Trojaner-Board


oban 20.02.2005 23:23

It got me too, please take a look at my log

Unfortunately I can't get rid of the pests on my own. :schrei:
I hope you can help me get things back in order.

Thanks a lot. Here's my log.

Logfile of HijackThis v1.99.1
Scan saved at 23:13:46, on 20.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\Programme\cFosSpeed\spd.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\d3jm32.exe
D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
D:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Programme\QuickTime\qttask.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Programme\D-Tools\daemon.exe
D:\Programme\CloneCD\CloneCDTray.exe
D:\WINDOWS\System32\RunDll32.exe
D:\PROGRA~1\ICQ\ICQ.exe
D:\Programme\cFosSpeed\cFos_Speed.exe
D:\Programme\Java\jre1.5.0_01\bin\jusched.exe
D:\WINDOWS\atltn32.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
D:\Programme\Microsoft Office\Office\OSA.EXE
D:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Programme\TheaterTek\AutoKiller.exe
D:\Programme\Logitech\SetPoint\KEM.exe
D:\Programme\GetRight\getright.exe
D:\Programme\Logitech\SetPoint\KHALMNPR.EXE
D:\Programme\GetRight\getright.exe
D:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
D:\Programme\Internet Explorer\iexplore.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktopOE.exe
F:\@@@ Torrent @@@\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.beisammen.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programme\GetRight\xx2gr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F0E16BEF-D89D-E599-8205-FED1F4920959} - D:\WINDOWS\mfchv32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "D:\Programme\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [cFosSpeed] D:\Programme\cFosSpeed\cFos_Speed.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [atltn32.exe] D:\WINDOWS\atltn32.exe
O4 - HKLM\..\RunOnce: [d3jm32.exe] D:\WINDOWS\d3jm32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Office-Start.lnk = D:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Autorun Killer.lnk = D:\Programme\TheaterTek\AutoKiller.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Programme\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Programme\GetRight\getright.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - D:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.trustcenter.de/activex/xenroll.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAF4C505-DB7B-4E7D-828A-ACB2487273EB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\Programme\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - D:\WINDOWS\system32\apppq.exe (file missing)


I've run Ad-Aware and Spybot over it several times, but something more stubborn has definitely settled in. Malware of the finest kind :kloppen: grmpff

I'm simply too unsure about what to fix with HijackThis. And before nothing works at all any more, I'd rather ask someone who knows about this.

Thanks in advance to the "masters" here

dartus 21.02.2005 00:13

Hi,

please run through this:

1. create a folder "C:\bases" (important!)
2. Download eScan and follow this guide (takes about an hour),
3. after the scan, restart into normal mode,
4. open the file "mwav.log", click "Edit" and then "Find"
5. then enter "infected",
6. keep searching for hits, select them and copy them into the forum,
7. besides the hits, also post the overall result (it's at the very bottom of the log file).

Example:
Wed Feb 02 19:48:56 2005 => Total Files Scanned:
Wed Feb 02 19:48:56 2005 => Total Virus(es) Found:
.
.
.
.


dartus
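Steps 4 to 7 done in code: an added example (not from the thread or from eScan) that pulls the "infected" hits and the totals block out of an mwav.log, tolerating entries that were wrapped across lines when pasted into a post; the sample log is constructed from the format quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample in the mwav.log format quoted in this thread. Two entries are
# wrapped onto continuation lines the way they appear when pasted into a forum post.
SAMPLE_LOG = r"""
Mon Feb 21 06:20:38 2005 => Scanning File D:\WINDOWS\notepad.exe
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\kfkwm.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\atlih32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:36 2005 => File D:\WINDOWS\System32\iepl.exe infected by

"Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.

Mon Feb 21 07:54:45 2005 => File D:\System Volume
Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP119\A0027388.exe infected by
"Trojan.Win32.StartPage.tj" Virus. Action Taken: No Action Taken.
Mon Feb 21 10:37:56 2005 => ***** Scanning complete. *****
Mon Feb 21 10:37:56 2005 => Total Files Scanned: 162811
Mon Feb 21 10:37:56 2005 => Total Virus(es) Found: 4
Mon Feb 21 10:37:56 2005 => Total Disinfected Files: 0
Mon Feb 21 10:37:56 2005 => Time Elapsed: 04:17:24
Mon Feb 21 10:37:56 2005 => Virus Database Date: 2005/02/21
Mon Feb 21 10:37:56 2005 => Scan Completed.
"""

# Every real entry starts with an asctime-style timestamp; continuation fragments do not.
TIMESTAMP = r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}"
# Hit lines: '... => File <path> infected by "<name>" Virus. Action Taken: <action>.'
# The second alternative also accepts fragments whose timestamp prefix was cut off.
HIT_RE = re.compile(
    r"(?:^" + TIMESTAMP + r" => File |^)(?P<path>.+?) infected by\s+"
    r'"(?P<name>[^"]+)"(?: Virus\. Action Taken: (?P<action>[^.]+)\.)?'
)
# The summary block at the bottom of the log (step 7 of the instructions above).
TOTAL_RE = re.compile(
    r"=> (?P<key>Total [^:]+|Time Elapsed|Virus Database [^:]+): (?P<value>.+)$"
)


def unwrap(text):
    """Re-join entries that were wrapped when pasted into a post.

    An entry that names a file but has no 'Action Taken' yet is incomplete, so a
    following line without a timestamp is glued onto it (covers both a wrapped
    detection name and a path split after 'System Volume')."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prev = entries[-1] if entries else ""
        incomplete = "=> File " in prev and "Action Taken" not in prev
        if incomplete and not re.match(TIMESTAMP, line):
            entries[-1] = prev + " " + line
        else:
            entries.append(line)
    return entries


def parse_mwav(text):
    """Return (hits, totals): hits are dicts with path/name/action, totals the summary block."""
    hits, totals = [], {}
    for entry in unwrap(text):
        m = HIT_RE.search(entry)
        if m:
            hits.append({"path": m["path"], "name": m["name"],
                         "action": m["action"] or "unknown"})
            continue
        t = TOTAL_RE.search(entry)
        if t:
            totals[t["key"]] = t["value"]
    return hits, totals


def summarize(hits):
    """Count detections per family and list files eScan only reported but did not treat."""
    by_name = Counter(h["name"] for h in hits)
    untreated = [h["path"] for h in hits if h["action"] == "No Action Taken"]
    return by_name, untreated


if __name__ == "__main__":
    found, totals = parse_mwav(SAMPLE_LOG)
    families, untreated = summarize(found)
    for name, count in families.most_common():
        print(f"{count:3d}  {name}")
    print(f"{len(untreated)} files reported but not treated; totals: {totals}")
```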

The Don - D.R. 21.02.2005 00:37

hi
I would advise you to patch your system
you're missing Service Pack 2 and Internet Explorer isn't up to date

fix these:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F0E16BEF-D89D-E599-8205-FED1F4920959} -
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.trustcenter.de/activex/xenroll.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/content...er/imloader.cab


I'm not yet sure about some of them

download eScan
http://www.mwti.net/antivirus/free_utilities.asp

and here are the instructions:
http://www.trojaner-board.de/42731-escan-anleitung.html


greez
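A triage pass over HijackThis entries of the kind listed above, as an added example that is not part of the thread or of HijackThis itself; the heuristics are my own (res:// search pages, unnamed BHOs and autostarts loading from the Windows root, O15 trusted-zone entries, O23 services pointing at a missing file) and the sample lines are constructed from this thread's log.

```python
import re

# Constructed excerpt in HijackThis v1.99 line format, taken from the entries
# discussed in this thread plus a few benign ones (Acrobat BHO, Symantec tray, NVSvc).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.beisammen.de/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F0E16BEF-D89D-E599-8205-FED1F4920959} - D:\WINDOWS\mfchv32.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [atltn32.exe] D:\WINDOWS\atltn32.exe
O4 - HKLM\..\RunOnce: [d3jm32.exe] D:\WINDOWS\d3jm32.exe
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.trustcenter.de/activex/xenroll.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - D:\WINDOWS\d3jm32.exe" /s (file missing)
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A binary sitting directly in the Windows directory root (not System32 or a subfolder):
# every dropped component in this thread (atltn32.exe, d3jm32.exe, mfchv32.dll) lives there.
WIN_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(exe|dll)", re.IGNORECASE)


def last_path_field(body):
    """HijackThis puts the file path in the last ' - ' separated field of O2/O23 lines."""
    return body.rsplit(" - ", 1)[-1].strip()


def check(sec, body):
    """Return (severity, reason) for one entry, or None when nothing stands out."""
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[-1]
        if value.lower().startswith("res://"):
            return ("high", "search/start page redirected into a local DLL resource")
    elif sec == "R3" and "is missing" in body:
        return ("low", "default URLSearchHook removed; usually left behind by a hijacker")
    elif sec == "O2":
        if "(no name)" in body and WIN_ROOT_FILE.match(last_path_field(body)):
            return ("high", "unnamed BHO loading a DLL from the Windows root")
    elif sec == "O4":
        cmd = body.split("] ", 1)[-1].strip().strip('"')
        if WIN_ROOT_FILE.match(cmd):
            return ("high", "autostart of an executable dropped into the Windows root")
    elif sec == "O15":
        return ("high", "trusted-zone/IP entry lowers IE security for that host; users rarely add these")
    elif sec == "O16":
        return ("review", "ActiveX download (DPF); confirm the source is one you expect")
    elif sec == "O23":
        if "(file missing)" in body or WIN_ROOT_FILE.match(last_path_field(body)):
            return ("high", "service pointing at a missing file or a Windows-root binary")
    return None


def triage(text):
    """Run check() over every HijackThis line and collect the findings."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        verdict = check(m["sec"], m["body"])
        if verdict:
            findings.append({"severity": verdict[0], "section": m["sec"],
                             "reason": verdict[1], "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['severity']:6s}] {f['section']}: {f['reason']}\n         {f['line']}")
```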

The Don - D.R. 21.02.2005 00:39

yes, do it the way dartus said

he was a bit faster ^^

oban 21.02.2005 13:11

I've followed your recommendations, thanks in advance, here's the eScan log

Mon Feb 21 06:20:38 2005 => File D:\WINDOWS\cermjo.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\ltbwnb.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\kfkwm.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\iavbec.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\nrrqgv.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\fcxkjz.dat infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\crad.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:45 2005 => File D:\WINDOWS\vvptxa.dat infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\nadrwy.log infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\ipvb.exe.bak infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\cxwgts.dat infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\atlih32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\jcdros.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\tqyydf.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\kfnojz.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:47 2005 => File D:\WINDOWS\qcgjtl.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:47 2005 => File D:\WINDOWS\srqxbl.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:20:47 2005 => File D:\WINDOWS\vtquql.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:36 2005 => File D:\WINDOWS\System32\iepl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:36 2005 => File D:\WINDOWS\System32\ppdfr.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:36 2005 => File D:\WINDOWS\System32\ipts32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:36 2005 => File D:\WINDOWS\System32\tmp.exe infected by "not-a-virus:AdWare.ToolBar.Perez.b" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:22:37 2005 => File D:\WINDOWS\System32\mfcvx32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
D:\DOKUME~1\pan\LOKALE~1\TEMPOR~1\Content.IE5\NG3VAOP7\i[1].hta infected by "Trojan-Dropper.VBS.Inor.by" Virus. Action Taken: No Action Taken.
D:\DOKUME~1\pan\LOKALE~1\TEMPOR~1\Content.IE5\NG3VAOP7\loader7[1].htm infected by "Trojan-Downloader.VBS.Psyme.ap" Virus. Action Taken: No Action Taken.
D:\DOKUME~1\pan\LOKALE~1\TEMPOR~1\Content.IE5\KXKXM78L\counter[1].gif infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
D:\DOKUME~1\pan\LOKALE~1\TEMPOR~1\Content.IE5\KXKXM78L\go[1].hta infected by "Trojan-Dropper.VBS.Inor.a" Virus. Action Taken: No Action Taken.
D:\DOKUME~1\pan\LOKALE~1\TEMPOR~1\Content.IE5\Z5FNA89C\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:49:43 2005 => File D:\WINDOWS\system32\iepl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:49:43 2005 => File D:\WINDOWS\system32\ppdfr.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:49:44 2005 => File D:\WINDOWS\system32\ipts32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:49:44 2005 => File D:\WINDOWS\system32\tmp.exe infected by "not-a-virus:AdWare.ToolBar.Perez.b" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:49:44 2005 => File D:\WINDOWS\system32\mfcvx32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:55:56 2005 => File D:\WINDOWS\cermjo.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:29 2005 => File D:\WINDOWS\ltbwnb.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:29 2005 => File D:\WINDOWS\kfkwm.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:29 2005 => File D:\WINDOWS\iavbec.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:29 2005 => File D:\WINDOWS\nrrqgv.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\fcxkjz.dat infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\crad.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\vvptxa.dat infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\nadrwy.log infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\ipvb.exe.bak infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\cxwgts.dat infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:30 2005 => File D:\WINDOWS\atlih32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\jcdros.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\tqyydf.dat infected by "Trojan-Downloader.Win32.Agent.jb" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\kfnojz.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\qcgjtl.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\srqxbl.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 06:57:31 2005 => File D:\WINDOWS\vtquql.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Einstellungen\Temporary Internet Files\Content.IE5\NG3VAOP7\i[1].hta infected by "Trojan-Dropper.VBS.Inor.by" Virus. Action Taken: No Action Taken.
Einstellungen\Temporary Internet Files\Content.IE5\NG3VAOP7\loader7[1].htm infected by "Trojan-Downloader.VBS.Psyme.ap" Virus. Action Taken: No Action Taken.
Einstellungen\Temporary Internet Files\Content.IE5\KXKXM78L\counter[1].gif infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.
Einstellungen\Temporary Internet Files\Content.IE5\KXKXM78L\go[1].hta infected by "Trojan-Dropper.VBS.Inor.a" Virus. Action Taken: No Action Taken.
Einstellungen\Temporary Internet Files\Content.IE5\Z5FNA89C\activ-x[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:41 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP116\A0027349.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:41 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP116\A0027351.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:41 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP116\A0027349.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:41 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP116\A0027351.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:41 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP117\snapshot\MFEX-7.DAT infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:42 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP117\A0027356.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
Mon Feb 21 07:54:45 2005 => File D:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP119\A0027388.exe infected by "Trojan.Win32.StartPage.tj" Virus. Action Taken: No Action Taken.
Mon Feb 21 09:57:46 2005 => Scanning File F:\Heimkino\Htpc Pack - Girder 3.3.1C\Girder v3.3.1C\iNFECTED.nfo
Mon Feb 21 10:17:28 2005 => File F:\Sicherung MT\Favoriten\Send free nice cards to your friends....url infected by "Trojan.JS.Logo" Virus. Action Taken: No Action Taken.
Mon Feb 21 10:20:15 2005 => File F:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP119\A0027422.exe infected by "Trojan-Dropper.Win32.Delf.dh" Virus. Action Taken: No Action Taken.
Mon Feb 21 10:20:23 2005 => File F:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP119\A0027431.msi infected by "Trojan-Downloader.Win32.Delf.au" Virus. Action Taken: No Action Taken.
Mon Feb 21 10:20:23 2005 => File F:\System Volume Information\_restore{B7268E4A-5CC9-470D-B860-BA8973D3B1EE}\RP119\A0027432.exe infected by "Trojan-Dropper.Win32.Delf.fl" Virus. Action Taken: No Action Taken.
Mon Feb 21 10:37:56 2005 => ***** Scanning complete. *****

Mon Feb 21 10:37:56 2005 => Total Files Scanned: 162811
Mon Feb 21 10:37:56 2005 => Total Virus(es) Found: 90
Mon Feb 21 10:37:56 2005 => Total Disinfected Files: 0
Mon Feb 21 10:37:56 2005 => Total Files Renamed: 0
Mon Feb 21 10:37:56 2005 => Total Deleted Files: 0
Mon Feb 21 10:37:56 2005 => Total Errors: 1213
Mon Feb 21 10:37:56 2005 => Time Elapsed: 04:17:24
Mon Feb 21 10:37:56 2005 => Virus Database Date: 2005/02/21
Mon Feb 21 10:37:56 2005 => Virus Database Count: 118965

Mon Feb 21 10:37:56 2005 => Scan Completed.

oban 21.02.2005 13:16

Then I made another, current HijackThis log, since in the meantime my start page has changed as well. Annoying pop-ups open when I load a page.
A supposed Windows Security Center popup that "warns" me about activity on my computer.
I moved it off to the right without clicking it.

Here's the log.



Logfile of HijackThis v1.99.1
Scan saved at 12:59:15, on 21.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\Programme\cFosSpeed\spd.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\d3jm32.exe
D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
D:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Programme\QuickTime\qttask.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Programme\D-Tools\daemon.exe
D:\Programme\CloneCD\CloneCDTray.exe
D:\WINDOWS\System32\RunDll32.exe
D:\Programme\cFosSpeed\cFos_Speed.exe
D:\PROGRA~1\ICQ\ICQ.exe
D:\Programme\Java\jre1.5.0_01\bin\jusched.exe
D:\WINDOWS\atltn32.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
D:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
D:\Programme\Microsoft Office\Office\OSA.EXE
D:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Programme\TheaterTek\AutoKiller.exe
D:\Programme\Logitech\SetPoint\KEM.exe
D:\Programme\GetRight\getright.exe
D:\Programme\GetRight\getright.exe
D:\Programme\Logitech\SetPoint\KHALMNPR.EXE
D:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
D:\Programme\Google\Google Desktop Search\GoogleDesktopOE.exe
D:\Programme\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
F:\@@@ Torrent @@@\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://D:\WINDOWS\system32\ppdfr.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.beisammen.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programme\GetRight\xx2gr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F0E16BEF-D89D-E599-8205-FED1F4920959} - D:\WINDOWS\mfchv32.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "D:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "D:\Programme\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [cFosSpeed] D:\Programme\cFosSpeed\cFos_Speed.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [atltn32.exe] D:\WINDOWS\atltn32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Google Desktop Search] "D:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Office-Start.lnk = D:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Autorun Killer.lnk = D:\Programme\TheaterTek\AutoKiller.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Programme\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Programme\GetRight\getright.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with GetRight - D:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.trustcenter.de/activex/xenroll.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAF4C505-DB7B-4E7D-828A-ACB2487273EB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\Programme\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (NSS) (%AF夶À¨) - Unknown owner - D:\WINDOWS\d3jm32.exe" /s (file missing)



I hope you can help me with this.

Thanks

dartus 21.02.2005 13:34

Hi oban,

something like this was to be expected:

Quote:

Mon Feb 21 06:20:46 2005 => File D:\WINDOWS\atlih32.exe infected by "Backdoor.Win32.Small.dc"
The reason: your unpatched system.

Here, for a trojan with backdoor functionality, a format C: is recommended in order to restore a trustworthy system.

Here is a first-class guide:

http://www.trojaner-board.de/showthread.php?t=12154

On the subject of data backup:

http://www.trojaner-board.de/showpo...98&postcount=11

dartus

