Log analysis and evaluation: Mein hijack log

If you have picked up a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so our experts can evaluate them. Before viruses and Trojans can be removed, the infected system has to be examined first: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
02.09.2005, 11:46 | #16
Mein hijack log

Hello,

the file hclean32.exe is not in the registry location given. I have not run eScan on the machine yet, but I have run findt, Silent Runners, Kaspersky and Panda. Should I take care of these files with KillBox?

c:\winnt\system32\laodcrt32.exe
c:\sorava.chm
c:\winnt\system32\csgpv.exe

file.txt from findt:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Silent Runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NAV Agent" = "d:\NAV200~1\navapw32.exe" ["Symantec Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"0190 Warner" = "D:\0190WA~1\WARN0190.EXE" ["Mirko Böer"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"D-Link Air USB Utility" = "d:\Programme\D-Link\Air USB Utility\AirCFG.exe" ["D-Link"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\Packer\WinRar 3.3.0\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Office_XP_install\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\Office_XP_install\Office10\msohev.dll" [MS]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
  -> {CLSID}\InProcServer32\(Default) = "D:\Brennprogramme\Clone CD 4.2.0.2\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! nwprovau\DLLName = "nwprovau.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\ewido\security suite\context.dll" ["ewido networks"]
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "d:\NAV 2002\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Packer\WinRar 3.3.0\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\ewido\security suite\context.dll" ["ewido networks"]
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Packer\WinRar 3.3.0\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FileWiperContextMenuExtension\(Default) = "{B6BF4AAE-3AB0-4691-9119-2E6C13D38EFD}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Programme\TweakPower\FileWiper.dll" ["Kurt Zimmermann"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "d:\NAV 2002\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "D:\Packer\WinRar 3.3.0\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"NumPlus" -> shortcut to: "D:\DICAD\strauti\numplus.exe" [null data]
"RICOH Gate L" -> shortcut to: "D:\Programme\Caplio RR30\RGateL.exe" [empty string]

Enabled Scheduled Tasks:
------------------------

"Critical Battery Alarm Program" -> WARNING -- The file "Critical Battery Alarm Program.job" is corrupt! (no executable)
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "d:\NAV 2002\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "d:\NAV 2002\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Client Service für NetWare, NWCWorkstation, "C:\WINNT\system32\services.exe" [MS]
COM+-Ereignissystem, EventSystem, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\es.dll" [null data]}
ewido security suite control, ewido security suite control, "D:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, "d:\NAV 2002\navapsvc.exe" ["Symantec Corporation"]
WZCBDL Service, WZCBDLService, "C:\Programme\WZCBDL Service\WZCBDLS.exe" ["D-Link"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 53 seconds, including 18 seconds for message boxes)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 00:34:33
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/09/2005
Kaspersky Anti-Virus database records: 137874
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINNT
d:\Temp\

Scan Statistics:
Total number of scanned objects: 7764
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 842 sec

Infected Object Name - Virus Name
C:\WINNT\system32\csgpv.exe Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

Panda:

Incident Status Location
Spyware:spyware/wareout No disinfected C:\WINNT\SYSTEM32\loadctr32.exe
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Adware:adware/sbsoft No disinfected Windows Registry
Dialer:Dialer.NQ No disinfected C:\sorava.chm[on-line.exe]
Virus:Exploit/CodeBase.S No disinfected C:\sorava.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\sorava.chm[htm2chm_explorer]
Virus:Trj/DelCache.A Disinfected C:\WINNT\system32\csgpv.exe
02.09.2005, 12:19 | #17
Mein hijack log

Hello @frank48465

Go into the registry: Start --> Run --> regedit

Delete:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ

• KillBox http://bilder.informationsarchiv.net...ls/KillBox.zip
Instructions (with screenshots): http://nikita.eddys-domain.de/killbox.html

• Tick "Delete File on Reboot" and click the red cross. When asked "Do you want to reboot?" click "no" and paste in the next path; click "yes" only for the last one:
C:\WINNT\system32\csgpv.exe
C:\sorava.chm
C:\winnt\system32\hclean32.exe
C:\winnt\system32\logo_big.exe
C:\WINNT\SYSTEM32\loadctr32.exe

Restart the PC.

Then scan with McAfee FreeScan and BitDefender online: http://nikita.eddys-domain.de/onlinescan.html
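An added example, not part of this thread and not any scanner's own tooling: a short Python script that reads the Panda and Kaspersky hits from post #16 and produces the two lists post #17 asks for (file paths for KillBox, keys for regedit). It also reports planned deletions that no scanner backed, which is how a transposed path such as the laodcrt32.exe in post #16 against the loadctr32.exe Panda reported is caught before anything is deleted, and it pulls out the domains that the flagged ZoneMap\Domains keys assign to an Internet Explorer security zone. The sample lines are copied from post #16 (the garbled "Dialerialer.NQ" read as "Dialer:Dialer.NQ"); the regular expressions are assumptions about how those two reports lay out a hit, not a documented format, so check them against a fresh report before relying on them.

```python
"""Turn Panda / Kaspersky report lines into a KillBox file list and a regedit
key list, and cross-check planned deletions against what was actually flagged.

Added example; not from the forum thread or from any scanner vendor. The
SAMPLE_* strings are copied from post #16; the regexes are assumptions about
those two report layouts.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Panda: "<Kind>:<name> <status> <location>"; status is "Disinfected" or
# "No disinfected"; location is a registry key or a file path, the latter
# optionally with an inner [member] for archives and CHM files.
PANDA_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+(?P<loc>.+?)\s*$"
)
MEMBER_RE = re.compile(r"^(?P<path>.+?)(?:\[(?P<member>[^\]]+)\])?$")
# Kaspersky on-line scanner: "<path> Infected: <name>"
KASP_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")
ZONEMAP_RE = re.compile(r"\\zonemap\\domains\\(?P<domain>[^\\]+)$")

# Sample input copied from post #16 ("Dialerialer.NQ" read as "Dialer:Dialer.NQ").
SAMPLE_PANDA = """\
Spyware:spyware/wareout No disinfected C:\\WINNT\\SYSTEM32\\loadctr32.exe
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\\DOMAINS\\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\\DOMAINS\\SGRUNT.BIZ
Adware:adware/sbsoft No disinfected Windows Registry
Dialer:Dialer.NQ No disinfected C:\\sorava.chm[on-line.exe]
Virus:Exploit/CodeBase.S No disinfected C:\\sorava.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\\sorava.chm[htm2chm_explorer]
Virus:Trj/DelCache.A Disinfected C:\\WINNT\\system32\\csgpv.exe
"""
SAMPLE_KASPERSKY = """\
C:\\WINNT\\system32\\csgpv.exe Infected: Trojan-Dropper.Win32.Vidro.u
"""


@dataclass
class Hit:
    scanner: str
    name: str                     # detection name as the scanner printed it
    location: str                 # file path or registry key, as printed
    member: Optional[str] = None  # inner object of an archive/CHM, if any
    disinfected: bool = False


@dataclass
class Indicators:
    files: dict = field(default_factory=dict)       # lower-cased path -> entry
    registry: dict = field(default_factory=dict)    # lower-cased key  -> entry
    unresolved: list = field(default_factory=list)  # hits without a usable location


def parse_panda(text: str) -> list:
    hits = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        loc, member = m.group("loc"), None
        if not loc.upper().startswith("HKEY_") and loc != "Windows Registry":
            lm = MEMBER_RE.match(loc)
            loc, member = lm.group("path"), lm.group("member")
        hits.append(Hit("panda", m.group("name"), loc, member,
                        m.group("status") == "Disinfected"))
    return hits


def parse_kaspersky(text: str) -> list:
    return [Hit("kaspersky", m.group("name"), m.group("path"))
            for m in (KASP_RE.match(l.strip()) for l in text.splitlines()) if m]


def collect(hits) -> Indicators:
    """Merge hits from all scanners, keyed case-insensitively (Windows paths and
    registry keys are), keeping the spelling that was printed first."""
    ind = Indicators()
    for h in hits:
        if h.location == "Windows Registry":  # Panda names no key here
            ind.unresolved.append(h.name)
            continue
        bucket = ind.registry if h.location.upper().startswith("HKEY_") else ind.files
        entry = bucket.setdefault(h.location.lower(),
                                  {"printed": h.location, "names": set(), "scanners": set()})
        entry["names"].add(h.name)
        entry["scanners"].add(h.scanner)
    return ind


def killbox_list(ind: Indicators) -> list:
    """File paths to paste into KillBox's 'Delete File on Reboot', one at a time."""
    return [ind.files[k]["printed"] for k in sorted(ind.files)]


def regedit_list(ind: Indicators) -> list:
    """Registry keys to delete by hand in regedit."""
    return [ind.registry[k]["printed"] for k in sorted(ind.registry)]


def zone_map_domains(ind: Indicators) -> list:
    """Domains given an explicit Internet Explorer zone assignment through a
    ZoneMap\\Domains key; Panda attributes the two in the sample to dialers."""
    found = (ZONEMAP_RE.search(k) for k in ind.registry)
    return sorted(m.group("domain").upper() for m in found if m)


def unverified_deletions(planned, ind: Indicators) -> list:
    """Planned deletions that no scanner flagged. A transposed letter in a path
    (laodcrt32 vs loadctr32) would point KillBox at a file that does not exist
    and leave the real one behind; this catches that before the reboot."""
    return [p for p in planned if p.lower() not in ind.files]


if __name__ == "__main__":
    ind = collect(parse_panda(SAMPLE_PANDA) + parse_kaspersky(SAMPLE_KASPERSKY))
    print("KillBox:", *killbox_list(ind), sep="\n  ")
    print("regedit:", *regedit_list(ind), sep="\n  ")
    print("ZoneMap domains:", zone_map_domains(ind))
    print("not backed by any report:", unverified_deletions(
        [r"c:\winnt\system32\laodcrt32.exe", r"c:\sorava.chm"], ind))
```

Paths are compared lower-cased because NTFS and the registry are case-insensitive, so the same file reported as SYSTEM32 by one scanner and system32 by another collapses to one KillBox entry; a hit Panda already marked "Disinfected" is kept on the list because Kaspersky still found the same file infected.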
02.09.2005, 19:08 | #18
Mein hijack log

Perfect,

no more virus warnings, the machine runs like on day one. Many thanks for the enormous help. I did everything as described; McAfee FreeScan ran through without error messages, only BitDefender unfortunately would not start (2 error messages: 1. "Error while updating from server, File: bdinit.xe, please retry", 2. "failed to execute live update. A file cannot be created when that file already exists"). I hope that is not a problem. Thanks again, especially to Sabina.

Frank48465