|
Log-Analyse und Auswertung: hijack ? ja oder neinWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
09.11.2005, 21:42 | #1 |
| hijack ? ja oder nein hallo Leute, hab hier ein HiJack Logfile und möchte die Fachleute mal bitten sich das kurz an zu schauen, der Desktop Hintergrund ist schwarz und mit einer roten Vieren Warnmeldung versehen, beim anklicken der Hintergrund Eigenschaften bekommt man nur Eigenschaften eines html.´s gezeigt, hab schon mit AdAware u Spybot nach gesehen, Spybot zeigt einen Smitfraud_C Virus an, hab auch schon im abgesichterten versucht den runter zu kriegen, 0 Chance...hab auch einige Einträge aus der Reg entfernt auch ne menge unter Zone Maps....habt Ihr die Lösung für mich ? Logfile of HijackThis v1.99.1 Scan saved at 21:24:46, on 09.11.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Programme\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\Dokumente und Einstellungen\cc\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://w*w.t-online.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O20 - Winlogon Notify: style32 - C:\WINDOWS\q886164.dll O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Gruß novedas |
09.11.2005, 21:45 | #2 |
| hijack ? ja oder nein Dann arbeite mal folgendes ab:
__________________http://www.trojaner-board.de/showthread.php?t=21709 BTW:Ist der Log im normalen Modus erstellt worden?
__________________ |
09.11.2005, 21:45 | #3 |
| hijack ? ja oder nein @novedas
__________________Poste mal dein komplette Log von normaler Modus Gruss Exoert |
09.11.2005, 22:52 | #4 | |
| hijack ? ja oder neinZitat:
|
09.11.2005, 23:11 | #5 |
| hijack ? ja oder nein Bin gerade die Schritt für Schritt Anleitung am durchgehen und mit E-Scan am scannen, hat schon 11 Verdächtige gefunden |
10.11.2005, 21:34 | #6 |
| hijack ? ja oder nein So, hier nun die 3 kompl. Logfiles im Normal Mod, die ich nach den Scan´s lt Anleitung wie hier in meinem Threat beschrieben durchgeführt habe. E-scan hat immer noch 8 gefunden, nun müßen die nur noch irgendwie runter,AdAware u Spybot haben nichts mehr gefunden(neuster Stand) die Logs: Logfile of HijackThis v1.99.1 Scan saved at 21:03:07, on 10.11.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programme\Spyware Doctor\swdoctor.exe C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Dokumente und Einstellungen\cc\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://w*w.t-online.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O20 - Winlogon Notify: style32 - C:\WINDOWS\q886164.dll O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe 2: [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:05:172 :ModuleName = C:\Bases_X\mwavscan.com [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:05:182 :Registry Key Deleted Properly!!! [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:08:707 :Options Set by External applications mwavscan.com are 9896960 (0x970400): [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:08:707 :Mode :PACKED,ARCHIVED,CA,WARNINGS,MAILPLAIN [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:08:707 :TimeOut : ffffffff [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:08:707 :Priority : NORMAL [msvLclnt.dll] [0x00000560] 09/11/2005 23:01:44:799 :VirusCount = 158608 Latest Date = 2005/11/07 [msvLclnt.dll] [0x000005c8] 09/11/2005 23:03:09:521 :[00000001] File C:\WINDOWS\q886164.dll infected by Trojan-Downloader.Win32.Delf.h [msvLclnt.dll] [0x000005c8] 09/11/2005 23:03:32:484 :[00000001] File C:\WINDOWS\system32\wininet.dll infected by Virus.Win32.Nsag.a [msvLclnt.dll] [0x000005c8] 09/11/2005 23:03:48:286 :[00000001] File C:\WINDOWS\q886164.dll infected by Trojan-Downloader.Win32.Delf.h [msvLclnt.dll] [0x000005c8] 09/11/2005 23:17:07:175 :[00000001] File C:\Programme\B5APPZ\0004\0004.exe infected by not-a-virus:Server-FTP.Win32.BulletProof.230 [msvLclnt.dll] [0x000005c8] 09/11/2005 23:34:44:846 :[00000001] File C:\Programme\B5APPZ\0048\setup.exe infected by not-a-virus:Client-IRC.Win32.mIRC.612 [msvLclnt.dll] [0x000005c8] 09/11/2005 23:36:05:782 :[00000001] File C:\Programme\B5APPZ\0061\CrackSearcher.exe infected by HackTool.Win32.CrackSearch.a [msvLclnt.dll] [0x000005c8] 09/11/2005 23:47:58:687 :[00000001] File C:\RECYCLER\S-1-5-21-1060284298-789336058-839522115-1003\Dc231.so infected by Trojan.Win32.Small.ev [msvLclnt.dll] [0x000005c8] 09/11/2005 23:47:58:978 :[00000001] File C:\RECYCLER\S-1-5-21-1060284298-789336058-839522115-1003\Dc232.so infected by Trojan-Downloader.Win32.Small.bqx [msvLclnt.dll] [0x000005c8] 09/11/2005 23:55:23:317 :[00000001] File C:\System Volume Information\_restore{4CB4962E-A602-4FC3-9E2D-BA722A073AFA}\RP1\A0001244.exe infected by not-a-virus:RemoteAdmin.Win32.WinVNC-based.h [msvLclnt.dll] [0x000005c8] 10/11/2005 00:07:34:578 :[00000001] File C:\WINDOWS\popuper.exe infected by Trojan.Win32.Puper.bi [msvLclnt.dll] [0x000005c8] 10/11/2005 00:15:34:839 :[00000001] File C:\WINDOWS\system32\hhk.dll infected by Trojan.Win32.Puper.bh [msvLclnt.dll] [0x000005c8] 10/11/2005 00:15:43:551 :[00000001] File C:\WINDOWS\system32\intell32.exe infected by Trojan-Downloader.Win32.Small.vu [msvLclnt.dll] [0x000005c8] 10/11/2005 00:15:43:882 :[00000001] File C:\WINDOWS\system32\intmon.exe infected by Trojan.Win32.Puper.bh [msvLclnt.dll] [0x000005c8] 10/11/2005 00:16:21:286 :[00000001] File C:\WINDOWS\system32\msole32.exe infected by not-virus:Hoax.Win32.Renos.q [msvLclnt.dll] [0x000005c8] 10/11/2005 00:16:43:558 :[00000001] File C:\WINDOWS\system32\ole32vbs.exe infected by Trojan.Win32.Favadd.aj [msvLclnt.dll] [0x000005c8] 10/11/2005 00:16:44:289 :[00000001] File C:\WINDOWS\system32\oleext.dll infected by Trojan.Win32.Promoter.c [msvLclnt.dll] [0x000005c8] 10/11/2005 00:16:44:449 :[00000001] File C:\WINDOWS\system32\oleext32.dll infected by Virus.Win32.Nsag.b [msvLclnt.dll] [0x000005c8] 10/11/2005 00:17:03:566 :[00000001] File C:\WINDOWS\system32\prflbmsgp32.dll infected by Trojan-Downloader.Win32.Delf.yb [msvLclnt.dll] [0x000005c8] 10/11/2005 00:17:05:369 :[00000001] File C:\WINDOWS\system32\psexec.exe infected by not-a-virus:RiskTool.Win32.PsExec.153 [msvLclnt.dll] [0x000005c8] 10/11/2005 00:17:05:950 :[00000001] File C:\WINDOWS\system32\pskill.exe infected by not-a-virus:RiskTool.Win32.PsKill.e [msvLclnt.dll] [0x000005c8] 10/11/2005 00:17:26:740 :[00000001] File C:\WINDOWS\system32\shnlog.exe infected by Trojan.Win32.Puper.bh [msvLclnt.dll] [0x000005c8] 10/11/2005 00:18:23:171 :[00000001] File C:\WINDOWS\system32\wininet.dll infected by Virus.Win32.Nsag.a [msvLclnt.dll] [0x000005c8] 10/11/2005 00:20:07:501 :[00000001] File D:\Tools\Virus\hijackthis NEU\backups\backup-20051108-203754-449.dll infected by Trojan-Downloader.Win32.Delf.yb [msvLclnt.dll] [0x000005c8] 10/11/2005 00:23:12:417 :VirusCount = 158608 Latest Date = 2005/11/07 [msvLclnt.dll] [0x00000560] 10/11/2005 01:42:00:516 :VirusCount = 158608 Latest Date = 2005/11/07 [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:53:186 :ModuleName = C:\Bases_X\mwavscan.com [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:53:197 :Registry Key Deleted Properly!!! [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:58:765 :Options Set by External applications mwavscan.com are 9896960 (0x970400): [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:58:775 :Mode :PACKED,ARCHIVED,CA,WARNINGS,MAILPLAIN [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:58:775 :TimeOut : ffffffff [msvLclnt.dll] [0x000007c8] 10/11/2005 19:16:58:775 :Priority : NORMAL [msvLclnt.dll] [0x000007c8] 10/11/2005 19:17:00:006 :VirusCount = 159192 Latest Date = 2005/11/10 [msvLclnt.dll] [0x000000e4] 10/11/2005 19:17:57:449 :[00000001] File C:\WINDOWS\q886164.dll infected by Trojan-Downloader.Win32.Delf.h [msvLclnt.dll] [0x000000e4] 10/11/2005 19:18:23:426 :[00000001] File C:\WINDOWS\q886164.dll infected by Trojan-Downloader.Win32.Delf.h [msvLclnt.dll] [0x000000e4] 10/11/2005 19:29:59:427 :[00000001] File C:\Programme\B5APPZ\0004\0004.exe infected by not-a-virus:Server-FTP.Win32.BulletProof.230 [msvLclnt.dll] [0x000000e4] 10/11/2005 19:47:51:919 :[00000001] File C:\Programme\B5APPZ\0048\setup.exe infected by not-a-virus:Client-IRC.Win32.mIRC.612 [msvLclnt.dll] [0x000000e4] 10/11/2005 19:49:13:557 :[00000001] File C:\Programme\B5APPZ\0061\CrackSearcher.exe infected by HackTool.Win32.CrackSearch.a [msvLclnt.dll] [0x000000e4] 10/11/2005 20:08:01:679 :[00000001] File C:\System Volume Information\_restore{4CB4962E-A602-4FC3-9E2D-BA722A073AFA}\RP1\A0001244.exe infected by not-a-virus:RemoteAdmin.Win32.WinVNC-based.h [msvLclnt.dll] [0x000000e4] 10/11/2005 20:29:47:757 :[00000001] File C:\WINDOWS\system32\oleext32.dll infected by Virus.Win32.Nsag.b [msvLclnt.dll] [0x000000e4] 10/11/2005 20:30:07:655 :[00000001] File C:\WINDOWS\system32\prflbmsgp32.dll infected by Trojan-Downloader.Win32.Delf.yb [msvLclnt.dll] [0x000000e4] 10/11/2005 20:30:09:578 :[00000001] File C:\WINDOWS\system32\psexec.exe infected by not-a-virus:RiskTool.Win32.PsExec.153 [msvLclnt.dll] [0x000000e4] 10/11/2005 20:30:10:099 :[00000001] File C:\WINDOWS\system32\pskill.exe infected by not-a-virus:RiskTool.Win32.PsKill.e [msvLclnt.dll] [0x000000e4] 10/11/2005 20:31:28:782 :[00000001] File C:\WINDOWS\system32\wininet.old infected by Virus.Win32.Nsag.a [msvLclnt.dll] [0x000000e4] 10/11/2005 20:33:15:155 :[00000001] File D:\Tools\Virus\hijackthis NEU\backups\backup-20051108-203754-449.dll infected by Trojan-Downloader.Win32.Delf.yb [msvLclnt.dll] [0x000000e4] 10/11/2005 20:36:47:070 :VirusCount = 159192 Latest Date = 2005/11/10 [msvLclnt.dll] [0x000007c8] 10/11/2005 20:57:20:173 :VirusCount = 159192 Latest Date = 2005/11/10 3: smitRem © log file version 2.7 by noahdfear Microsoft Windows XP [Version 5.1.2600] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ checking for ShudderLTD key ShudderLTD key not present! checking for PSGuard.com key PSGuard.com key present! Running LTDFix/PSGuard.com fix! PSGuard.com key was successfully removed! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Existing Pre-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ shopping ~~~ system32 folder ~~~ intell32.exe oleext.dll wp.bmp ole32vbs.exe msole32.exe shnlog.exe intmon.exe hhk.dll logfiles ~~~ Icons in System32 ~~~ ts.ico ot.ico ~~~ Windows directory ~~~ sites.ini popuper.exe ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remaining Post-run Files ~~~ Program Files ~~~ ~~~ Shortcuts ~~~ ~~~ Favorites ~~~ ~~~ system32 folder ~~~ ~~~ Icons in System32 ~~~ ~~~ Windows directory ~~~ ~~~ Drive root ~~~ ~~~ Miscellaneous Files/folders ~~~ ~~~ Wininet.dll ~~~ wininet.dll INFECTED!! Starting replacement procedure. ~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~ ~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~ ~~~~ Checking dllcache\wininet.dll for infection ~~~~ ~~~~ dllcache\wininet.dll Clean! ~~~~ ~~~ Replaced wininet.dll from dllcache ~~~ ~~~ Upon reboot ~~~ wininet.old present! oleadm.dll not present! oleext.dll not present! ~~~ Upon completion ~~~ wininet.old not present! oleadm.dll not present! oleext.dll not present! ~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~ ~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~ so, das war alles (hat ja auch lang genug gedauert) ich hoffe IHR könnt mir helfen den Restmüll noch zu entsorgen |
10.11.2005, 21:37 | #7 |
/// Helfer-Team | hijack ? ja oder nein Und wo ist das mit der find.bat erzeugte Ergebnis des esan.
__________________ LG Der Felix Keine Hilfe per PN und E-Mail |
10.11.2005, 21:48 | #8 | |
| hijack ? ja oder neinZitat:
Das HiJack Logfile hab ich doch beachtet und mit *** editiert Gruß novedas |
10.11.2005, 21:52 | #9 |
| hijack ? ja oder nein XXX hab das MWAV.LOG übersehen, da ist ja noch eins, kann ich das hier überhaupt posten ? das hat 5,71 MB ? |
10.11.2005, 21:57 | #10 |
/// Helfer-Team | hijack ? ja oder nein
__________________ LG Der Felix Keine Hilfe per PN und E-Mail |
10.11.2005, 22:12 | #11 |
| hijack ? ja oder nein O.K. hat geklappt, sieht mit 9 kb schon besser aus. Log: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "infected" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wed Nov 09 23:03:31 2005 => File C:\WINDOWS\q886164.dll infected by "Trojan-Downloader.Win32.Delf.h" Virus! Action Taken: No Action Taken. Wed Nov 09 23:03:32 2005 => File C:\WINDOWS\system32\wininet.dll infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken. Wed Nov 09 23:03:48 2005 => File C:\WINDOWS\q886164.dll infected by "Trojan-Downloader.Win32.Delf.h" Virus! Action Taken: No Action Taken. Wed Nov 09 23:04:24 2005 => System found infected with popuper Spyware/Adware (popuper.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:24 2005 => System found infected with smitfraud Spyware/Adware (sites.ini)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with smitfraud Spyware/Adware (intmon.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with smitfraud Spyware/Adware (msole32.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with smitfraud Spyware/Adware (ole32vbs.exe)! Action taken: No Action Taken. Wed Nov 09 23:04:25 2005 => System found infected with smitfraud Spyware/Adware (shnlog.exe)! Action taken: No Action Taken. Wed Nov 09 23:36:05 2005 => File C:\Programme\B5APPZ\0061\CrackSearcher.exe infected by "HackTool.Win32.CrackSearch.a" Virus! Action Taken: No Action Taken. Wed Nov 09 23:47:58 2005 => File C:\RECYCLER\S-1-5-21-1060284298-789336058-839522115-1003\Dc231.so infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken. Wed Nov 09 23:47:58 2005 => File C:\RECYCLER\S-1-5-21-1060284298-789336058-839522115-1003\Dc232.so infected by "Trojan-Downloader.Win32.Small.bqx" Virus! Action Taken: No Action Taken. Thu Nov 10 00:07:34 2005 => File C:\WINDOWS\popuper.exe infected by "Trojan.Win32.Puper.bi" Virus! Action Taken: No Action Taken. Thu Nov 10 00:15:34 2005 => File C:\WINDOWS\system32\hhk.dll infected by "Trojan.Win32.Puper.bh" Virus! Action Taken: No Action Taken. Thu Nov 10 00:15:43 2005 => File C:\WINDOWS\system32\intell32.exe infected by "Trojan-Downloader.Win32.Small.vu" Virus! Action Taken: No Action Taken. Thu Nov 10 00:15:43 2005 => File C:\WINDOWS\system32\intmon.exe infected by "Trojan.Win32.Puper.bh" Virus! Action Taken: No Action Taken. Thu Nov 10 00:16:21 2005 => File C:\WINDOWS\system32\msole32.exe infected by "not-virus:Hoax.Win32.Renos.q" Virus! Action Taken: No Action Taken. Thu Nov 10 00:16:43 2005 => File C:\WINDOWS\system32\ole32vbs.exe infected by "Trojan.Win32.Favadd.aj" Virus! Action Taken: No Action Taken. Thu Nov 10 00:16:44 2005 => File C:\WINDOWS\system32\oleext.dll infected by "Trojan.Win32.Promoter.c" Virus! Action Taken: No Action Taken. Thu Nov 10 00:16:44 2005 => File C:\WINDOWS\system32\oleext32.dll infected by "Virus.Win32.Nsag.b" Virus! Action Taken: No Action Taken. Thu Nov 10 00:17:03 2005 => File C:\WINDOWS\system32\prflbmsgp32.dll infected by "Trojan-Downloader.Win32.Delf.yb" Virus! Action Taken: No Action Taken. Thu Nov 10 00:17:26 2005 => File C:\WINDOWS\system32\shnlog.exe infected by "Trojan.Win32.Puper.bh" Virus! Action Taken: No Action Taken. Thu Nov 10 00:18:23 2005 => File C:\WINDOWS\system32\wininet.dll infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken. Thu Nov 10 00:20:07 2005 => File D:\Tools\Virus\hijackthis NEU\backups\backup-20051108-203754-449.dll infected by "Trojan-Downloader.Win32.Delf.yb" Virus! Action Taken: No Action Taken. Thu Nov 10 00:23:12 2005 => Total Disinfected Files: 0 Thu Nov 10 19:18:05 2005 => File C:\WINDOWS\q886164.dll infected by "Trojan-Downloader.Win32.Delf.h" Virus! Action Taken: No Action Taken. Thu Nov 10 19:18:23 2005 => File C:\WINDOWS\q886164.dll infected by "Trojan-Downloader.Win32.Delf.h" Virus! Action Taken: No Action Taken. Thu Nov 10 19:18:53 2005 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken. Thu Nov 10 19:18:53 2005 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken. Thu Nov 10 19:49:13 2005 => File C:\Programme\B5APPZ\0061\CrackSearcher.exe infected by "HackTool.Win32.CrackSearch.a" Virus! Action Taken: No Action Taken. Thu Nov 10 20:29:47 2005 => File C:\WINDOWS\system32\oleext32.dll infected by "Virus.Win32.Nsag.b" Virus! Action Taken: No Action Taken. Thu Nov 10 20:30:07 2005 => File C:\WINDOWS\system32\prflbmsgp32.dll infected by "Trojan-Downloader.Win32.Delf.yb" Virus! Action Taken: No Action Taken. Thu Nov 10 20:31:28 2005 => File C:\WINDOWS\system32\wininet.old infected by "Virus.Win32.Nsag.a" Virus! Action Taken: No Action Taken. Thu Nov 10 20:33:15 2005 => File D:\Tools\Virus\hijackthis NEU\backups\backup-20051108-203754-449.dll infected by "Trojan-Downloader.Win32.Delf.yb" Virus! Action Taken: No Action Taken. Thu Nov 10 20:36:46 2005 => Total Disinfected Files: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "tagged" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wed Nov 09 23:17:07 2005 => File C:\Programme\B5APPZ\0004\0004.exe tagged as not-a-virus:Server-FTP.Win32.BulletProof.230. No Action Taken. Wed Nov 09 23:34:44 2005 => File C:\Programme\B5APPZ\0048\setup.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.612. No Action Taken. Wed Nov 09 23:55:23 2005 => File C:\System Volume Information\_restore{4CB4962E-A602-4FC3-9E2D-BA722A073AFA}\RP1\A0001244.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.h. No Action Taken. Thu Nov 10 00:17:05 2005 => File C:\WINDOWS\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken. Thu Nov 10 00:17:05 2005 => File C:\WINDOWS\system32\pskill.exe tagged as not-a-virus:RiskTool.Win32.PsKill.e. No Action Taken. Thu Nov 10 19:29:59 2005 => File C:\Programme\B5APPZ\0004\0004.exe tagged as not-a-virus:Server-FTP.Win32.BulletProof.230. No Action Taken. Thu Nov 10 19:47:51 2005 => File C:\Programme\B5APPZ\0048\setup.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.612. No Action Taken. Thu Nov 10 20:08:01 2005 => File C:\System Volume Information\_restore{4CB4962E-A602-4FC3-9E2D-BA722A073AFA}\RP1\A0001244.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.h. No Action Taken. Thu Nov 10 20:30:09 2005 => File C:\WINDOWS\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken. Thu Nov 10 20:30:10 2005 => File C:\WINDOWS\system32\pskill.exe tagged as not-a-virus:RiskTool.Win32.PsKill.e. No Action Taken. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "offending" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wed Nov 09 23:04:24 2005 => Offending file found: C:\WINDOWS\popuper.exe Wed Nov 09 23:04:24 2005 => Offending file found: C:\WINDOWS\sites.ini Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\empty.exe Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\instsrv.exe Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\intmon.exe Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\msole32.exe Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\ole32vbs.exe Wed Nov 09 23:04:25 2005 => Offending file found: C:\WINDOWS\system32\shnlog.exe Thu Nov 10 19:18:53 2005 => Offending file found: C:\WINDOWS\system32\empty.exe Thu Nov 10 19:18:53 2005 => Offending file found: C:\WINDOWS\system32\instsrv.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thu Nov 10 00:23:12 2005 => Total Virus(es) Found: 31 Thu Nov 10 20:36:46 2005 => Total Virus(es) Found: 14 Thu Nov 10 00:23:12 2005 => Total Errors: 385 Thu Nov 10 20:36:46 2005 => Total Errors: 344 Thu Nov 10 00:23:12 2005 => Time Elapsed: 01:19:15 Thu Nov 10 20:36:47 2005 => Time Elapsed: 01:18:06 Thu Nov 10 00:23:12 2005 => Total Objects Scanned: 43225 Thu Nov 10 20:36:46 2005 => Total Objects Scanned: 41999 Wed Nov 09 23:01:44 2005 => Virus Database Date: 2005/11/07 Thu Nov 10 00:23:12 2005 => Virus Database Date: 2005/11/07 Thu Nov 10 01:42:00 2005 => Virus Database Date: 2005/11/07 Thu Nov 10 19:17:00 2005 => Virus Database Date: 2005/11/10 Thu Nov 10 20:36:47 2005 => Virus Database Date: 2005/11/10 Thu Nov 10 20:57:20 2005 => Virus Database Date: 2005/11/10 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ © Haui ;-) ~~~~~~~ ~~~~~~~ Dank an Cidre ~~~~~~~ hoffe ich bin jetzt durch ??? |
10.11.2005, 23:51 | #12 |
| hijack ? ja oder nein Kann jetzt einer mit den Log´s was anfangen oder immer noch nicht ? Wäre echt klasse ne Antwort darauf zu bekommen ! |
11.11.2005, 16:19 | #13 |
/// Helfer-Team | hijack ? ja oder nein Nein, weil Du den escan mehrmals ausgeführt hast. Es ist damit nicht ersichtlich, was momentan noch vorhanden ist. Lösche im Verzeichnis c:\bases_x die Datei mwav.log. Update escan nochmals. Danach führe den escan entsprechend der Anleitung nochmals aus. Poste dann des mit der find.bat erzeugte Log.
__________________ LG Der Felix Keine Hilfe per PN und E-Mail |
Themen zu hijack ? ja oder nein |
adobe, adobe reader, bho, browser, confused, ctfmon.exe, desktop, einstellungen, explorer, fraud, hijack, hijack logfile, hijackthis, hintergrund, internet, internet explorer, logfile, microsoft, monitor, programme, smitfraud, software, spyware, spyware doctor, system, system32, träge, virus, windows, windows xp |