Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
  - infected by "Exploit.HTML.Mht" Virus! (https://www.trojaner-board.de/37897-infected-by-exploit-html-mht-virus.html)

squiq 12.04.2007 15:39

infected by "Exploit.HTML.Mht" Virus!
 
Hello everyone,

At the moment I am running Windows XP SP2 with AntiVir and AVG as virus scanners, plus Ad-Aware and Spybot.

Today, just for fun, I ran eScan over the system and it found the following:

File C:\Dokumente und Einstellungen\M**s\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\zr0i3cv4.default\Cache\D9EE634Bd01 infected by "Exploit.HTML.Mht" Virus! Action Taken: File Renamed.

If I understand the message correctly, a nasty little thing is hiding in the browser cache. Of course I immediately cleared the cache again manually.

But is my system really clean now?
I would appreciate your help :D

Attached is my HijackThis log file:

Many thanks for your help

Squiq

Logfile of HijackThis v1.99.1
Scan saved at 16:36:16, on 12.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programme\AntiVir PersonalEdition Classic\sched.exe
D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
d:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\WINDOWS\System32\drivers\Tray900.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
D:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\Programme\FRITZ!DSL\StCenter.exe
D:\Programme\FRITZ!DSL\FwebProt.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
D:\Programme\Mozilla Firefox\firefox.exe
C:\DOKUME~1\Ma**hias\LOKALE~1\Temp\mexe.com
C:\DOKUME~1\Ma**hias\LOKALE~1\Temp\ScanningProcess.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOKUME~1\Ma**hias\LOKALE~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [avgnt] "D:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: FRITZ!DSL Protect.lnk = D:\Programme\FRITZ!DSL\FwebProt.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = D:\Programme\FRITZ!DSL\StCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: d:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: d:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: d:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: d:\programme\fritz!dsl\sarah.dll
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - h**p://h20270.***2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - h**ps://h17000.***1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - h**p://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - D:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - d:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBaseGuardian - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
O23 - Service: InterBaseServer - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

squiq 12.04.2007 16:48

...and here is the eScan result as well. Fortunately a second scan came back with no warnings :-)

But is the system clean now?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Windows XP [Version 5.1.2600]
Thu Apr 12 14:59:58 2007 => Version 9.1.9 (C:\DOKUME~1\M*\LOKALE~1\Temp\mexe.com)
Thu Apr 12 00:17:45 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 00:19:48 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 01:35:28 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 01:37:48 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 02:13:04 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 03:40:01 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 09:18:39 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:13:36 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:13:48 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:13:52 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:23:11 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:31:29 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 10:32:56 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 14:59:21 2007 => Virus Database Date: 4/11/2007
Thu Apr 12 14:59:53 2007 => Virus Database Date: 4/12/2007
Thu Apr 12 16:16:00 2007 => Virus Database Date: 4/12/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thu Apr 12 00:22:03 2007 => System found infected with wareout Adware (3.dat)! Action taken: Entries Removed.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Thu Apr 12 00:48:12 2007 => File C:\Dokumente und Einstellungen\M*\Anwendungsdaten\Thunderbird\Profiles\98f2a9ff.default\Mail\pop.gmx.net\Inbox//[From M* *i T*l <i**i@gmx.de>][Date Wed, 31 May 2006 23:50:41 +0200]/UNNAMED//[From M* *i T*... infected by "Email-Worm.Win32.Warezov.ev" Virus! Action Taken: No Action Taken.
Thu Apr 12 02:30:29 2007 => File C:\Dokumente und Einstellungen\M*\Anwendungsdaten\Thunderbird\Profiles\98f2a9ff.default\Mail\pop.gmx.net\Inbox//[From M* *i T*l <i**i@gmx.de>][Date Wed, 31 May 2006 23:50:41 +0200]/UNNAMED//[From M* *i T*... infected by "Email-Worm.Win32.Warezov.ev" Virus! Action Taken: No Action Taken.
Thu Apr 12 09:38:37 2007 => File C:\Dokumente und Einstellungen\M*\Anwendungsdaten\Thunderbird\Profiles\98f2a9ff.default\Mail\pop.gmx.net\Inbox//[From M* *i T*l <i**i@gmx.de>][Date Wed, 31 May 2006 23:50:41 +0200]/UNNAMED//[From M* *i T*... infected by "Email-Worm.Win32.Warezov.ev" Virus! Action Taken: No Action Taken.
Thu Apr 12 15:24:36 2007 => File C:\Dokumente und Einstellungen\M*\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\zr0i3cv4.default\Cache\D9EE634Bd01 infected by "Exploit.HTML.Mht" Virus! Action Taken: File Renamed.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Thu Apr 12 00:22:03 2007 => Offending file found: C:\DOKUME~1\M*\LOKALE~1\ANWEND~1\hp\DIGITA~1\cache\3.dat
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Thu Apr 12 00:21:57 2007 => Offending Folder found: C:\Dokumente und Einstellungen\M*\Anwendungsdaten\load
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Thu Apr 12 00:21:09 2007 => Offending Key found: HKLM\Software\magnet !!!
Thu Apr 12 00:21:55 2007 => Offending Key found: HKCU\\magnet !!!
Thu Apr 12 00:21:55 2007 => Offending Key found: HKLM\System\CurrentControlSet\Services\iprip !!!
Thu Apr 12 00:21:55 2007 => Offending Key found: HKLM\System\ControlSet002\Services\iprip !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

squiq 14.04.2007 11:41

..................?


Copyright ©2000-2025, Trojaner-Board