@cidre und alle experten: bitte um hilfe (logfiles)!

cyberjack07 · 18.05.2005, 10:18

hallo zusammen,

da ich auf meinen eintrag von gestern selber geantwortet habe, sieht es so aus, als hätte ich schon ne antwort erhalten. da das leider nicht so ist, hier nochmal mein problem...gibt´s noch ne andere lösung als system aufsetzen?

***********
habe mir vor 2 tagen einen trojaner eingefangen, der sich vor allem durch folgendes bemerbar macht:

internet-verbindung wird gekappt, nachdem mcaffee eine virusscan-warnung rausgibt:

name:svchost2.exe
ordner: c:\windows
erkannt als: backdoor -cgz
anwendung: iexplore.exe

das ganze passiert bei jedem internet-start.

folgende analysen habe ich laufen lassen...bite sag mir jemand, was ich tun soll, oder ob eine windows-neuinstallation die einzige lösung ist:

1. ergebnisse bitdefender:

C:\WINDOWS\cmssx.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\cmssx.dll
Gelöscht

C:\WINDOWS\geffge.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\geffge.dll
Gelöscht

C:\WINDOWS\hgfrre.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\hgfrre.dll
Gelöscht

C:\WINDOWS\sddda.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\sddda.dll
Gelöscht

C:\WINDOWS\smssrs.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\smssrs.dll
Gelöscht

C:\WINDOWS\svchost.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\svchost.dll
Desinfektion fehlgeschlagen

C:\WINDOWS\svchost.dll
Löschung fehlgeschlagen

C:\WINDOWS\svchost.exe
Infiziert: Trojan.Agent.CL

C:\WINDOWS\svchost.exe
Gelöscht

C:\WINDOWS\uytlkk.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\uytlkk.dll
Gelöscht

C:\WINDOWS\wqgff.dll
Infiziert: Trojan.Agent.CL

C:\WINDOWS\wqgff.dll
Gelöscht

2.hijackthis (nach neustart)

Logfile of HijackThis v1.99.1
Scan saved at 21:56:36, on 17.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Nokia\Services\ServiceLayer.exe
C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclTray.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\Pico\AV Explorer\CamCtrl.Exe
C:\Dokumente und Einstellungen\14cheb\Eigene Dateien\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Programme\INSTAFINK\instafink.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\svchost.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - C:\Programme\GMX\GMX Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ServiceLayer] C:\Programme\Gemeinsame Dateien\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Nokia\Nokia PC Suite 5\DataLayer\Application\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: CamCtl.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan8/oscan8.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AMD PowerNow! (tm) Technology Service (GemServ) - Advanced Micro Devices - C:\Programme\AMD\PowerNow!\GemServ.exe
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

3. ergebnisse escan im abgesicherten modus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Tue May 17 23:26:58 2005 => File C:\WINDOWS\svchost.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:27:44 2005 => System found infected with AltnetBDE Spyware/Adware (adm4.adm4)! Action taken: No Action Taken.
Tue May 17 23:27:44 2005 => System found infected with AltnetBDE Spyware/Adware (adm25.adm25)! Action taken: No Action Taken.
Tue May 17 23:27:50 2005 => System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
Tue May 17 23:28:14 2005 => System found infected with AltnetBDE Spyware/Adware (altnet signing module.exe)! Action taken: No Action Taken.
Tue May 17 23:28:14 2005 => System found infected with AltnetBDE Spyware/Adware (adm.exe)! Action taken: No Action Taken.
Tue May 17 23:28:14 2005 => System found infected with AltnetBDE Spyware/Adware (adm25.dll)! Action taken: No Action Taken.
Tue May 17 23:28:16 2005 => System found infected with cws.smartsearch Spyware/Adware (C:\WINDOWS\svchost.exe)! Action taken: No Action Taken.
Tue May 17 23:28:56 2005 => File C:\WINDOWS\cmssx.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:29:00 2005 => File C:\WINDOWS\lsasss.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:29:03 2005 => File C:\WINDOWS\sddda.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:29:05 2005 => File C:\WINDOWS\smssrs.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:29:06 2005 => File C:\WINDOWS\svchost.exe infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 17 23:29:08 2005 => File C:\WINDOWS\uytlkk.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:04:31 2005 => File C:\WINDOWS\cmssx.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:06:27 2005 => File C:\WINDOWS\lsasss.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:07:13 2005 => File C:\WINDOWS\sddda.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:10:05 2005 => File C:\WINDOWS\smssrs.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:10:20 2005 => File C:\WINDOWS\svchost.exe infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:16:04 2005 => File C:\WINDOWS\uytlkk.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Wed May 18 00:17:31 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Tue May 17 23:26:57 2005 => File C:\Programme\INSTAFINK\instafink.dll tagged as "not-a-virus:AdWare.ToolBar.404Search.h". Action Taken: No Action Taken.
Tue May 17 23:31:51 2005 => File C:\DOKUME~1\14cheb\LOKALE~1\Temp\__unin__.exe tagged as "not-a-virus:AdWare.Altnet.g". Action Taken: No Action Taken.
Tue May 17 23:37:43 2005 => File C:\Dokumente und Einstellungen\14cheb\Eigene Dateien\Programme\overnet0.42.exe tagged as "not-a-virus:AdWare.ToolBar.Ucmore.a". Action Taken: No Action Taken.
Tue May 17 23:38:14 2005 => File C:\Dokumente und Einstellungen\14cheb\Eigene Dateien\virus\process viewer\pv.exe tagged as not-a-virus:RiskWare.PrcView.3724. No Action Taken.
Tue May 17 23:38:28 2005 => File C:\Dokumente und Einstellungen\14cheb\Lokale Einstellungen\Temp\__unin__.exe tagged as "not-a-virus:AdWare.Altnet.g". Action Taken: No Action Taken.
Tue May 17 23:45:01 2005 => File C:\Program Files\Altnet\Download Manager\asmps.dll tagged as "not-a-virus:AdWare.Altnet.b". Action Taken: No Action Taken.
Tue May 17 23:47:22 2005 => File C:\Programme\DivX\DivX Player 2.1\uninstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Tue May 17 23:48:44 2005 => File C:\Programme\INSTAFINK\InstaFinderK_inst.exe tagged as "not-a-virus:AdWare.ToolBar.404Search.h". Action Taken: No Action Taken.
Tue May 17 23:49:55 2005 => File C:\Programme\Kazaa\TopSearch.dll tagged as "not-a-virus:AdWare.Altnet.d". Action Taken: No Action Taken.
Tue May 17 23:51:52 2005 => File C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL tagged as "not-a-virus:AdWare.ToolBar.MyWay.m". Action Taken: No Action Taken.
Tue May 17 23:52:21 2005 => File C:\Programme\PerfectNav\BHO\PerfectNav150c.dll tagged as "not-a-virus:AdWare.Perfnav.a". Action Taken: No Action Taken.
Tue May 17 23:55:40 2005 => File C:\RECYCLER\S-1-5-21-4219374948-2363382051-3856832267-1005\Dc1.zip tagged as not-a-virus:RiskWare.PrcView.3724. No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\adm.exe tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\adm25.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\adm4.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\admdloader.dll tagged as "not-a-virus:AdWare.BrilliantDigital.3039". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\admfdi.dll tagged as "not-a-virus:AdWare.Altnet.j". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\admprog.dll tagged as "not-a-virus:AdWare.Altnet.a". Action Taken: No Action Taken.
Wed May 18 00:15:59 2005 => File C:\WINDOWS\Temp\Altnet\Setup.exe tagged as "not-a-virus:AdWare.Altnet.b". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Wed May 18 00:17:31 2005 => Total Virus(es) Found: 44
Wed May 18 00:17:31 2005 => Total Errors: 257
Wed May 18 00:17:31 2005 => Time Elapsed: 00:50:40
Wed May 18 00:17:31 2005 => Total Objects Scanned: 67194
Tue May 17 23:26:13 2005 => Virus Database Date: 2005/05/16
Wed May 18 00:17:31 2005 => Virus Database Date: 2005/05/16
Wed May 18 00:18:22 2005 => Virus Database Date: 2005/05/16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

vielen dank!!!

christian

@cidre und alle experten: bitte um hilfe (logfiles)!

Log-Analyse und Auswertung: @cidre und alle experten: bitte um hilfe (logfiles)!

@cidre und alle experten: bitte um hilfe (logfiles)!

Ähnliche Themen: @cidre und alle experten: bitte um hilfe (logfiles)!