Log analysis and evaluation: Is this a new hijacker? (about:blank, sp.dll, OPNNDB.DLL)
#1

Is this a new hijacker? (about:blank, sp.dll, OPNNDB.DLL)

Here is another logfile (with comments) from a "hijacked" system; maybe someone can make use of it, or it helps others with the same problem. (Sorry that the explanations are in English, but I first thought I would post it in another forum.)

-----

Looks like I found a new IE hijacker that is not recognized by CWShredder v2.12, but fixable with HijackThis v1.99.0. It was on a friend's system still running Win98 on a Pentium II, 64 MB machine labeled as "Pentium III inside" (which is what they paid for, too!).

Symptom was that the start page remained set to about:blank, but displayed a "Search for..." web page from res://c:\windows\TEMP\sp.dll/sp.html with JavaScript context menu blocking and lists of those typical "spam" keywords (mortgage, refinance, penis enlargement etc.). I actually was asked to check the system because they had seen a "your computer is infected" popup while surfing, but I didn't find any signs of an actual infection except IE hijacking. This one may have been running for several weeks already.

I hadn't read of CoolWebSearch and other hijackers before (except on this system, which some time ago had its start page changed to a porn URL), and tried the normal cleaning approach: checking the registry, removing the dubious search bar / search page entries (see listing below) and deleting (or actually, renaming) the mentioned DLL file. Reopening IE, I found the registry settings had been put back and the DLL file was back again. I put a 0 kB read-only text file in its place, but the "Search for..." page still kept coming back (even without any DLL).

Equipped with CWShredder and HijackThis I tried again. Surprisingly, CWShredder didn't find anything, but here's what HJT found:

Code:
```text
Logfile of HijackThis v1.99.0
Scan saved at 10:16:17, on 04.02.05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE <-- ZoneAlarm service
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE <-- ATI graphics drivers systray icon, now removed with control panel setting
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE <-- runs the mixer/volume utility for the sound card
C:\WINDOWS\SYSTEM\STIMON.EXE <-- still image (scanner) service?
C:\PROGRAMME\SAHBAK\HEBREW EMAIL SUPPORT.EXE <-- places a button in each window title bar that starts up a Hebrew email client; this is ok.
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE <-- "Microsoft QMgr", whatever that is...
C:\PROGRAMME\ZONEALARM\ZONEALARM.EXE
C:\OPLIMIT\OCRAWARE.EXE <-- OCR (scanner) driver
C:\PROGRAMME\MSWORKS\KALENDER\WKCALREM.EXE <-- msworks calendar reminder (don't know if they use it at all)
C:\ATI\ATIDESK\ATISCHED.EXE
C:\OPLIMIT\OCRAWR32.EXE <-- dammit, why does scanner software need so many TSR programs??
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TOBIAS\ANTICRAPWARETOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html <-- this DLL file kept coming back when I deleted it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer <-- I removed the AOL branding here...
O2 - BHO: (no name) - {997D668C-883F-4ACE-A483-5E8533BE04E8} - C:\WINDOWS\SYSTEM\OPNNDB.DLL <-- this DLL was only a few weeks old and apparently "is" the Hijacker
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE <-- this exefile doesn't even exist... what would it be good for?
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe <-- printer control program
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [cFosInst_Check] C:\WINDOWS\OEMCFOS2\CFOSINST.EXE -install -loud <-- what is this??
O4 - HKLM\..\Run: [Hebrew Service] C:\PROGRAMME\SAHBAK\Hebrew Email Support.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAMME\AIM95\aim.exe -cnetwait.odl <-- not effective because I renamed the AIM95 folder to see if anyone would complain
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAMME\AIM95\aim.exe -cnetwait.odl
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Microsoft Works Kalender Erinnerungen.lnk = C:\Programme\MSWorks\Kalender\WKCALREM.EXE
O4 - Startup: ATI Scheduler.lnk = C:\ati\atidesk\atisched.exe
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\Programme\AOL 6.0\aoltray.exe <-- removed this one too, they don't use AOL anymore
O4 - Global Startup: ZoneAlarm.lnk = C:\Programme\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAMME\AIM95\AIM.EXE (file missing)
O9 - Extra button: Sahbak - {0951AED1-3295-4843-BCDD-4D25DFB721BC} - %windir%\sahbak.lnk (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.de/e55/
O16 - DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} (AMI DicomDir TreeView Control 2.1) - file://D:\CDVIEWER\CdViewer.cab
O18 - Filter: text/html - {64C7B916-D425-4809-9F44-A023C9114575} - C:\WINDOWS\SYSTEM\OPNNDB.DLL <-- apparently the filters used by the hijacker
O18 - Filter: text/plain - {64C7B916-D425-4809-9F44-A023C9114575} - C:\WINDOWS\SYSTEM\OPNNDB.DLL <-- apparently the filters used by the hijacker
```
__________________
The whole is more improbable than the sum of its parts.
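The entries the poster marks with "<--" (the res:// search bar under %TEMP%, the nameless O2 BHO, and the two O18 MIME filters, all pointing at OPNNDB.DLL) are exactly the ones a triage script can pick out of a HijackThis log, and cross-referencing which module shows up in several sections is what explains why deleting sp.dll and the registry values alone did not stick: a DLL registered as both a BHO and a MIME filter runs inside IE itself and can re-create them. The following Python is an added example, not part of the original post or of HijackThis. The sample log is constructed from the lines above, the names `triage`, `shared_modules` and `Finding` are my own, and the "(file missing)" rule goes slightly beyond the post by also flagging stale autostart entries. It parses the log text only; it cannot check the registry or whether a file exists.

```python
"""Triage a HijackThis log for the about:blank / res:// hijack pattern.

Added example (not from the original post or from HijackThis). It parses the
textual HJT entries only; it never touches the registry or the filesystem.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: hijack-relevant lines copied from the log above,
# plus a few benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html <-- this DLL file kept coming back when I deleted it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
O2 - BHO: (no name) - {997D668C-883F-4ACE-A483-5E8533BE04E8} - C:\WINDOWS\SYSTEM\OPNNDB.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAMME\AIM95\AIM.EXE (file missing)
O18 - Filter: text/html - {64C7B916-D425-4809-9F44-A023C9114575} - C:\WINDOWS\SYSTEM\OPNNDB.DLL
O18 - Filter: text/plain - {64C7B916-D425-4809-9F44-A023C9114575} - C:\WINDOWS\SYSTEM\OPNNDB.DLL
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path ending in a loadable module (lazy, so it stops at the first extension).
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.(?:dll|ocx|exe)", re.IGNORECASE)
# res://<module>/<resource>: the page is rendered from a resource inside a local DLL.
RES_RE = re.compile(r"res://(?P<module>[^/]+)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    module: Optional[str]   # upper-cased module path, if the entry names one
    line: str


def module_in(body: str) -> Optional[str]:
    m = MODULE_RE.search(body)
    return m.group(0).upper() if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the hijack rules to every 'Rn - ...' / 'On - ...' entry in the log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.split("<--", 1)[0].strip()     # drop the poster's inline comments
        m = ENTRY_RE.match(line)
        if not m:
            continue                              # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and "= res://" in body:
            reason = "IE page served from a local DLL resource"
            if "\\TEMP\\" in body.upper():
                reason += " under %TEMP% (payload, not a vendor setting)"
            r = RES_RE.search(body)
            findings.append(Finding(section, reason, r.group("module").upper() if r else None, line))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "nameless BHO loaded into every IE/Explorer process", module_in(body), line))
        elif section == "O18" and re.search(r"Filter: text/(html|plain)", body):
            findings.append(Finding(section, "MIME filter sees every HTML/text page IE renders", module_in(body), line))
        elif "(file missing)" in body:
            # Goes beyond the post: stale entries are harmless but worth cleaning up.
            findings.append(Finding(section, "entry points at a file that no longer exists", module_in(body), line))
    return findings


def shared_modules(findings: List[Finding]) -> Dict[str, List[str]]:
    """Modules referenced from more than one HJT section.

    A DLL that is both a BHO (O2) and a MIME filter (O18) runs inside IE itself,
    which is how it can rewrite the R1 values and re-create sp.dll after deletion.
    """
    by_module: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f.module:
            by_module[f.module].add(f.section)
    return {mod: sorted(secs) for mod, secs in by_module.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for mod, secs in shared_modules(found).items():
        print(f"persistence candidate: {mod} appears in {', '.join(secs)}")
```

Run as-is it reports the two res:// search-bar values, the nameless BHO, both MIME filters and the stale AIM button, then names OPNNDB.DLL as the module shared between O2 and O18; to use it on another machine, paste that machine's HijackThis output into SAMPLE_LOG or read it from a file. The O3 toolbar and the O4 entries are deliberately left alone, since nothing in the log marks them as suspicious.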