Trojaner-Board


chris83vhm 26.11.2004 23:49

Need help, please

Hello,
I have had the w32spybot since today. I ran a scan with HijackThis and had it checked on hijackthis.de. I deleted all of them except one: C:\WINDOWS\System32\SLEE81.exe running process. (SLEE81.exe)
This is an unknown process. I suspect that this is the source, but it does not show up for me in the program. I'll post my log. Maybe someone can help me. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 23:37:27, on 26.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programme\D-Tools\daemon.exe
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\PDSched.exe
C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\Programme\Opera\opera.exe
C:\Dokumente und Einstellungen\spliff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F0645-CB19-4246-A99C-CC197424340E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97


cronos 26.11.2004 23:52

Please download the current HijackThis. You can get it here:

http://filepony.de/download-hijackthis/

and post the log!

Do you perhaps still have the log of your Escan on the computer? If so, post that too.

Regards

Cronos

cronos 26.11.2004 23:54

Please download the current HijackThis. You can get it here:

http://filepony.de/download-hijackthis/

and post the log!

.

Regards

Cronos

chris83vhm 27.11.2004 12:47

Yep,
here is my new logfile from the new HijackThis tool.

Logfile of HijackThis v1.98.2
Scan saved at 12:48:31, on 27.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programme\D-Tools\daemon.exe
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\PDSched.exe
C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Opera\opera.exe
C:\Dokumente und Einstellungen\spliff\Desktop\hijackthis1982\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programme\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{E56F0645-CB19-4246-A99C-CC197424340E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EF714B4-5493-466C-A6EA-DFCFB4D880D5}: NameServer = 217.237.149.225 217.237.151.97

And thanks for the answer.

THX Chris

chris83vhm 27.11.2004 12:57

What is the Escan?

chaosman 27.11.2004 13:02

@chris83vhm
SLEE81.exe belongs to Steganos
http://www.what-process.com/process-...x?p=SLEE81.exe
Regarding the w32spybot: where was it found?
Info here

Have these files, C:\WINDOWS\System32\PDSched.exe
C:\windows\system32\winyel32.exe
checked here
and post the result here.
Switch to safe mode and fix
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
then delete manually
C:\windows\system32\winyel32.exe
C:\WINDOWS\System32\PDSched.exe
Reboot and post a new HJT logfile.
chaosman
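
The three `[Microsoft DirectX]` entries in the fix list above register the same bare file name under three different autostart keys. As an added example (not part of the original post and not part of HijackThis), this Python code parses O4 registry lines and reports values registered under more than one key. The function names and the "two or more keys" threshold are assumptions, and the heuristic does not catch single-key entries such as `[Sys29]`.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winyel32.exe
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programme\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
"""

# Registry autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_REG = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Executable part of a command: quoted path, or everything up to the first ".exe"
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.IGNORECASE)


def parse_o4(log):
    """Return registry autostart entries; 'Global Startup' lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe = EXE.match(command)
        path = (exe.group(1) or exe.group(2)) if exe else command
        entries.append({"location": f"{hive}\\{key}", "name": name, "exe": path})
    return entries


def redundant_autostarts(entries, min_keys=2):
    """Group by (value name, executable); report groups spread over several keys."""
    groups = defaultdict(set)
    for e in entries:
        groups[(e["name"], e["exe"])].add(e["location"])
    return [
        {"name": name, "exe": exe, "locations": sorted(locs),
         "bare_name": "\\" not in exe}  # no directory: resolved via search path
        for (name, exe), locs in groups.items()
        if len(locs) >= min_keys
    ]


if __name__ == "__main__":
    for hit in redundant_autostarts(parse_o4(SAMPLE_LOG)):
        print(hit)
```
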

chris83vhm 28.11.2004 00:04

When I enter "C:\WINDOWS\System32\PDSched.exe" and "C:\windows\system32\winyel32.exe" at the top under "File to upload & scan:" on http://virusscan.jotti.org/de, then "http://virusscan.jotti.org/de" shows:
Service load:
0% 100%
File: PDSched.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
MORPHINE, ASPACK

AntiVir
Worm/SdBot.JT (0.14 seconds taken)
Avast
Win32:SdBot-388 (1.51 seconds taken)
BitDefender
Backdoor.SDBot.IE (0.32 seconds taken)
ClamAV
Trojan.SdBot.Gen-142 (0.33 seconds taken)
Dr.Web
BackDoor.Optix.12 (0.70 seconds taken)
F-Prot Antivirus
W32/Spybot.AMH (0.06 seconds taken)
Kaspersky Anti-Virus
Backdoor.SdBot.jt (0.89 seconds taken)
mks_vir
Trojan.Sdbot.Jt (0.19 seconds taken)
NOD32
IRC/SdBot.AFO (0.36 seconds taken)
Norman Virus Control
W32/SDBot.ANN (0.10 seconds taken)

Statistics
Last piece of malware found was W32/SDBot.ANN in PDSched.exe, detected by:


Scanner Malware name Time taken
AntiVir Worm/SdBot.JT 0.14 seconds
Avast Win32:SdBot-388 1.51 seconds
BitDefender Backdoor.SDBot.IE 0.30 seconds
ClamAV Trojan.SdBot.Gen-142 0.32 seconds
Dr.Web BackDoor.Optix.12 0.70 seconds
F-Prot Antivirus W32/Spybot.AMH 0.06 seconds
Kaspersky Anti-Virus Backdoor.SdBot.jt 0.88 seconds
mks_vir Trojan.Sdbot.Jt 0.19 seconds
NOD32 IRC/SdBot.AFO 0.36 seconds
Norman Virus Control W32/SDBot.ANN 0.10 seconds


Service statistics:

11090 files (7968 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
2330 of those 7968 files contained a virus or any other form of malware.
This page has been visited 25354 times in this time period.
This service managed to spot 136 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1066 suspicious files without any help from scanner results.
However, 112 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 98.59% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:


Rank Malware name Uploaded Last known filename
1 backdoor.sdbot.gen 188 times outlook.dat
2 behaveslike:trojan.downloader 180 times satmat.exe
3 backdoor.agobot.3.gen 90 times lnmgr2.exe
4 tr/drop.delf.fd.1 84 times WINAMP~1.zip
5 tr/spam.avafx 68 times vbsys.dll
6 backdoor.win32.agobot.gen 43 times fiz.exe
7 tr/dldr.inservice.i 41 times LOMALKA.RU-SolarWinds_2002_Engineer_Edition_by_OZ_.zip
8 win32:trojan-gen. {other} 39 times server2.exe
9 tr/dldr.small.uv.3 34 times s1p1y.exe
10 win32:trojan-gen. 27 times f0r0r.rar
11 win32.p2p.spybot.gen 26 times BSPlayer.exe
12 behaveslike:win32.av-killer 26 times winshost.exe
13 backdoor.rbot.gen 25 times rBotupxvgc.exe
14 backdoor.wootbot.gen 24 times Kopie van 1.exe.exe
15 win32.hllw.mybot.based 23 times winserva.exe

and for "C:\windows\system32\winyel32.exe":
Service load:
0% 100%
File: winyel32.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected:
FSG

AntiVir
TR/StartPage.NK.3 (0.15 seconds taken)
Avast
Win32:StartPage-042 (1.53 seconds taken)
BitDefender
Trojan.Clicker.BA (0.94 seconds taken)
ClamAV
Trojan.Startpage-78 (0.32 seconds taken)
Dr.Web
Trojan.StartPage.256 (0.49 seconds taken)
F-Prot Antivirus
W32/Startpage.CJ (0.06 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.StartPage.nk (0.59 seconds taken)
mks_vir
Trojan.Startpage.Nk (0.19 seconds taken)
NOD32
Win32/StartPage.NK (0.37 seconds taken)
Norman Virus Control
W32/Startpage.EC (0.10 seconds taken)

Statistics
Last piece of malware found was W32/SDBot.ANN in PDSched.exe, detected by:


Scanner Malware name Time taken
AntiVir Worm/SdBot.JT 0.14 seconds
Avast Win32:SdBot-388 1.51 seconds
BitDefender Backdoor.SDBot.IE 0.30 seconds
ClamAV Trojan.SdBot.Gen-142 0.32 seconds
Dr.Web BackDoor.Optix.12 0.70 seconds
F-Prot Antivirus W32/Spybot.AMH 0.06 seconds
Kaspersky Anti-Virus Backdoor.SdBot.jt 0.88 seconds
mks_vir Trojan.Sdbot.Jt 0.19 seconds
NOD32 IRC/SdBot.AFO 0.36 seconds
Norman Virus Control W32/SDBot.ANN 0.10 seconds


Service statistics:

11091 files (7968 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
2330 of those 7968 files contained a virus or any other form of malware.
This page has been visited 25356 times in this time period.
This service managed to spot 136 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1066 suspicious files without any help from scanner results.
However, 112 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 98.59% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:


Rank Malware name Uploaded Last known filename
1 backdoor.sdbot.gen 188 times outlook.dat
2 behaveslike:trojan.downloader 180 times satmat.exe
3 backdoor.agobot.3.gen 90 times lnmgr2.exe
4 tr/drop.delf.fd.1 84 times WINAMP~1.zip
5 tr/spam.avafx 68 times vbsys.dll
6 backdoor.win32.agobot.gen 43 times fiz.exe
7 tr/dldr.inservice.i 41 times LOMALKA.RU-SolarWinds_2002_Engineer_Edition_by_OZ_.zip
8 win32:trojan-gen. {other} 39 times server2.exe
9 tr/dldr.small.uv.3 34 times s1p1y.exe
10 win32:trojan-gen. 27 times f0r0r.rar
11 win32.p2p.spybot.gen 26 times BSPlayer.exe
12 behaveslike:win32.av-killer 26 times winshost.exe
13 backdoor.rbot.gen 25 times rBotupxvgc.exe
14 backdoor.wootbot.gen 24 times Kopie van 1.exe.exe
15 win32.hllw.mybot.based 23 times winserva.exe

Hope that's right.

Shadowdance 28.11.2004 01:18

Hello chris83vhm,

Information on SDBOT.JT -> note the "Explanation": "also has backdoor trojan functionality that allows unauthorized remote access to the infected computer via IRC channels while it is active as a service process in the background."

Your system is compromised. Deleting worms with backdoor functionality is not enough, see Removal of malware. You should format your system, heed Lutz's advice on data backup, and proceed according to Cidre's advice.

SD

