|
Log-Analyse und Auswertung: Hijack-log: Habe Trojaner/Startpage.qr !!Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
06.02.2005, 23:40 | #1 |
| Hijack-log: Habe Trojaner/Startpage.qr !! Hallo, meine Tochter hat den Trojaner Stratpage.qr. Was múss ich löschen? Gruß Dieter ****************************************** Logfile of HijackThis v1.98.2 Scan saved at 23:34:13, on 06.02.2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE C:\PROGRAMME\RFA\RFAGENT.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS1982.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\MESSENGER\YCOMP.DLL O2 - BHO: (no name) - {A5D10477-1FF8-CF3B-EF8C-2ACDEB824A32} - C:\WINDOWS\ANWENDUNGSDATEN\DEFYJUGS\FREE MEAL.EXE (file missing) O2 - BHO: (no name) - {51FC34FC-6538-4113-8CD2-E7AF1277C2B1} - C:\WINDOWS\SYSTEM\LEFO.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\MESSENGER\YCOMP.DLL O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min O4 - HKLM\..\Run: [rfagent] C:\PROGRAMME\RFA\rfagent.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll O12 - Plugin for .a<a>sx: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://www.lycos.de/ O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O18 - Filter: text/html - {6EA381DD-3E04-4F09-B016-C5567CF15804} - C:\WINDOWS\SYSTEM\LEFO.DLL O18 - Filter: text/plain - {6EA381DD-3E04-4F09-B016-C5567CF15804} - C:\WINDOWS\SYSTEM\LEFO.DLL ************************************* |
07.02.2005, 09:00 | #2 |
| Hijack-log: Habe Trojaner/Startpage.qr !! @DiRuKu
__________________manchmal hilft die boardsuche ungemein. http://www.sophos.de/virusinfo/analy...startpaei.html update dein IE wechsle dann in den abgesicherten modus und fixe mit HJT R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.htm O2 - BHO: (no name) - {A5D10477-1FF8-CF3B-EF8C-2ACDEB824A32} - C:\WINDOWS\ANWENDUNGSDATEN\DEFYJUGS\FREE MEAL.EXE (file missing) O2 - BHO: (no name) - {51FC34FC-6538-4113-8CD2-E7AF1277C2B1} - C:\WINDOWS\SYSTEM\LEFO.DLL O18 - Filter: text/html - {6EA381DD-3E04-4F09-B016-C5567CF15804} - C:\WINDOWS\SYSTEM\LEFO.DLL O18 - Filter: text/plain - {6EA381DD-3E04-4F09-B016-C5567CF15804} - C:\WINDOWS\SYSTEM\LEFO.DLL danach manuell löschen C:\WINDOWS\SYSTEM\LEFO.DLL neu booten, neue aktuelle version von HJT downloaden neues HJT logfile posten incredimail ist, wenn ich mich nicht täusche, werbefinanziert. steige lieber auf thunderbird um. chaosman
__________________ |
09.02.2005, 19:40 | #3 |
| Hijack-log: Habe Trojaner/Startpage.qr !! Hallo,
__________________habe alles so gemacht, der Trojaner ist nun weg. Super! Vielen Dank. Gruß Dieter Hier nun nochmals mein aktulles Logfile mit dem neusten HijackThis: ******************************************************** Logfile of HijackThis v1.99.0 Scan saved at 11:22:32, on 07.02.2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS1990.EXE C:\WINDOWS\SYSTEM\STIMON.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knuddels.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\MESSENGER\YCOMP.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\MESSENGER\YCOMP.DLL O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min O4 - HKLM\..\Run: [rfagent] C:\PROGRAMME\RFA\rfagent.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAMME\YAHOO!\MESSENGER\YPAGER.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll O12 - Plugin for .a<a>sx: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll O12 - Plugin for .m1v: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://www.lycos.de/ O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab30149.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab |
09.02.2005, 19:48 | #4 |
| Hijack-log: Habe Trojaner/Startpage.qr !! @DiRuKu update doch bitte dein IE wechsle in den abgesicherten modus und fixe mit HJT R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure neu booten. chaosman
__________________ Bonus vir semper tiro |
Themen zu Hijack-log: Habe Trojaner/Startpage.qr !! |
.inf, bho, button, desktop, explorer, file missing, free, hijack, hijackthis, icq, internet, internet explorer, löschen, messenger, microsoft, object, programme, registry, rundll, rundll32.exe, software, start, sun java, system, temp, trojaner, windows, windows\temp, yahoo |