=Verzeichnis) c:\bases, update den eScan online und führe ihn offline im abgesicherten Modus aus. Beachte, dass der eScan ab Version 4.5.1 die gefundene Malware nicht löscht, das wir von Hand gemacht. - Die Online-Anleitung bitte genau durchlesen. -

Lass uns dann das Ergebnis wissen: welche Viren wurden auf Deinem Rechner gefunden: "öffne die mwav.log -> Bearbeiten -> Suchen -> infected eingeben -> Weitersuchen -> Treffer markieren/kopieren und ins Forum übertragen." (Zitat Cidre)

SD

Rage4444 · 29.12.2004, 15:18

Hallo
so nun die Ergebnise von meinem e scan:
Wed Dec 29 11:50:16 2004 => File C:\WINDOWS\System32\pldc.dll infected by "Trojan.Win32.StartPage.qr" Virus. Action
Wed Dec 29 11:50:36 2004 => File C:\WINDOWS\ABox.exe infected by "not-a-virus:AdWare.AdBox.a" Virus. Action Taken: No Action Taken.
Wed Dec 29 11:50:16 2004 => File C:\WINDOWS\System32\pldc.dll infected by "Trojan.Win32.StartPage.qr" Virus. Action
Wed Dec 29 11:50:40 2004 => File C:\WINDOWS\logon.exe infected by "Trojan-Downloader.Win32.VB.fi" Virus. Action Taken: No Action Taken.
Wed Dec 29 11:51:36 2004 => File C:\WINDOWS\System32\iexpiore.exe infected by "Trojan.Win32.StartPage.ps" Virus. Action Taken: No Action
Wed Dec 29 11:51:39 2004 => File C:\WINDOWS\System32\intron.exe infected by "Trojan.Win32.StartPage.ps" Virus. Action Taken: No Action Taken.
Wed Dec 29 11:52:49 2004 => File C:\WINDOWS\System32\pldc.dll infected by "Trojan.Win32.StartPage.qr" Virus. Action Taken: No Action Taken.
Wed Dec 29 11:54:08 2004 => File C:\aigsp.chm infected by "Exploit.CodeBaseExec" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:14 2004 => File C:\WINDOWS\ABox.exe infected by "not-a-virus:AdWare.AdBox.a" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\ABoxInst_int4.exe infected by "Trojan-Downloader.Win32.VB.ft" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ABoxInst_int4.exe infected by "Trojan-Downloader.Win32.VB.ft" Virus. Action Taken: No Action Taken.
ed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ABoxInst_int4.exe infected by "Trojan-Downloader.Win32.VB.ft" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:48 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:02:49 2004 => File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:10:49 2004 => File C:\WINDOWS\logon.exe infected by "Trojan-Downloader.Win32.VB.fi" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:17:43 2004 => File C:\WINDOWS\system32\iexpiore.exe infected by "Trojan.Win32.StartPage.ps" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:17:46 2004 => File C:\WINDOWS\system32\intron.exe infected by "Trojan.Win32.StartPage.ps" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:19:18 2004 => File C:\WINDOWS\system32\pldc.dll infected by "Trojan.Win32.StartPage.qr" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\00A4119E.htm infected by "Exploit.CodeBaseExec" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\00D5496F.class infected by "Trojan.Java.ClassLoader.d" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\022227CB.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\022651C7.dll infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\023454BC infected by "Worm.P2P.SpyBot.gen" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\023C6F16.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:37 2004 => File D:\Norton AntiVirus\Quarantine\0243285B.class infected by "TrojanDropper.Java.Beyond.c" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\02870242 infected by "not-a-virus:AdWare.PurityScan.z" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\06BD4263.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\06BD4263.dll infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\071D1486.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\07FB7F81.class infected by "TrojanDownloader.Java.OpenStream.h" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\08432343.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\08432343.dll infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\08566797.class infected by "TrojanDownloader.Java.OpenStream.h" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\08C02718.class infected by "Trojan.Java.ClassLoader.d" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:38 2004 => File D:\Norton AntiVirus\Quarantine\09BE0889 infected by "Worm.P2P.SpyBot.gen" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0B5418D4 infected by "TrojanDropper.Win32.Small.hx" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0B797AB9.class infected by "TrojanDownloader.Java.OpenStream.h" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0BA67211.htm infected by "Exploit.CodeBaseExec" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0BCF5962.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0BD3035F.dll infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0C587E47.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0C5B2844.dll infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Wed Dec 29 12:35:39 2004 => File D:\Norton AntiVirus\Quarantine\0C763194.bin infected by "Trojan.Win32.StartPage.is" Virus. Action Taken: No Action Taken.
Das ist nur ein auszug von meinen Problemen sooo.... (: wie bekomme ich diesen scheiss jetzt wieder von meinem Rechenr runter?????

Lieber Grüße Rage und thx im voraus (:

Hijacker in meinem Explorer Logfile post

Log-Analyse und Auswertung: Hijacker in meinem Explorer Logfile post