Mit VIren verseucht

marcelisback · 21.03.2008, 18:09

hi leute was sagt ihr zu den rot-markierten einträgen ???

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:45:35, on 21.03.2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Programme\F-Secure Internet Security\fswsclds.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Mozilla Firefox\firefox.exe
E:\internetdownload\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = h**p://www.topsearcher.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://www.topsearcher.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://home.de.netscape.com/de/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www.couldnotfind.com/search_page.html?&account_id=132047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = h**p://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {FFFFFFA2-C40D-475D-8C91-9A9876ACFCDD} - C:\PROGRA~1\klickTel\klickTel Toolbar\kttoolbar.dll
O3 - Toolbar: Whazit Toolbar - {C9176930-9C9F-4cba-9723-0F58C3E7CED6} - C:\WINDOWS\RGJWOYFH.dll (file missing)
O3 - Toolbar: Systran40premi.IEPlugIn - {CFB25594-4D5F-11D6-AB7B-00B0D094B576} - K:\Programme\Systran\4_0\Premium\IEPlugIn.dll (file missing)
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Programme\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &klickTel Toolbar - {FFFF8BAD-BB43-4A08-8258-BFB40A29FBD7} - C:\PROGRA~1\klickTel\klickTel Toolbar\kttoolbar.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [netupdate32] netupdate32.exe
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunServices: [netupdate32] netupdate32.exe
O4 - HKCU\..\Run: [5-1-26-62] c:\windows\5-1-26-62.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [ITD7] "C:\Programme\Steganos Internet Trace Destructor 7\itd7.exe" -firstboot (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [ITD7] "C:\Programme\Steganos Internet Trace Destructor 7\itd7.exe" -firstboot (User '?')
O4 - HKUS\S-1-5-21-220523388-1580436667-1060284298-1003\..\Run: [5-1-26-62] c:\windows\5-1-26-62.exe -m (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [ITD7] "C:\Programme\Steganos Internet Trace Destructor 7\itd7.exe" -firstboot (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ITD7] "C:\Programme\Steganos Internet Trace Destructor 7\itd7.exe" -firstboot (User 'Default user')
O4 - Global Startup: Privoxy.lnk = C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_de_1.1.60-deleon.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_de_1.1.60-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_de_1.1.60-deleon.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_de_1.1.60-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_de_1.1.60-deleon.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Programme\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Programme\PRMT6\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - h**p://63.217.29.115/cax.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - h**p://www.0190-dialer.com/VLoading.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - h**p://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - h**p://www.xxxtoolbar.com/ist/softwares/v3.0/protect_regular.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - h**p://econnect.libereco.net/econnect.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - h**p://bins.whazit.com/cerials/downloader.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - h**p://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{048CCF64-F2B8-4CC1-9AEA-18473E6C4494}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BEB17C3-3ABC-44DB-93EE-24713870C68A}: NameServer = 192.168.10.1
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F} - C:\DOKUME~1\***\ANWEND~1\okllglthrthoo.dll (file missing)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GrooveSystemServices.dll
O18 - Protocol: haufereader - (no CLSID) - (no file)
O18 - Filter hijack: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O20 - Winlogon Notify: awtsr - C:\WINDOWS\system32\awtsr.dll (file missing)
O20 - Winlogon Notify: cbxxvvu - cbxxvvu.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown owner - C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\fswsclds.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: AVX Communicator (XCOMM) - Unknown owner - C:\WINDOWS\SYSTEM32\xcommsvr.exe (file missing)

--
End of file - 12968 bytes

myrtille · 21.03.2008, 19:47

Ich würd sagen: Reste einer Vundoinfektion und sehr wahrscheinlich Backdoor.

EDIT: Also das was du markiert hast sind nur Vundo und legitime Einträge. Im Log befinden sich aber auch einige Backdooreinträge.

lg myrtille

21.03.2008, 19:47	#2
myrtille /// TB-Ausbilder	Mit VIren verseucht Ich würd sagen: Reste einer Vundoinfektion und sehr wahrscheinlich Backdoor. EDIT: Also das was du markiert hast sind nur Vundo und legitime Einträge. Im Log befinden sich aber auch einige Backdooreinträge. lg myrtille __________________

Mit VIren verseucht

Log-Analyse und Auswertung: Mit VIren verseucht

Mit VIren verseucht

Mit VIren verseucht

Ähnliche Themen: Mit VIren verseucht