Log analysis and evaluation: Help please "HiJackThis + Netstat -ab" log (Windows 7)
15.07.2010, 09:42 | #1
Help please "HiJackThis + Netstat -ab" log

Hello dear Trojaner-Board community,

I have been looking into computer security for some time now. But I am not so sure about some things in my logs. Here, first of all, a "netstat -ab" log:

Code:
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Windows\system32>netstat -ab

Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            ************:0         ABHÖREN
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            ************:0         ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  TCP    0.0.0.0:990            ************:0         ABHÖREN
  WcesComm
 [svchost.exe]
  TCP    0.0.0.0:49152          ************:0         ABHÖREN
 [wininit.exe]
  TCP    0.0.0.0:49153          ************:0         ABHÖREN
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          ************:0         ABHÖREN
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          ************:0         ABHÖREN
 [lsass.exe]
  TCP    0.0.0.0:49166          ************:0         ABHÖREN
  PolicyAgent
 [svchost.exe]
  TCP    0.0.0.0:49167          ************:0         ABHÖREN
 [services.exe]
  TCP    1.2.96.108:49481       fx-in-f104:http        WARTEND
  TCP    1.2.96.108:49482       fx-in-f104:http        WARTEND
  TCP    1.2.96.108:49483       fx-in-f104:http        WARTEND
  TCP    1.2.96.108:49484       fx-in-f104:http        WARTEND
  TCP    1.2.96.108:49486       fx-in-f139:http        WARTEND
  TCP    1.2.96.108:49498       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49499       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49500       www:http               FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49508       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49528       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49529       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49530       mu-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    1.2.96.108:49556       fx-in-f165:http        WARTEND
  TCP    1.2.96.108:49559       fx-in-f154:http        WARTEND
  TCP    1.2.96.108:49560       fx-in-f154:http        WARTEND
  TCP    1.2.96.108:49561       fx-in-f154:http        WARTEND
  TCP    1.2.96.108:49582       fx-in-f138:http        FIN_WARTEN_1
 [System]
  TCP    127.0.0.1:5354         ************:0         ABHÖREN
 [mDNSResponder.exe]
  TCP    127.0.0.1:5679         ************:0         ABHÖREN
  WcesComm
 [svchost.exe]
  TCP    127.0.0.1:7438         ************:0         ABHÖREN
  WcesComm
 [svchost.exe]
  TCP    127.0.0.1:27015        ************:0         ABHÖREN
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49477        ************:49476     WARTEND
  TCP    169.254.10.244:139     ************:0         ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  TCP    ***.***.***.***:139    ************:0         ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  TCP    [::]:135               ************:0         ABHÖREN    // [::] ???
  RpcSs
 [svchost.exe]
  TCP    [::]:445               ************:0         ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  TCP    [::]:990               ************:0         ABHÖREN
  WcesComm
 [svchost.exe]
  TCP    [::]:49152             ************:0         ABHÖREN
 [wininit.exe]
  TCP    [::]:49153             ************:0         ABHÖREN
  Eventlog
 [svchost.exe]
  TCP    [::]:49154             ************:0         ABHÖREN
  Schedule
 [svchost.exe]
  TCP    [::]:49155             ************:0         ABHÖREN
 [lsass.exe]
  TCP    [::]:49166             ************:0         ABHÖREN
  PolicyAgent
 [svchost.exe]
  TCP    [::]:49167             ************:0         ABHÖREN
 [services.exe]
  TCP    [::1]:5679             ************:0         ABHÖREN
  WcesComm
 [svchost.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:427            *:*
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50617          *:*
 [spoolsv.exe]
  UDP    0.0.0.0:59035          *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:60477          *:*
 [mDNSResponder.exe]
  UDP    127.0.0.1:1900         *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:54216        *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:65287        *:*
 [ehRecvr.exe]
  UDP    169.254.10.244:137     *:*
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  UDP    169.254.10.244:138     *:*
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  UDP    169.254.10.244:427     *:*
  HPSLPSVC
 [svchost.exe]
  UDP    169.254.10.244:1900    *:*
  SSDPSRV
 [svchost.exe]
  UDP    169.254.10.244:5353    *:*
 [mDNSResponder.exe]
  UDP    169.254.10.244:54215   *:*
  SSDPSRV
 [svchost.exe]
  UDP    ***.***.***.***:137    *:*
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  UDP    ***.***.***.***:138    *:*
 Es konnten keine Besitzerinformationen ermittelt werden.
 x: Fehler bei der Windows Sockets-Initialisierung: 5
  UDP    ***.***.***.***:427    *:*
  HPSLPSVC
 [svchost.exe]
  UDP    ***.***.***.***:1900   *:*
  SSDPSRV
 [svchost.exe]
  UDP    ***.***.***.***:5353   *:*
 [mDNSResponder.exe]
  UDP    ***.***.***.***:54214  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:60478             *:*
 [mDNSResponder.exe]
  UDP    [::]:63818             *:*
  Dnscache
 [svchost.exe]
  UDP    [::1]:1900             *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:54212            *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:1900  *:*    // What does this mean? IPv6? How can one do an IP lookup on that? Is this normal?
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:54213  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::8ce8:151d:9958:31c4%8]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::8ce8:151d:9958:31c4%8]:54210  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:5353  *:*
 [mDNSResponder.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:54211  *:*
  SSDPSRV
 [svchost.exe]

C:\Windows\system32>

IP lookup:

- 1.2.96.108

Code:
OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   1.0.0.0 - 1.255.255.255
CIDR:       1.0.0.0/8
NetName:    APNIC-1
NetHandle:  NET-1-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or hxxp://wq.apnic.net/apnic-bin/whois.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to hxxp://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate:
Updated:    2010-01-27

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2010-07-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.

Deferred to specific whois server: whois.ripe.net...

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See hxxp://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

inetnum:        0.0.0.0 - 255.255.255.255
netname:        IANA-BLK
descr:          The whole IPv4 address space
country:        EU # Country is really world wide
org:            ORG-IANA1-RIPE
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
status:         ALLOCATED UNSPECIFIED
remarks:        The country is really worldwide.
remarks:        This address space is assigned at various other places in
remarks:        the world and might therefore not be in the RIPE database.
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RIPE-NCC-HM-MNT
mnt-routes:     RIPE-NCC-RPSL-MNT
source:         RIPE # Filtered

organisation:   ORG-IANA1-RIPE
org-name:       Internet Assigned Numbers Authority
org-type:       IANA
address:        see hxxp://www.iana.org
remarks:        The IANA allocates IP addresses and AS number blocks to RIRs
remarks:        see hxxp://www.iana.org/ipaddress/ip-addresses.htm
remarks:        and hxxp://www.iana.org/assignments/as-numbers
e-mail:         bitbucket@ripe.net
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

role:           Internet Assigned Numbers Authority
address:        see hxxp://www.iana.org.
e-mail:         bitbucket@ripe.net
admin-c:        IANA1-RIPE
tech-c:         IANA1-RIPE
nic-hdl:        IANA1-RIPE
remarks:        For more information on IANA services
remarks:        go to IANA web site at hxxp://www.iana.org.
mnt-by:         RIPE-NCC-MNT
source:         RIPE # Filtered

- 169.254.10.244

Code:
OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:       Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US

NetRange:   169.254.0.0 - 169.254.255.255
CIDR:       169.254.0.0/16
NetName:    LINKLOCAL-RFC3927-IANA-RESERVED
NetHandle:  NET-169-254-0-0-1
Parent:     NET-169-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This is the "link local" block. It was set
Comment:    aside for this special use in the Standards
Comment:    Track document, RFC 3927 and was further
Comment:    documented in the Best Current Practice
Comment:    RFC 5735, which can be found at:
Comment:    hxxp://www.rfc-editor.org/rfc/rfc3927.txt
Comment:    hxxp://www.rfc-editor.org/rfc/rfc5735.txt
Comment:    It is allocated for communication between hosts
Comment:    on a single link. Hosts obtain these addresses
Comment:    by auto-configuration, such as when a DHCP
Comment:    server cannot be found.
Comment:    A router MUST NOT forward a packet with an IPv4
Comment:    Link-Local source or destination address,
Comment:    irrespective of the router's default route configuration
Comment:    or routes obtained from dynamic routing protocols.
Comment:    A router which receives a packet with an IPv4
Comment:    Link-Local source or destination address MUST NOT
Comment:    forward the packet. This prevents forwarding of
Comment:    packets back onto the network segment from which
Comment:    they originated, or to any other segment.
RegDate:    1998-01-27
Updated:    2010-03-15

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org

# ARIN WHOIS database, last updated 2010-07-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.

HijackThis log:

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at **:**:**, on **.**.**
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\taskeng.exe
C:\Users\************\Programme\CoreTemp32\Core Temp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Windows\system32\Notepad.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {********-****-****-****-************} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HP Smart BHO Class - {********-****-****-****-************} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Home Server Banner - {********-****-****-****-************} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\************\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: (no name) - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O18 - Filter hijack: text/xml - {********-****-****-****-************} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {********-****-****-****-************} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
15.07.2010, 14:38 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Help please "HiJackThis + Netstat -ab" log

The first address, 1.2.96.108, lies within the not yet reserved block 1.0.0.0/8 (i.e. 1.0.0.0 - 1.255.255.255).

The 169.x address is a Zeroconf address. What that is, you can find out for yourself.
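As an added example (not from this thread), a small Python parser for "netstat -ab" output in the layout posted above: it separates the port from the local address, strips the IPv6 zone index (the %9 in the fe80:: lines the poster asks about) and classifies each bound address as wildcard, loopback, link-local (the 169.254 Zeroconf range named in the reply, and fe80::/10, its IPv6 counterpart) or global, then lists the network-reachable sockets for which netstat printed no owner. The sample rows are constructed, not the poster's data.

```python
import ipaddress
import re

# Constructed sample in the layout of the German-locale "netstat -ab" output
# above (addresses made up). ABHÖREN = LISTENING; the line(s) after a row
# name the owning service/exe or say that no owner could be determined.
SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
  TCP    127.0.0.1:27015        0.0.0.0:0              ABHÖREN
 [AppleMobileDeviceService.exe]
  TCP    169.254.10.244:139     0.0.0.0:0              ABHÖREN
 Es konnten keine Besitzerinformationen ermittelt werden.
  TCP    [::]:990               [::]:0                 ABHÖREN
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:1900  *:*
  SSDPSRV
 [svchost.exe]
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
NO_OWNER = "Es konnten keine Besitzerinformationen"

def split_endpoint(endpoint):
    """'[fe80::1%9]:1900' -> (IPv6Address, 1900); '0.0.0.0:135' -> (IPv4Address, 135)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and the %zone index
    return ipaddress.ip_address(host), int(port)

def scope(addr):
    if addr.is_unspecified:  # 0.0.0.0 / [::]: bound on every interface
        return "wildcard"
    if addr.is_loopback:     # 127.0.0.1 / [::1]: reachable from this machine only
        return "loopback"
    if addr.is_link_local:   # 169.254.0.0/16 (Zeroconf) / fe80::/10: same link only
        return "link-local"
    return "private" if addr.is_private else "global"

def parse_netstat(text):
    """One dict per TCP/UDP row; owner lines are attached to the preceding row."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            addr, port = split_endpoint(m.group(2))
            entries.append({"proto": m.group(1), "addr": str(addr), "port": port,
                            "scope": scope(addr), "state": m.group(4), "owner": []})
        elif entries and line.strip():
            entries[-1]["owner"].append(line.strip())
    return entries

def needs_review(entries):
    """Network-reachable sockets whose owner netstat could not name."""
    return [e for e in entries if e["scope"] != "loopback"
            and any(o.startswith(NO_OWNER) for o in e["owner"])]
```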