trojaner hijack ich hab keinen plan davon

der blabla · 19.06.2004, 02:15

immer wenn ich den ie starte bekomme ich eine startseite mit res://... egal was ich in den internetoptionen verändere !

habe versch virenscanner laufen lassen (norton ad-aware stinger cwschredder) adaware findet was behebt das dann auch ist aber beim nächsten search wieder da die anderen finden nix nur mein auto protect im norton geht auch nicht !
das ist mein hijack thios logfile achja systemrecovery ist aus

Logfile of HijackThis v1.97.7
Scan saved at 03:14:43, on 19.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
E:\noton\Norton Ghost\GhostStartService.exe
E:\noton\Norton AntiVirus\navapsvc.exe
E:\noton\Norton Utilities\NPROTECT.EXE
E:\noton\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\srxTitan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\atlyq32.exe
C:\TOBITM~1\Server\ClipInc-Server.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\sistray.EXE
E:\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
E:\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Programme\South River Technologies\Titan FTP Server\srxTray.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\syssn32.exe
E:\noton\Norton Ghost\GhostStartTrayApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Meaya\Popup Ad Filter\PopFilter.exe
C:\Programme\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.exe
E:\Winamp\winamp.exe
E:\ICQ\Icq.exe
C:\Programme\FlashGet\flashget.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\mwavscan.com
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kavss.exe
C:\Programme\Opera7\Opera.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\~AceTemp\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mpdsb.dll/sp.html#842544178
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpdsb.dll/index.html#842544178
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mpdsb.dll/index.html#842544178
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mpdsb.dll/sp.html#842544178
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mpdsb.dll/index.html#842544178
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mpdsb.dll/sp.html#842544178
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkvf.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\noton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\noton\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Lamp] e:\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "e:\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "e:\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Titan FTP Server Tray App] C:\Programme\South River Technologies\Titan FTP Server\srxTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6f1c.dll
O4 - HKLM\..\Run: [syssn32.exe] C:\WINDOWS\system32\syssn32.exe
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\noton\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Programme\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKLM\..\RunOnce: [atlyq32.exe] C:\WINDOWS\atlyq32.exe
O4 - HKLM\..\RunOnce: [apiby.exe] C:\WINDOWS\system32\apiby.exe
O4 - HKLM\..\RunOnce: [crzf32.exe] C:\WINDOWS\crzf32.exe
O4 - HKLM\..\RunOnce: [d3tc32.exe] C:\WINDOWS\system32\d3tc32.exe
O4 - HKLM\..\RunOnce: [atlve.exe] C:\WINDOWS\atlve.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = C:\Programme\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Allow Popups - C:\Programme\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110164567732} - ms-its:mhtml:file://C:MAIN.MHT!http://www.008i.com//x//f//10213//inst.chm::/f10213.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b37e6f...dxIE601_de.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Lutz · 19.06.2004, 09:37

Hallo 'derblabla' und Willkommen an Board,

setze bitte zuerst einmal eScan im abgesicherten Modus und die Tools Ad-aware, Spybot Search&Destroy, sowie den CWShredder ein. Links hierzu findest Du im ersten Link in meiner Signatur.

Poste danach ein neues Log von HijackThis, wenn Dein Problem noch nicht behoben ist.

der blabla · 19.06.2004, 10:35

Logfile of HijackThis v1.97.7
Scan saved at 11:29:04, on 19.06.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\winace\WinAce.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\~AceTemp\hijackthis1977\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A23E735-EC07-BB26-5CF0-DCDEBB6EADC9} - C:\WINDOWS\sdkvf.dll (file missing)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\noton\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\noton\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Lamp] e:\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "e:\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "e:\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Titan FTP Server Tray App] C:\Programme\South River Technologies\Titan FTP Server\srxTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF6f1c.dll
O4 - HKLM\..\Run: [syssn32.exe] C:\WINDOWS\system32\syssn32.exe
O4 - HKLM\..\Run: [ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] E:\noton\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Programme\Meaya\Popup Ad Filter\PopFilter.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = C:\Programme\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Allow Popups - C:\Programme\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Backward &Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {11010101-1001-1111-1000-110164567732} - ms-its:mhtml:file://C:MAIN.MHT!http://www.008i.com//x//f//10213//inst.chm::/f10213.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08b37e6f...dxIE601_de.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

und dann hab ich noch was von spybot

Avenue A, Inc.: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

Advertising.com: Verfolgender Cookie (Opera 7: Administrator) (Cookie, nothing done)

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-21-1757981266-1383384898-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

trojaner hijack ich hab keinen plan davon

Log-Analyse und Auswertung: trojaner hijack ich hab keinen plan davon