mszx23.exe "Backdoor.Win32.Haxdoor.bh"

cratchy · 29.01.2005, 20:41

Brauche Hilfe!

Hab nen üblen Bösewicht auf meinem Rechner der nicht weg will.
Bei Systemstart, geht popup auf. zonelab zeigt ungefähr 10 Programme an die ins Netz wollen...
eScann findet die auch alle. aber selbst wenn ich im abgesicherten modus wieder starte ist jedesmal die "mszx23.exe" wieder da! (Window/System32).

hier mein hijack-log:

Logfile of HijackThis v1.99.0
Scan saved at 20:29:54, on 29.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Andreas\LOKALE~1\Temp\Rar$EX00.531\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://a-search.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b11234
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a11234
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a11234
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.53/search.cgi?b11234
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.53/search.cgi?a11234
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.53/search.cgi?a11234
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.53/search.cgi?b11234
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26EC4DF8-9588-4DEB-BC78-0D83F8246262} - C:\WINDOWS\System32\msadf.dll (file missing)
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\webdlg32.dll (file missing)
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll (file missing)
O2 - BHO: Pop Class - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\WINDOWS\winsx.dll (file missing)
O2 - BHO: (no name) - {C7602FAF-C4CF-407C-8771-10AF46AD9A92} - C:\WINDOWS\System32\protect32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll (file missing)
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\webdlg32.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: AcrobatAssistent.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: winupdate10339852[1].exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix: http://69.50.191.50/1/?
O13 - Home Prefix:
O13 - Mosaic Prefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.bestsearch.cc
O15 - Trusted Zone: *.dapsol.com
O15 - Trusted Zone: *.bestsearch.cc (HKLM)
O15 - Trusted Zone: *.dapsol.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49551ECC-0720-47E2-85B0-97ADD5EE7EB8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{96116CC1-9537-4FDE-B544-17FB0ABE75B4}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A982CF27-FFFD-4B8F-A54D-C43D168C48A2}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8558DD5-F9AC-4625-9CD4-7CC70D6BA593}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{49551ECC-0720-47E2-85B0-97ADD5EE7EB8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{49551ECC-0720-47E2-85B0-97ADD5EE7EB8}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {C4656594-C361-41DE-BC86-E65A9E812617} - C:\WINDOWS\System32\protect32.dll
O18 - Filter: text/plain - {C4656594-C361-41DE-BC86-E65A9E812617} - C:\WINDOWS\System32\protect32.dll
O23 - Service: Adobe LM Service - Unknown - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Schonmal danke!

mszx23.exe "Backdoor.Win32.Haxdoor.bh"

Plagegeister aller Art und deren Bekämpfung: mszx23.exe "Backdoor.Win32.Haxdoor.bh"

mszx23.exe "Backdoor.Win32.Haxdoor.bh"

Ähnliche Themen: mszx23.exe "Backdoor.Win32.Haxdoor.bh"