Log analysis and evaluation: Can't get rid of the about:blank hijacker: could you please check my HJT log?
23.12.2005, 18:09 | #1 |
Logfile of HijackThis v1.99.1
Scan saved at 17:43:31, on 23.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mfcai.exe
C:\WINDOWS\winbl32.exe
C:\Program Files\AVPersonalPremium\AVWUPSRV.EXE
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\SvcTools\1.3.1\bin\lnchr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\TEMP\WGD894.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Daemon Tools\daemon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\SvcTools\1.3.1\bin\lnchr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\DOCUME~1\bdrothen\LOCALS~1\Temp\20.tmp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\***\Desktop\Viren\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\owzti.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Program Files\WinSweep\ws.js
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {52BF7431-38AF-F288-81A9-E5DD23CF1ECF} - C:\WINDOWS\system32\netbi.dll
O2 - BHO: Class - {91F2320F-2CDC-8D34-BE50-5910E44FC8F4} - C:\WINDOWS\system32\sysal32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {D6D035D0-A506-A6E1-D7C2-A97C44056448} - C:\WINDOWS\system32\apimv32.dll
O2 - BHO: Class - {E13A31A0-7CFD-0459-0AD2-0E8AE6563D00} - C:\WINDOWS\system32\addgq.dll
O2 - BHO: Class - {EE2A819A-7B6D-3396-6030-52CEC509153A} - C:\WINDOWS\addgf32.dll
O3 - Toolbar: &WINSWEEP Toolbar - {E915E62E-41DA-40D0-8106-3438B4D24394} - C:\Program Files\WinSweep\SurfBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Enterra Icon Keeper] "C:\Program Files\Enterra\Icon Keeper\IcnKeepr.exe" ssp /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\PROGRA~1\DAEMON~1\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SMA1.3.1] c:\SvcTools\1.3.1\bin\lnchr.exe --context=user --control-dir=c:\SvcTools\1.3.1\ctrl
O4 - HKLM\..\Run: [NAVNet] "C:\Documents and Settings\bdrothen\Start Menu\Programs\Startup\ms.exe" /m
O4 - HKLM\..\Run: [3C.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3C.tmp.exe
O4 - HKLM\..\Run: [3D.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3D.tmp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [3C.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3C.tmp.exe
O4 - HKLM\..\Run: [3D.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3D.tmp.exe
O4 - HKLM\..\Run: [16.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\16.tmp.exe
O4 - HKLM\..\Run: [16.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\16.tmp.exe
O4 - HKLM\..\Run: [22.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\22.tmp.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [20.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [32.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [22.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\22.tmp.exe
O4 - HKLM\..\Run: [20.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\20.tmp.exe
O4 - HKLM\..\Run: [32.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\32.tmp.exe
O4 - HKLM\..\Run: [sdkrd.exe] C:\WINDOWS\system32\sdkrd.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\bdrothen\LOCALS~1\Temp\E.tmp.exe
O4 - HKLM\..\Run: [netfb32.exe] C:\WINDOWS\netfb32.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [winbl32.exe] C:\WINDOWS\winbl32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es
O15 - Trusted Zone: *.everdream.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {226906C8-B911-11D5-82A3-0000F81A655B} (DreamFactory Control) - https://www.dreamfactory.com/codebase/dfacactx.cab
O16 - DPF: {4B2829E9-2545-4775-A9DC-5AF38B054486} - https://na1.salesforce.com/setup/sforce/office/SForceOffice.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135264132437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135265638765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB883AA5-F28E-462B-B2D7-8E3717FE933C} - https://na1.salesforce.com/setup/sforce/vm/SFCom.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.salesforce.com
O17 - HKLM\Software\..\Telephony: DomainName = internal.salesforce.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.salesforce.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.salesforce.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\mfcai.exe
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - C:\Program Files\AVPersonalPremium\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonalPremium\AVWUPSRV.EXE
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Everdream VNC Server (EverdreamVNC) - Unknown owner - C:\SvcTools\VNC\WinVncEv.exe" -service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Software Management Agent 1.3.1 (SMA1.3.1) - Everdream - c:\SvcTools\1.3.1\bin\lnchr.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
23.12.2005, 18:50 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™

Doesn't look so good...

> C:\WINDOWS\system32\mfcai.exe
> C:\WINDOWS\winbl32.exe
> C:\WINDOWS\TEMP\WGD894.EXE

Looks like active network worms. Please have these files checked at Jotti and post the results here.

> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\owzti.dll/sp.html#53142%
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Program Files\WinSweep\ws.js
> R3 - Default URLSearchHook is missing

These appear to be, among other things, entries belonging to the hijacker. Please also have the file C:\Program Files\WinSweep\ws.js checked at Jotti.

And... oh dear... as I read on, I see you have a whole collection of malware on your PC (*.tmp.exe and the like). A cleanup would be inappropriate here:

> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3C.tmp.exe
> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\3D.tmp.exe
> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\16.tmp.exe
> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\22.tmp.exe
> C:\Program Files\WinHound\WinHound.exe
> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\20.tmp.exe
> C:\DOCUME~1\bdrothen\LOCALS~1\Temp\32.tmp.exe
> C:\WINDOWS\system32\sdkrd.exe
> C:\WINDOWS\netfb32.exe

There are certainly some backdoors among them that you cannot possibly remove with a cleanup. You can have those files checked at Jotti as well. Could it be that you browse a lot with IE?
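The triage done by eye in the reply above, as an added example (not part of the original thread and not part of HijackThis): a small Python parser for HijackThis-style lines that flags the same kinds of entries. The heuristics, the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format; paths are illustrative.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\example1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\example.dll/sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\Program Files\Example\ws.js
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [3C.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\3C.tmp.exe
O8 - Extra context menu item: Example - res://C:\Program Files\Example\bar.dll/menu.html
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")          # e.g. "R1 - ...", "O4 - ..."
TEMP_EXE = re.compile(r"\\temp\\|\.tmp\.exe", re.I)  # temp dir or *.tmp.exe name

def classify(section, body):
    """Return a reason string if the entry matches a heuristic, else None."""
    if section in ("R0", "R1"):
        value = body.rsplit(" = ", 1)[-1].lower()
        if value.startswith("res://"):
            return "IE setting points at a resource inside a local DLL"
        if "autoconfigurl" in body.lower() and value.startswith("file://"):
            return "proxy auto-config script loaded from local disk"
    if section in ("proc", "O4") and TEMP_EXE.search(body):
        return "executable running or autostarting from a temp directory"

def triage(log_text):
    """Parse a HijackThis log and return (section, line, reason) findings."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False
            section, body = match.groups()
        elif in_processes:
            section, body = "proc", line      # bare path in the process list
        else:
            continue                          # version/platform header lines
        reason = classify(section, body)
        if reason:
            findings.append((section, line, reason))
    return findings

if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

The `res://` rule is applied only to R0/R1 lines, because O8 context-menu entries from legitimate toolbars use `res://` as well.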
24.12.2005, 11:30 | #3 |
Hello,

well, I'd say the safest thing would be to set up your system from scratch as described in my signature... it's the simplest and above all the safest option.. regards