Please evaluate my LOG file

Hello everyone, I am having problems with about:blank and much more ... Thanks for the help.
Regards, Mali

Logfile of HijackThis v1.98.2
Scan saved at 15:16:40, on 01.11.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Lexmark X74-X75\lxbbbmon.exe
C:\Programme\a2\a2guard.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINNT\system32\taskmgr.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=30090
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
F3 - REG:win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {3DD14D71-DCF0-4A35-A6E5-B73129511D33} - C:\WINNT\system32\gma.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\System32\jfi.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\Downloaded Program Files\win00sys.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programme\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Programme\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [a²] "C:\Programme\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...e1e2729109a237
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/248cf1f50e88e1e...zip/RdxIE2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://xpehbam.biz/a/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - http://www.xpehbam.biz/exploit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8023BF96-4597-4C9F-A5CA-8B3C5DC65149}: NameServer = 192.168.100.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{84AFB25F-E9C8-479A-8627-DA615AC897AD}: NameServer = 192.168.120.252,192.168.120.253
O18 - Filter: text/html - {C28A57BD-99F1-4DC5-A137-575500390158} - C:\WINNT\system32\gma.dll
O18 - Filter: text/plain - {C28A57BD-99F1-4DC5-A137-575500390158} - C:\WINNT\system32\gma.dll
O19 - User stylesheet: C:\WINNT\color.css
O19 - User stylesheet: C:\WINNT\my.css (HKLM)
Hello mali,

check the following with the Kaspersky online scan:
C:\WINNT\ex.htm
C:\WINNT\color.css
C:\WINNT\my.css (HKLM)

Tell us the result of the check. If the file(s) is (are) infected, send it (them) to partytime-germany.ice@web.de, with a reference to this thread.

Boot into VGA mode and then fix the following with HijackThis (tick the boxes and click "Fix checked"):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = ht*p://super-spider.com/sp.htm?id=30090
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ht*p://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ht*p://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ht*p://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ht*p://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\System32\jfi.dll (file missing)
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\Downloaded Program Files\win00sys.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - DefaultPrefix: ht*p://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: ht*p://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: ht*p://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - ht*p://63.219.181.7/cax.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - ht*p://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!ht*p://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ht*p://public.windupdates.com/get_f...1e2729109a237
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - ht*p://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ht*p://www.mt-download.com/MediaTicketsInstaller.cab

If you do not know/need these entries, please fix them too:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\homepage.htm
F3 - REG:win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {3DD14D71-DCF0-4A35-A6E5-B73129511D33} - C:\WINNT\system32\gma.dll
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!ht*p://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - ht*p://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - ht*p://207.188.7.150/248cf1f50e88e1...tzip/RdxIE2.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - ht*p://xpehbam.biz/a/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - ht*p://www.xpehbam.biz/s/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - ht*p://www.xpehbam.biz/exploit.exe

Terminate: y.exe
Delete: C:\WINNT\system32\services\y.exe

Boot into normal mode. Download eScan, create a folder (= directory) c:\bases for it, update eScan online and run it offline in Safe Mode. Please note that from version 4.5.1 on, eScan does not delete the malware it finds.

"Open the mwav.log -> Edit -> Find -> enter infected -> Find Next -> mark/copy the hits and post them in the forum." (quoting Cidre)

Tell us the result of the eScan: which viruses were found on your computer.

Create a new HijackThis logfile and post it.

SD
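The reply above says which entries to fix but not why the URLs in them look the way they do. The script below is an added example, not code from this thread or from HijackThis, that parses a handful of entries copied from the log posted above and decodes the two obfuscation tricks in them: the percent-encoded host name in the O13 prefix entries, and the fake host followed by "%00@" in front of the real host in the CustomizeSearch and SearchURL entries. It also flags O16 entries whose download target is a bare executable and O18 MIME filters that sit in front of every HTML page the browser renders. The function names, the regexes and the SAMPLE_LOG list are my own constructions.

```python
"""Decode the URL tricks found in HijackThis R1/O13/O16 entries (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Entry prefix exactly as HijackThis prints it: "R1 - ...", "O16 - ...".  (Regexes are mine.)
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# Stop at whitespace or at the "(obfuscated)" tag that HijackThis appends.
URL_RE = re.compile(r"https?://[^\s()]+")

# Constructed sample input: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)",
    r"O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?",
    r"O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab",
    r"O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://xpehbam.biz/a/load.exe",
    r"O18 - Filter: text/html - {C28A57BD-99F1-4DC5-A137-575500390158} - C:\WINNT\system32\gma.dll",
]


def real_host(url):
    """Host the browser actually connects to: everything before '@' is
    userinfo rather than the host, and percent-encoding is undone."""
    return unquote(urlsplit(url).hostname or "")


def analyse_url(url):
    """Return human-readable findings for one URL (empty list = nothing odd)."""
    parts = urlsplit(url)
    findings = []
    if "@" in parts.netloc:
        shown = parts.netloc.split("@", 1)[0]
        findings.append(f"'{shown}' is only userinfo; the real host is {real_host(url)}")
    if "%00" in url:
        findings.append("contains an encoded NUL byte (%00) before the real host")
    if "%" in (parts.hostname or ""):
        findings.append(f"percent-encoded host decodes to {real_host(url)}")
    if parts.path.lower().endswith(".exe"):
        findings.append("download target is a bare executable")
    return findings


def analyse_log(lines):
    """Return [(entry_type, [finding, ...]), ...] for entries worth a closer look."""
    report = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("type"), m.group("body")
        findings = [f"{u}: {f}" for u in URL_RE.findall(body) for f in analyse_url(u)]
        # A MIME filter sees every HTML / plain-text response before IE renders it.
        if kind == "O18" and re.search(r"Filter: text/(html|plain)", body):
            findings.append("MIME filter DLL intercepts every page IE renders")
        if findings:
            report.append((kind, findings))
    return report


if __name__ == "__main__":
    for kind, findings in analyse_log(SAMPLE_LOG):
        print(kind)
        for finding in findings:
            print("   ", finding)
```

real_host relies on urllib.parse applying the standard URL rule: the text before "@" in the authority is userinfo, so the O13 prefix decodes to ehttp.cc and the CustomizeSearch entry really points at www.e-finder.cc. The legitimate Symantec .cab entry produces no findings, and the about:blank start page is not flagged on its own; what makes it suspicious here is the O18 text/html filter pointing at an unknown DLL, which the script reports separately.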
Copyright ©2000-2025, Trojaner-Board