Trojaner-Board


Marcello78 14.01.2005 23:58

Please analyse my HJT log...

Hello,

I think I have various problems with my PC. I'll post my HJT log here:


Logfile of HijackThis v1.99.0
Scan saved at 22:55:03, on 14.01.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.sunrise.ch/en/hom/default.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.sunrise.ch/en/hom/default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by sunrise freesurf
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAMME\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programme\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAMME\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26cac9e9...dxIE601_de.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www3.photo-druck.de/XUpload.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://s03.picserver.info/upload/ImageUploader3.cab

Thanks in advance for your help.

Chris14 15.01.2005 14:31

OK, got it: New.net, search toolbars and most probably a trojan downloader..
Then do the following:

1. eScan & LSPFix
- Download LSPFix and unpack it to C:\.
(If you cannot unpack it, also download WinZip, install it, right-click the downloaded LSPFix, select WinZip, then select "Extract to here".)
- Download eScan and follow exactly this guide.

2. Delete entries
- Fix these entries with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.sunrise.ch/en/hom/default.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.sunrise.ch/en/hom/default.asp
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAMME\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programme\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAMME\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...meInstaller.exe


3. Delete files
- Delete the folders C:\Programme\NewDotNet and C:\PROGRAMME\MYWAY.

4. Remove the hijacker
- Run the LSPFix you downloaded earlier and click Finish.

5. Results
- Go back into normal mode.
- Open the file mwav.log, click Edit, then Find.
- Enter "infected".
- Find next, select the hits and copy them into the forum.
- Post a new HijackThis log.

riesurf 15.01.2005 15:26

http://www.hijackthis.de/index.php

Here you can have your log analysed online. I did it for you. It doesn't look good. You also don't seem to be using a virus scanner. I would also get a browser other than Internet Explorer. If you absolutely want to keep using it, you should at least update it.

Free virus scanners
http://www.bitdefender.com/bd/site/d...php?menu_id=21
http://www.free-av.com/
http://www.avast.com/
http://free.grisoft.com/freeweb.php/doc/2/
Browser
http://filepony.de/download-firefox/start/central.html

Anti-spyware
http://www.vollversion.de/download/m...nger_1469.html
http://www.spybot.info/de/tutorial/index.html
http://www.lavasoftusa.com/software/adaware/
http://www.mwti.net/antivirus/escan/escan.asp

See whether anything can still be saved. Otherwise ask a few other users.
Good luck!!

riesurf

Marcello78 15.01.2005 16:11

@Chris

Thank you. I'll do that this evening and then post the eScan hits and the new HJT log.

@riesurf
Thanks for the tip.

Marcello78 15.01.2005 18:50

So, I've now run eScan. Here are the "infected" hits:

Fri Jan 14 22:59:42 2005 => File C:\WINDOWS\WEBHDLL.DLL infected by
"not-a-virus:AdWare.WebHancer" Virus. Action Taken: No Action Taken.
Fri Jan 14 22:59:42 2005 => File C:\WINDOWS\WEBHDLL.DLL infected by
"not-a-virus:AdWare.WebHancer" Virus. Action Taken: No Action Taken.
Fri Jan 14 22:59:42 2005 => File C:\WINDOWS\WEBHDLL.DLL infected by
"not-a-virus:AdWare.WebHancer" Virus. Action Taken: No Action Taken.
Fri Jan 14 22:59:42 2005 => File C:\WINDOWS\WEBHDLL.DLL infected by
"not-a-virus:AdWare.WebHancer" Virus. Action Taken: No Action Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:48 2005 => File C:\WINDOWS\NDNuninstall4_88.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:50 2005 => File C:\WINDOWS\NDNuninstall5_20.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:50 2005 => File C:\WINDOWS\NDNuninstall5_40.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:50 2005 => File C:\WINDOWS\NDNuninstall5_48.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:50 2005 => File C:\WINDOWS\NDNuninstall5_64.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:50 2005 => File C:\WINDOWS\NDNuninstall6_10.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 22:59:51 2005 => File C:\WINDOWS\NDNuninstall6_22.exe
infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action
Taken.
Fri Jan 14 23:01:12 2005 => File C:\WINDOWS\SYSTEM\faszinierende
kreaturen.exe infected by "TrojanDownloader.Win32.Agent.am" Virus. Action
Taken: No Action Taken.
Fri Jan 14 23:02:55 2005 => File C:\WINDOWS\TEMP\asmfiles.cab infected
by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.
Fri Jan 14 23:04:25 2005 => File C:\WINDOWS\TEMP\WZS12F3.TMP\nrpr.exe
infected by "Trojan.Win32.Premeter" Virus. Action Taken: No Action
Taken.
Fri Jan 14 23:05:08 2005 => File C:\WINDOWS\TEMP\__unin__.exe infected
by "not-a-virus:AdWare.Altnet.b" Virus. Action Taken: No Action Taken.
Fri Jan 14 23:05:34 2005 => File
C:\WINDOWS\TEMPOR~1\CONTENT.IE5\X49I2R3M\counter[1].js infected by "Exploit.HTML.Mht" Virus. Action Taken: No
Action Taken.
Fri Jan 14 23:44:11 2005 => Total Disinfected Files: 0


Now the new HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 18:28:57, on 15.01.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by sunrise freesurf
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26cac9e9...dxIE601_de.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www3.photo-druck.de/XUpload.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://s03.picserver.info/upload/ImageUploader3.cab

I've already checked it in the automatic HJT analysis; it looks clean (unlike before..), I think.... What do you think? Many thanks.
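Added example (not from the thread, nor part of HijackThis or eScan): a small Python script that parses HijackThis entry lines, diffs the log posted before the fix against the one posted after, and checks that every entry on the helper's fix list is gone. The sample logs are constructed from a subset of the lines above; the repeated O10 line is counted rather than de-duplicated, because the log prints it once per affected Winsock entry.

```python
import re
from collections import Counter

# Constructed samples (subsets of the logs posted in the thread): the log
# before the fix, the helper's fix list, and the log posted after the fix.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.sunrise.ch/en/hom/default.asp
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programme\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.sunrise.ch/en/hom/default.asp
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programme\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O10 - Hijacked Internet access by New.Net
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
"""

# An entry line starts with its section tag (R0, R1, O2, O4, O10, ...).
ENTRY_RE = re.compile(r"^[RO]\d+ - .+$")

def parse_hjt(text):
    """Counter of entry lines; header and process lines are skipped.
    A Counter keeps duplicates such as the repeated O10 LSP entries."""
    return Counter(line.strip() for line in text.splitlines()
                   if ENTRY_RE.match(line.strip()))

def diff_logs(before, after):
    """(entries that disappeared, entries that are new) between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted((b - a).elements()), sorted((a - b).elements())

def unfixed(fix_list, after):
    """Fix-list entries still present in the new log (empty = fix applied)."""
    return sorted(parse_hjt(fix_list).keys() & parse_hjt(after).keys())

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still present:", unfixed(FIX_LIST, AFTER_LOG) or "none")
```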


Copyright ©2000-2025, Trojaner-Board
