Log analysis and evaluation: Various Trojans: eScan & HJT logs posted

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system first has to be examined: see "First steps to getting help". Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
03.10.2005, 18:15 | #1

Various Trojans: eScan & HJT logs posted

Hello everyone,

1. Great service that is offered here :aplaus:
2. Completely new here; any rule violations are due to ignorance
3. My problems: Trojan Dropper Win32.Vidro.u and Vidro.x as well as Win32.qhost.df
4. My eScan log

infected
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\etulq96n\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\j3lxj3py\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\p45olmph\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\qdxncb4s\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\etulq96n\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\j3lxj3py\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\p45olmph\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\qdxncb4s\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.
Mon Oct 03 16:48:02 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Mon Oct 03 16:48:02 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
--------------------------------
tagged
Mon Oct 03 16:47:23 2005 => File C:\WINDOWS\System32\ycnvi.dll tagged as "not-a-virus:AdWare.Win32.SBSoft.h". Action Taken: No Action Taken.
Mon Oct 03 16:49:52 2005 => File C:\WINDOWS\system32\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Win32.Msnagent.b". Action Taken: No Action Taken.
Mon Oct 03 16:50:10 2005 => File C:\WINDOWS\system32\rdsndin.exe tagged as "not-a-virus:AdWare.Win32.FindSpy.a". Action Taken: No Action Taken.
Mon Oct 03 17:51:38 2005 => File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Win32.Msnagent.b". Action Taken: No Action Taken.
Mon Oct 03 17:52:11 2005 => File C:\WINDOWS\SYSTEM32\rdsndin.exe tagged as "not-a-virus:AdWare.Win32.FindSpy.a". Action Taken: No Action Taken.
--------------------------------
summary
Mon Oct 03 17:53:31 2005 => ***** Scanning complete. *****
Mon Oct 03 17:53:31 2005 => Total Objects Scanned: 70176
Mon Oct 03 17:53:31 2005 => Total Virus(es) Found: 29
Mon Oct 03 17:53:31 2005 => Total Disinfected Files: 0
Mon Oct 03 17:53:31 2005 => Total Files Renamed: 0
Mon Oct 03 17:53:31 2005 => Total Deleted Objects: 0
Mon Oct 03 17:53:31 2005 => Total Errors: 226
Mon Oct 03 17:53:31 2005 => Time Elapsed: 01:06:29
Mon Oct 03 17:53:31 2005 => Virus Database Date: 2005/09/27
Mon Oct 03 17:53:31 2005 => Virus Database Count: 151405
Mon Oct 03 17:53:31 2005 => Scan Completed.
--------------------------------------------------------------------------
03.10.2005, 18:19 | #2

Continued:

5. My HJT log

Logfile of HijackThis v1.99.1
Scan saved at 18:09:21, on 03.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = h**p://www.euro.dell.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O18 - Protocol: bw+0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--------------------------------------------------------------------------

6. Many thanks for your help, input and instructions.

Cheers
Joyful
03.10.2005, 19:07 | #3

@joyful

Download ClearProg, tick all the boxes for IE and Windows, delete.
Download Ad-Aware and update it. Update Spybot.
Download LSPFix.

Switch to Safe Mode and scan with Spybot and Ad-Aware.

Then fix the following with HJT:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
all O18 entries

Then delete manually:
C:\WINDOWS\System32\ycnvi.dll
runload32.exe
slamm.exe
C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\system32\rdsndin.exe

Run LSPFix if your internet connection no longer works. Guide: http://www.bleepingcomputer.com/forums/topic3272.html

Run a new eScan.

chaosman
03.10.2005, 22:24 | #4

Second scan, HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 23:13:43, on 03.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Interapple\5 Clicks\Spider.exe
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = h**p://www.euro.dell.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/w...?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - http://web1.photocolor.net/ActiveX/P...orUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/sig...ogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\****\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\****\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

The IP addresses (marked in bold in the log): should I know them?

Thanks and regards
Joyful

Edited by joyful (03.10.2005 at 22:30)
03.10.2005, 22:25 | #5 |
Diverse Trojaner: eScan- & HJT-Logs posted

Chaosman, many thanks, that was quick! By the way, my eScan log from the "19:15 posting" was incomplete... sorry. Here are my comments on the individual steps, in red:

switch to safe mode, scan with Spybot and Ad-Aware.
Spybot = clean; Ad-Aware results = adware.toolband, coolwebsearch, alexa => all removed

then fix with HJT:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
all O18 entries
all entries fixed

then delete manually:
C:\WINDOWS\System32\ycnvi.dll
file no longer present
slamm.exe
registry entry no longer present
runload32.exe
registry entry no longer present
C:\WINDOWS\system32\ntfsnlpa.exe
deleted manually
runload32.exe
C:\WINDOWS\system32\rdsndin.exe
deleted manually
runload32.exe

run LSP-Fix if your internet doesn't work; instructions: h**p://www.bleepingcomputer.com/forums/topic3272.html

run a new eScan
chaosman

new eScan log (second scan):

infected
Mon Oct 03 21:46:50 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Mon Oct 03 21:46:50 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Mon Oct 03 21:46:50 2005 => Indexed Spyware Databases Successfully Created...
Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.
Mon Oct 03 21:53:42 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Mon Oct 03 21:53:43 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Mon Oct 03 21:54:18 2005 => File C:\WINDOWS\system32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Mon Oct 03 21:54:26 2005 => File C:\WINDOWS\system32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Mon Oct 03 21:54:36 2005 => File C:\WINDOWS\system32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:02:26 2005 => File C:\WINDOWS\SYSTEM32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:02:48 2005 => File C:\WINDOWS\SYSTEM32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:03:11 2005 => File C:\WINDOWS\SYSTEM32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
--------------------------------
tagged
none
--------------------------------
summary
Mon Oct 03 23:05:55 2005 => Total Objects Scanned: 70087
Mon Oct 03 23:05:55 2005 => Total Virus(es) Found: 12
Mon Oct 03 23:05:55 2005 => Total Disinfected Files: 0
Mon Oct 03 23:05:55 2005 => Total Files Renamed: 0
Mon Oct 03 23:05:55 2005 => Total Deleted Objects: 0
Mon Oct 03 23:05:55 2005 => Total Errors: 227
Mon Oct 03 23:05:55 2005 => Time Elapsed: 01:19:46
Mon Oct 03 23:05:55 2005 => Virus Database Date: 2005/09/27
Mon Oct 03 23:05:55 2005 => Virus Database Count: 151405
Mon Oct 03 23:05:56 2005 => Scan Completed.
--------------------------------------------------------------------------

Many thanks & good night!
Joyful
04.10.2005, 13:33 | #6 |
Qhost.df, Vidro.u, Vidro.x: please check eScan & HJT logs

Hello everyone

Is there still hope for me and my box? It smells strongly of a reinstall, although I really hate the idea.

Thanks for the feedback
Joyful

***********************************

Here is the third eScan log (this time with admin rights).

infected
Tue Oct 04 13:04:39 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Tue Oct 04 13:04:39 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Tue Oct 04 13:04:39 2005 => Indexed Spyware Databases Successfully Created...
Tue Oct 04 13:04:44 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\clocksync !!!
Tue Oct 04 13:04:46 2005 => Object "clocksync Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\weathercast !!!
Tue Oct 04 13:04:46 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenu !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenusearch !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\clocksync !!!
Tue Oct 04 13:04:46 2005 => Object "clocksync Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\weathercast !!!
Tue Oct 04 13:04:46 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenu !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenusearch !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Oct 04 13:04:47 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Tue Oct 04 13:04:47 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.
Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.
Tue Oct 04 13:04:51 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Tue Oct 04 13:04:51 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Tue Oct 04 13:05:27 2005 => File C:\WINDOWS\system32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Tue Oct 04 13:05:34 2005 => File C:\WINDOWS\system32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Tue Oct 04 13:05:44 2005 => File C:\WINDOWS\system32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
Tue Oct 04 14:09:16 2005 => File C:\WINDOWS\SYSTEM32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Tue Oct 04 14:09:38 2005 => File C:\WINDOWS\SYSTEM32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Tue Oct 04 14:10:02 2005 => File C:\WINDOWS\SYSTEM32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
-------------------------------
tagged
none
--------------------------------
summary
Tue Oct 04 14:12:54 2005 => ***** Scanning complete. *****
Tue Oct 04 14:12:54 2005 => Total Objects Scanned: 69251
Tue Oct 04 14:12:54 2005 => Total Virus(es) Found: 21
Tue Oct 04 14:12:54 2005 => Total Disinfected Files: 0
Tue Oct 04 14:12:54 2005 => Total Files Renamed: 0
Tue Oct 04 14:12:54 2005 => Total Deleted Objects: 0
Tue Oct 04 14:12:54 2005 => Total Errors: 262
Tue Oct 04 14:12:54 2005 => Time Elapsed: 01:10:53
Tue Oct 04 14:12:54 2005 => Virus Database Date: 2005/09/27
Tue Oct 04 14:12:54 2005 => Virus Database Count: 151405
Tue Oct 04 14:12:54 2005 => Scan Completed.
--------------------------------------------------------------------------

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 14:28:56, on 04.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - h**p://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - h**p://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - edit) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\edit\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\edit\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure h**p Server (fsh**ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsh**ps\fsh**ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
04.10.2005, 22:06 | #7 | ||
Qhost.df, Vidro.u, Vidro.x - infected and active?

I've done some reading, but I still need a bit of help, namely with the following questions:

1a) How do I tell whether a trojan has already been active and the system is therefore compromised? Am I right in assuming that this should be visible in the HJT log?

1b) If the suspicion under 1a) is confirmed, explanations for points 2ff) are probably moot and it's back to the start, i.e. to h**p://tinyurl.com/8xwze

2) eScan identifies three *.oxe files as infected. If these were renamed by the antivirus program, they can of course be deleted; but do additional registry entries need to be modified? How? Google, F-Secure, McAfee & Co. are no help here.

3) How come

Quote:
Quote:

Last edited by joyful (04.10.2005 at 22:09). Reason: misquoted
04.10.2005, 22:35 | #8 |
Diverse Trojaner: eScan- & HJT-Logs posted

Hello,

well, in the classic sense your computer is probably not compromised; that term is really used more for backdoor infections, when third parties had/have access to your computer, and that doesn't appear to be the case with you. But I think you have some pretty stubborn ad/spyware on board; let's see whether I can help you with that, I'll give it a try.

Re 2.) Yes, you should delete all of them; whether further registry entries need to be edited I can't see right now.

Then go into the registry with Start >> Run, Regedit, and delete the registry entries listed by eScan (HKCU = HKEY_CURRENT_USER):

Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\clocksync !!!
. . . .

Then, in safe mode (F8 while booting), delete the following files:
C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
cfd.exe (search for it)

Then it's best to run Ewido over it once more and post a new eScan log (delete MWAV.LOG first) and a HijackThis log.

Regards
Wildone
04.10.2005, 23:52 | #9 | ||
Diverse Trojaner: eScan- & HJT-Logs posted

well done Wildone, and at this late hour too; a virtual after-work beer is hereby on me. The result below looks good so far. Many thanks! Joyful

Quote:
Quote:
Process File: cfd or cfd.exe
Process Name: Motive Client Foundation
Description: cfd.exe is a process belonging to a trouble-shooting software from Motive Communications. It enables your broadband provider to offer easy installation and ongoing services to your computer.

Comment: I approved that once when I set up hispeed internet, so it's a reliable source and data protection is (effectively) guaranteed.

Finally, the current logs:

Ad-Aware: clean

Ewido log: SBSoft was cleaned! 4 cookie.falkag were cleaned

eScan log: posting follows tomorrow

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 00:24:05, on 05.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido\security suite\SecuritySuite.exe
C:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = H**P://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = H**P://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = H**P://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - H**P://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - H**P://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - H**P://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - H**P://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - H**P://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - H**P://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure H**P Server (fsH**Ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsH**Ps\fsH**Ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
05.10.2005, 00:06 | #10 |
Diverse Trojaner: eScan- & HJT-Logs posted

Hello,

run this remover on your machine, and then create a new HijackThis log.

Regards
wildone
05.10.2005, 01:30 | #11 | |
Remover usage

Morning all,

Quote:

- Which is the random key that needs fixing, if there is one?
- Where/how can I reset the DNS server setting?
- Where can I look up my permanent IP address offline?

Also, the following keys belong to the WareOut spyware. Should I delete them with "regedit"?
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe

Thanks and regards!
Joyful
05.10.2005, 09:18 | #12 |
Diverse Trojaner: eScan- & HJT-Logs posted

Me again...

Okay, I was able to sort out the IP lookup: Run, command.com, ipconfig/all

Remover
The DNS server entry is identical to the O17 in the HJT log. I know neither my original IP addresses nor how I can find that out.
=> Worked through the remover instructions up to and including step 5.

WareOut Registry Value:
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
=> Delete the keys? Files no longer present, possibly deleted by Ad-Aware, Ewido or similar.
05.10.2005, 09:38 | #13 |
| Various Trojans: eScan & HJT logs posted
Hello, forget steps six and seven; neither the random keys nor the DNS changes are present on your system, you only need to run the tool. If the keys are still there, fix them with HijackThis, preferably in Safe Mode. Post a new log, this time created in normal mode.
[EDIT] I just noticed that I overlooked the O17 entries in your log. You should fix all of those as well; since you do not go online through a network, you have no "own" DNS entry either, so no problem. [/EDIT]
Regards, Wildone
Last edited by Wildone (05.10.2005 at 09:49) |
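The two kinds of entries the helper asks the poster to fix in posts #12 and #13, HKCU Run entries that point at a bare file name (WareOut's _ctcp.exe, br0ken.exe, DCC_send.exe) and O17 DNS overrides, can be pulled out of a HijackThis log mechanically. The following Python script is an added example, not code from the thread or from HijackThis. Its sample lines are constructed from the entries quoted in this thread; the O17 line is invented for the demonstration, with a placeholder GUID and name servers from the TEST-NET-3 documentation range. It flags Run entries whose program carries no directory (such a name is resolved by PATH search, so the log gives no hint where the file actually lives) and lists every O17 entry for review, which is what the helper recommended for a machine that is not joined to a network.

```python
"""Triage HijackThis O4 / O17 / O23 log entries (added example, not the thread's own code)."""
import re

# Constructed sample modelled on the entries quoted in the thread.  The O17 line is
# invented: placeholder GUID, addresses from the TEST-NET-3 documentation range.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 203.0.113.10,203.0.113.11
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 DNS/domain overrides: "O17 - <key>: <Setting> = <value>"
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.*)$")
# O23 services: "O23 - Service: <display name> - <vendor> - <path>"
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def split_first(cmd):
    """Return (program, remainder) of a command line, honouring a double-quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def program_of(cmd):
    """The executable an O4 command line really runs; for rundll32 that is the DLL it loads."""
    prog, rest = split_first(cmd)
    if prog.lower() in ("rundll32.exe", "rundll32"):
        prog, _ = split_first(rest)
        prog = prog.split(",", 1)[0]      # strip the ",EntryPoint" suffix
    return prog


def has_directory(path):
    """True when the program is given with a directory or drive, not as a bare file name."""
    return any(sep in path for sep in ("\\", "/", ":"))


def triage(log_text):
    """Group the entries worth a second look; flagged items are review candidates, not verdicts."""
    result = {"run_without_path": [], "dns_overrides": [], "services": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RUN_RE.match(line)):
            prog = program_of(m["cmd"])
            if not has_directory(prog):
                result["run_without_path"].append((m["hive"], m["name"], prog))
        elif (m := DNS_RE.match(line)):
            result["dns_overrides"].append((m["setting"], m["value"]))
        elif (m := SVC_RE.match(line)):
            result["services"].append((m["name"], m["vendor"], m["path"]))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for hive, name, prog in report["run_without_path"]:
        print(f"review O4 {hive} [{name}] -> {prog!r} has no directory")
    for setting, value in report["dns_overrides"]:
        print(f"review O17 {setting} = {value}")
```

The bare-name heuristic also catches the legitimate Logitech entry in the sample, which is the point: a name without a directory tells you nothing on its own, so each hit still needs the file located and identified before it is fixed, exactly as the thread does with the WareOut entries.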
05.10.2005, 14:18 | #14 |
| Various Trojans: eScan & HJT logs posted
Hi Wildone
1. Remover => has been run
2. Keys incl. O17 => fixed with HijackThis
3. Scanned with Ad-aware, Spybot S&D, XoftSpy => clean
4. E-scan => still running, will be posted later
5. New HJT log created in normal mode => posted
Many thanks! Joyful
HJT-Log
Logfile of HijackThis v1.99.1
Scan saved at 14:55:08, on 05.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE
C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\cablecom hispeed security package\Common\FSM32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\traxex\TraXEx.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\FSGK32.EXE
C:\Programme\cablecom hispeed security package\Anti-Virus\fssm32.exe
C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
C:\Programme\cablecom hispeed security package\Common\FSMB32.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\cablecom hispeed security package\Common\FCH32.EXE
C:\Programme\cablecom hispeed security package\Common\FAMEH32.EXE
C:\Programme\cablecom hispeed security package\FSPC\fspc.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\fsav32.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
C:\Programme\cablecom hispeed security package\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - h**p://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - h**p://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure h**p Server (fsh**ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsh**ps\fsh**ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
e-scan log still running |
05.10.2005, 22:52 | #15 | |
| Various Trojans: eScan & HJT logs posted
And here is the e-scan log as well. Regarding Cydoor: Quote:
Otherwise my system should be clean again. Thanks for the feedback. Cheers Joy
------------------------------- infected -------------------------------
Wed Oct 05 00:49:08 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Wed Oct 05 00:49:08 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Wed Oct 05 00:49:08 2005 => Indexed Spyware Databases Successfully Created...
Wed Oct 05 00:49:10 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\weathercast !!!
Wed Oct 05 00:49:14 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenu !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenusearch !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\weathercast !!!
Wed Oct 05 00:49:14 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenu !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenusearch !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
------------------------------- tagged -------------------------------
none
------------------------------- summary -------------------------------
Wed Oct 05 17:01:22 2005 => ***** Scanning complete. *****
Wed Oct 05 17:01:22 2005 => Total Objects Scanned: 69499
Wed Oct 05 17:01:22 2005 => Total Virus(es) Found: 12
Wed Oct 05 17:01:22 2005 => Total Disinfected Files: 0
Wed Oct 05 17:01:22 2005 => Total Files Renamed: 0
Wed Oct 05 17:01:22 2005 => Total Deleted Objects: 0
Wed Oct 05 17:01:22 2005 => Total Errors: 258
Wed Oct 05 17:01:22 2005 => Time Elapsed: 01:10:42
Wed Oct 05 17:01:22 2005 => Virus Database Date: 2005/09/27
Wed Oct 05 17:01:22 2005 => Virus Database Count: 151405
Wed Oct 05 17:01:22 2005 => Scan Completed. |
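The eScan "infected" section above follows a fixed shape: an "Offending Key/file found" line names the full registry key or path, the next line names the signature that matched and the action taken, and the summary block at the end reports the total count. The following Python script is an added example, not code from the thread or from eScan. It pairs each offending line with the detection that follows it, counts detections per signature, lists everything that was only reported and not cleaned ("No Action Taken", which is every hit in the log above), and cross-checks its own count against the scanner's "Total Virus(es) Found" line. The sample is a constructed subset of the lines from post #15 with the summary count adjusted to match the subset (the full log reports 12).

```python
"""Summarise an eScan "infected" log section (added example, not the thread's or eScan's code)."""
import re
from collections import Counter

# Constructed sample: a subset of the lines from post #15; the summary count is
# adjusted to the subset (the full log in the post reports 12).
SAMPLE_LOG = r"""
Wed Oct 05 00:49:10 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\weathercast !!!
Wed Oct 05 00:49:14 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenu !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.
Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
Wed Oct 05 17:01:22 2005 => Total Virus(es) Found: 6
Wed Oct 05 17:01:22 2005 => Total Disinfected Files: 0
"""

# Every eScan line is "<weekday> <month> <day> <hh:mm:ss> <year> => <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<msg>.*)$")
OFFENDING_RE = re.compile(r"^Offending (?P<kind>Key|file) found: (?P<target>.*?)(?: !!!)?$")
OBJECT_RE = re.compile(r'^Object "(?P<name>.+?)" found in .*?! Action taken: (?P<action>.+?)\.?$', re.IGNORECASE)
INFECTED_RE = re.compile(r"^System found infected with (?P<name>.+?) \((?P<obj>[^)]+)\)! Action taken: (?P<action>.+?)\.?$", re.IGNORECASE)
TOTAL_RE = re.compile(r"^Total Virus\(es\) Found: (?P<n>\d+)$")


def parse_escan(log_text):
    """Return ([(signature, target, action), ...], reported_total)."""
    detections = []
    pending_target = None      # key or path from the preceding "Offending ... found" line
    reported_total = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if (o := OFFENDING_RE.match(msg)):
            pending_target = o["target"]
        elif (t := TOTAL_RE.match(msg)):
            reported_total = int(t["n"])
        elif (d := INFECTED_RE.match(msg)):
            obj = d["obj"]
            # Prefer the full path from the preceding line when its file name matches
            # the object named in parentheses; otherwise only the bare name is known.
            if pending_target and pending_target.lower().endswith(obj.lower()):
                target = pending_target
            else:
                target = obj
            detections.append((d["name"], target, d["action"]))
            pending_target = None
        elif (d := OBJECT_RE.match(msg)):
            # Registry hits carry no object name; the target is the key reported just before.
            detections.append((d["name"], pending_target or "(not stated)", d["action"]))
            pending_target = None
    return detections, reported_total


def summarize(log_text):
    """Per-signature counts, the items still untouched, and a consistency check on the total."""
    detections, reported_total = parse_escan(log_text)
    by_name = Counter(name for name, _, _ in detections)
    pending = [(name, target) for name, target, action in detections
               if action.lower() == "no action taken"]
    return {
        "by_name": dict(by_name),
        "pending": pending,
        "counted_total": len(detections),
        "reported_total": reported_total,
        "consistent": reported_total == len(detections),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, n in sorted(report["by_name"].items()):
        print(f"{n:3d}  {name}")
    print(f"{report['counted_total']} detections counted, scanner reports {report['reported_total']}")
    for name, target in report["pending"]:
        print(f"untouched: {name} -> {target}")
```

Running it on the full log from post #15 gives 12 detections, matching the scanner's own total; a mismatch would indicate a truncated paste or a line format the parser does not know. The "pending" list is the part worth acting on: with "No Action Taken" everywhere, the scan only reported and removed nothing, which is why the thread still has to clean the Cydoor files and WhenU keys by other means.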