Hallo zusammen,
ich habe seit gestern einen heftigen permanenetn upload von ca. 200kb.
scan mit antivir, spybot und adaware 8alle in der neusten version) haben nichts gebracht. leider bin ich zu planlos um meine logs selber zu lesen. wäre also für eure hilfe sehr dankbar!

gruß
nordisch

Logfile of HijackThis v1.98.0
Scan saved at 20:36:35, on 14.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\Mixer.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programme\T-DSL SpeedManager\SpeedMgr.exe
C:\WINDOWS\System32\WinSound.exe
C:\WINDOWS\System32\winupdate32.exe
C:\WINDOWS\System32\winsound1.exe
C:\WINDOWS\System32\AntiVirus.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programme\T-DSL SpeedManager\tsmsvc.exe
C:\WINDOWS\System32\WinSound.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\swankk\Desktop\frank\tools\HiJackThis_Last.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\Programme\T-DSL SpeedManager\SpeedMgr.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Sound] WinSound.exe
O4 - HKLM\..\Run: [Microsoft Update Win32] winupdate32.exe
O4 - HKLM\..\Run: [Win32 USB2 service] winsound1.exe
O4 - HKLM\..\Run: [Microsoft Update] AntiVirus.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [Windows Sound] WinSound.exe
O4 - HKLM\..\RunServices: [Microsoft Update Win32] winupdate32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 service] winsound1.exe
O4 - HKLM\..\RunServices: [Microsoft Update] AntiVirus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - HKCU\..\Run: [Windows Sound] WinSound.exe
O4 - HKCU\..\Run: [Microsoft Update Win32] winupdate32.exe
O4 - HKCU\..\Run: [Microsoft Update] AntiVirus.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.1.41.137/activex/AxisCamControl.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.alfa-romeo.de/obs/include...e/MSSurVid.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC633C72-CD26-4FF7-AC3A-BA2EF49BB3E0}: NameServer = 213.191.92.86 213.191.74.19

Du hast ne wahrscheinlich einiges an Malware auf deinem System.
Scanne mal hiermit im abgesicherten Modus: http://www.trojaner-board.de/showthread.php?t=6083

Welche Malware wurde gefunden?

Erstelle nach dem Scan ein neues HijackThis-Log und poste es.

@nordisch
zusätzlich
lade doch mal den HJT in der neuesten version 1.98.2 , update bitte dein XP und IE.


chaosman

moin,
das hats wirklich gebracht. der pc war ja so richtig verseucht. das komische , es is eigentlich der rechner meiner freundin (hab da also kein schweinkram mit gemacht!)
Ich glaub ich muß mal ihre surfgewohnheiten überprüfen!

vielen dank auf jeden fall für die schnelle und kompetente hilfe!!!


gruß
nordisch

hier nochmal alles was er gefunden hat:

File C:\WINDOWS\System32\winupdate32.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\winsound1.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\WinSound.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\AntiVirus.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\Akdmam32.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\Ankcbgob.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\phqghu.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\TFTP2804 infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\tmp1.com infected by "Worm.Win32.Wilab.b" Virus. Action Taken: File Deleted.
File C:\anaalor.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\swankk\Lokale Einstellungen\Temp\nshC67.tmp\msbb.exe infected by "not-a-virus:AdvWare.180solutions" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\swankk\Lokale Einstellungen\Temp\nshC67.tmp\new_net.exe infected by "not-a-virus:AdvWare.NewDotNet" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\swankk\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\IT8765ID\versteckt[2].htm infected by "Trojan.JS.NoClose.c" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\swankk\Lokale Einstellungen\Temp\Temporary Internet Files\Content.IE5\KDE7SHE3\versteckt[1].htm infected by "Trojan.JS.NoClose.c" Virus. Action Taken: File Deleted.
File C:\Programme\AVPersonal\INFECTED\syscfg32.VIR infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: File Renamed.
File C:\Programme\AVPersonal\INFECTED\syscfg32.VIR00 infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: File Renamed.
File C:\Programme\AVPersonal\INFECTED\syscfg32.VIR01 infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: File Renamed.
File C:\Programme\AVPersonal\INFECTED\syscfg32.VIR02 infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0027756.dll infected by "not-a-virus:AdvWare.NewDotNet" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028779.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028781.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028785.com infected by "Worm.Win32.Wilab.b" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028903.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028905.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028930.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028932.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028939.exe infected by "Worm.Win32.Padobot.m" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028940.dll infected by "Backdoor.Padodor.v" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028941.exe infected by "Worm.Win32.Padobot.m" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028943.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028944.dll infected by "Backdoor.Padodor.v" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028954.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028958.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028962.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028963.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP278\A0028964.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0028998.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0028999.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029025.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029026.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029027.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029028.exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029029.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029030.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029031.exe infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{965DD0CB-C8C5-4D94-ACC7-5074EDB6399E}\RP279\A0029032.com infected by "Worm.Win32.Wilab.b" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4DUBWPUV\kk[1].gif infected by "TrojanSpy.Win32.Qukart.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\H5UVG56J\warez[3].exe infected by "Backdoor.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\SPYN0HU3\xfk[1].exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File C:\xfkors.exe infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: File Deleted.
File E:\pic\HAC2\MOV\DIVX502BUNDLE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Du solltest das System neu aufsetzen, bei dir waren/sind Backdoorprogramme aktiv, die weitreichende Manipulation von Außen erlauben.

http://oschad.de/wiki/index.php/Kompromittierung


Lektüre:

http://www.mathematik.uni-marburg.de...ompromise.html
http://www.mathematik.uni-marburg.de...c-removal.html
http://faq.underflow.de/