Search for... Pls Help!

davYd · 01.07.2004, 14:21

Hi Leute,

bin heute ausm Urlaub gekomm und hab auf einmal immer wenn ich den IE öffne son komisches Pop-Up und da is so ne "Search for..." - Site.

Hab mir mal die threads weng durchgeschaut - hab eScan laufen lassen und HJT:

eScan:

Zitat:

File C:\WINNT\system32\comj.dll infected by Backdoor.Agent.ac
File C:\WINNT\system32\comj.dll infected by Backdoor.Agent.ac
File C:\WINNT\system32\d.exe infected by Trojan.Win32.StartPage.bb
File C:\WINNT\system32\d.exe infected by Trojan.Win32.StartPage.bb
File C:\WINNT\system32\notepad.exe.tmp infected by TrojanDropper.Win32.Small.hx
File C:\WINNT\system32\notepad.exe.tmp infected by TrojanDropper.Win32.Small.hx
File C:\WINNT\_MSRSTRT.EXE infected by not-a-virus:Tool.Win32.Reboot
File C:\baton.chm infected by Trojan.Win32.Dialer.by
File C:\baton.chm infected by Trojan.Win32.Dialer.by
File C:\Dokumente und Einstellungen\Administrator\SetHomepage.exe infected by Trojan.Win32.StartPage.ee
File C:\Dokumente und Einstellungen\Administrator\SetHomepage.exe infected by Trojan.Win32.StartPage.ee
File C:\Programme\AVPersonal\INFECTED\OK.CLASS-50C4EC1F-3EFFCC88.CLASS.VIR infected by Trojan.Java.Nocheat
File C:\Programme\AVPersonal\INFECTED\OK.CLASS-50C4EC1F-3EFFCC88.CLASS.VIR infected by Trojan.Java.Nocheat
File C:\Programme\AVPersonal\INFECTED\qttasks.VIR infected by TrojanClicker.Win32.Small.d
File C:\Programme\AVPersonal\INFECTED\qttasks.VIR infected by TrojanClicker.Win32.Small.d
File C:\Programme\Gamers.Interactive\Gamers.IRC\add-on\minigames\sheep\esheep.exe infected by not-a-virus:Simulator.Win16.Sheep
File C:\Programme\Gamers.Interactive\Gamers.IRC\backup\mirc.exe infected by not-a-virus:RiskWare.mIRC.6.01
File C:\Programme\Gamers.Interactive\Gamers.IRC\mirc.exe infected by not-a-virus:RiskWare.mIRC.6.03

HJT:

Zitat:

Logfile of HijackThis v1.97.7
Scan saved at 15:19:10, on 01.07.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Aston\aston.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\NetLimiter\NetLimiter.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\David\Desktop\DeeEnEs.exe
C:\Programme\Opera\Opera.exe
C:\WINNT\explorer.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\David\[ .security ]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F0 - system.ini: Shell=C:\PROGRA~1\Aston\aston.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\mschlc.dll
O2 - BHO: (no name) - {A603B6F1-DAAA-4C40-A0EB-0AAE66C2AB87} - C:\WINNT\system32\jhaal.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Programme\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [DeeEnEs] C:\Dokumente und Einstellungen\Administrator\Desktop\David\Desktop\DeeEnEs.exe
O4 - Global Startup: DeeEnEs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: LEO Dictionary - C:\WINNT\Web\DE_EN.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O9 - Extra button: Add bid (HKCU)
O9 - Extra 'Tools' menuitem: Add bid (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/206d88b1b95627c...dxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.102.242.16/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...867.5303587963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29E7CD70-56DB-4F6F-B59F-0E07ADA77AAD}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D341787B-DE46-4B64-8F18-4A0DA92B9F88}: NameServer = 217.237.151.97 194.25.2.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{29E7CD70-56DB-4F6F-B59F-0E07ADA77AAD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{29E7CD70-56DB-4F6F-B59F-0E07ADA77AAD}: NameServer = 192.168.0.1

IE: 6.0.2800.1106
Win: 2k

Falls ihr noch was braucht bitte sagts - thx

davYd

Lutz · 01.07.2004, 14:32

Hallo,

Lasse eScan bitte noch mal im abgesicherten Modus laufen!

Fixe anschließend

Zitat:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1} - C:\WINNT\mschlc.dll
O2 - BHO: (no name) - {A603B6F1-DAAA-4C40-A0EB-0AAE66C2AB87} - C:\WINNT\system32\jhaal.dll

und
alle O16-Einträge, die Du nicht eindeutig zuordnen kannst

Boote anschließend im normalen Modus und erstelle ein neues Log.

davYd · 01.07.2004, 14:49

Danke für die schnelle Antwort - alles gemacht wie gesagt und alles geht wieder...

Ganz großes THX an dich und euch - ihr seid spitze.

davYd

Search for... Pls Help!

Log-Analyse und Auswertung: Search for... Pls Help!