Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   ewizard - Eure Hilfe oder neues Notebook... (https://www.trojaner-board.de/16873-ewizard-hilfe-neues-notebook.html)

tobsen 20.04.2005 12:50
"Hilfe !!!!" - Kennt jemand diesen Trojaner ???
 
Hi, erst Mal ein fettes Lob an alle, die hier helfen :)

Folgendes Problem: CPU wird immer wieder lahmgelegt durch zehntausende IE-Seiten mit ewizard, IE ist aber gar nicht mehr installiert. Habe AVK Internet Security drüberlaufen lassen, nützt alles nix, kein Internet, keine updates möglich. Folgendes Log erscheint:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:38, on 20.04.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKService.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKWCtl.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Programme\FinePixViewer\QuickDCF.exe
C:\Programme\AntiVirenKit InternetSecurity\Firewall\kavpf.exe
C:\Programme\Sony Corporation\Image Transfer\SonyTray.exe
C:\Programme\Lexmark X125\LEX125SU.exe
C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
C:\Programme\Palm\HOTSYNC.EXE
C:\Programme2\Microsoft Office\Office\OSA.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\ANTIVI~1\WEBFIL~1\ADSCLE~1.EXE
C:\Programme2\Microsoft Office\Office\excel.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Tobias\LOKALE~1\Temp\Rar$EX00.052\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Tobias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\Tobias\LOKALE~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {A955F6B2-2EDB-6FAF-C425-E8A517A01556} - ExchangeMaster.dll (file missing)
O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: SIPAKBHO Class - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Programme\AntiVirenKit InternetSecurity\Webfilter\PAKIEPlugins.dll
O2 - BHO: (no name) - {64E5D4F4-97B1-4306-9975-9D0CDB775798} - C:\WINDOWS\System32\cdhd.dll
O2 - BHO: Name - {9B294BDE-8A37-40A8-8751-20FA173A6903} - C:\WINDOWS\System32\msjnm.dll (file missing)
O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFilter-Leiste - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\PAKIEGUI.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programme\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [windir] C:\WINDOWS\System32\datadir.exe
O4 - HKLM\..\Run: [B657D8DE] C:\WINDOWS\TEMP\~7AE0.tmp.exe
O4 - HKLM\..\Run: [runhost] C:\WINDOWS\System32\loghost.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\nsqad.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [winexpolrer] C:\WINDOWS\System32\runexpolrer.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [logdata] C:\WINDOWS\System32\diagcrypt.exe
O4 - HKLM\..\Run: [sysexpolerx] C:\WINDOWS\System32\expoler.exe %srun%
O4 - HKLM\..\Run: [wvsvc] wvsvc.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\nstc\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [runload32] NopeZ.exe
O4 - HKLM\..\Run: [Bogobot] syspanel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [wvsvc] wvsvc.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Programme\ClockSync\Sync.exe" /q
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [hyandex] ATLIEHELPER.exe
O4 - HKCU\..\Run: [srbho] forces_elite.exe
O4 - HKCU\..\Run: [10010] xxtoolbar.exe
O4 - Startup: HotSync Manager.LNK = C:\Programme\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft-Indexerstellung.lnk = C:\Programme2\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office-Start.lnk = C:\Programme2\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: WkCalRem.LNK = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Firewall.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Lexmark X125 Einstellungsdienstprogramm.lnk = C:\Programme\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Webfilter.lnk = C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add selected links to Link Container - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Show domain links - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_domain_links.htm
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\WareOut\WareOut.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Programme\WareOut\WareOut.exe (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0381B3E0-30FE-4B66-98FB-043E4E688682}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{34DD1CC6-D5B9-470B-8A86-96A38E19FB4A}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D2EA322-2433-4E0C-BA9E-097B684C122F}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{79FFE927-9792-4546-95B2-B4CBB188CFF9}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD7C0737-4DD4-478E-9994-4A14314999BB}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E375C1-EC01-4681-8D95-97F67C1AB324}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{0381B3E0-30FE-4B66-98FB-043E4E688682}: NameServer = 69.50.188.180,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{0381B3E0-30FE-4B66-98FB-043E4E688682}: NameServer = 69.50.188.180,195.225.176.37
O18 - Filter: text/html - {A30E626F-2C80-494D-89A1-B9CD4A0EA8A2} - C:\WINDOWS\System32\cdhd.dll
O18 - Filter: text/plain - {A30E626F-2C80-494D-89A1-B9CD4A0EA8A2} - C:\WINDOWS\System32\cdhd.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - Unknown owner - C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKWCtl.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBaseGuardian - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
O23 - Service: InterBaseServer - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Danke Euch vorab für Eure Hilfe.....

tobsen

chaosman 20.04.2005 14:46
@tobsen
lade SpSeHjix
laufen lassen
danach escan
download
anleitung
Öffne die mwav.log im Ordner C:\bases_x -> Bearbeiten -> Suchen -> infected oder tagged eingeben -> Weitersuchen -> Treffer markieren/kopieren und ins Forum übertragen.
Zitat Cidre

chaosman


Alle Zeitangaben in WEZ +1. Es ist jetzt 11:30 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19