|
My Log.... Having problems. Hello, my log here: Logfile of HijackThis v1.99.0 Scan saved at 23:35:06, on 14.01.2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe C:\Programme\SED\SED.exe C:\Programme\AVPersonal\AVGNT.EXE C:\WINDOWS\System32\ctfmon.exe C:\Programme\AVPersonal\AVGUARD.EXE C:\Programme\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\System32\msupd5.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Pulse\Pulse.exe C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\mIRC\mirc.exe C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\_ ZFDown203\mirc32.exe C:\WINDOWS\System32\rsguqrzr.exe C:\Dokumente und Einstellungen\Scotty69\Eigene Dateien\pr0gz\FlashFXPv21924.dLs\FlashFXP.exe C:\Dokumente und Einstellungen\Scotty69\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://arcor.de/login O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {029629AD-283E-CBBE-BC89-9D4666ADC3C5} - C:\WINDOWS\System32\hkaxsbel.dll O2 - BHO: (no name) - {DF6E4D57-260F-491F-219D-B344911C9251} - C:\WINDOWS\System32\vpgezlny.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [SESync] "C:\Programme\SED\SED.exe" O4 - HKLM\..\Run: [rsguqrzr] C:\WINDOWS\System32\rsguqrzr.exe O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Pulse] C:\Programme\Pulse\Pulse.exe -splash O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: klamm.de - {EB52F380-B8AE-11d5-AE8E-52544025AABB} - http://www.klamm.de/?id=150826 (file missing) (HKCU) O9 - Extra 'Tools' menuitem: klamm.de - {EB52F380-B8AE-11d5-AE8E-52544025AABB} - http://www.klamm.de/?id=150826 (file missing) (HKCU) O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104787459484 O17 - HKLM\System\CCS\Services\Tcpip\..\{C71697A1-AB9B-4B69-B26C-6F3C1544F465}: NameServer = 217.237.150.141 217.237.150.97 O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe Problems are advertising from... I don't know... Mediabuy or so, I'm a noob, sorry, please help me. /edit: For a few seconds, this page run: http://www.northernarizonamls.com/sc...757910,-AS,-N1 |
Nobody here who could help? |
Hi, you should update your system to Service Pack 2. Get E-Scan: http://www.trojaner-board.de/42731-escan-anleitung.html create the directory c:\bases and unzip (!) the mwav.exe into that directory. Use kavupd.exe to get the latest signatures. Start a full scan (all files) in safe mode (!). Search the logfile and post everything E-Scan flagged as "infected". Youre definitely infected with a hijacker but I´m afraid theres a real backdoor too. thats why you should check everything before we proceed. |
Thank you for your answer, here's the result: Sun Jan 16 15:51:30 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken. Sun Jan 16 15:51:58 2005 => File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus. Action Taken: No Action Taken. Sun Jan 16 15:52:01 2005 => File C:\WINDOWS\sahagent-1002.exe infected by "not-a-virus:AdWare.Sahat.h" Virus. Action Taken: No Action Taken. Sun Jan 16 15:52:03 2005 => File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken. Sun Jan 16 15:52:06 2005 => File C:\WINDOWS\system32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken. Sun Jan 16 15:52:34 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken. Sun Jan 16 15:52:42 2005 => File C:\WINDOWS\system32\jtpm0771e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken. Sun Jan 16 15:53:48 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\Del6.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken. Sun Jan 16 15:53:48 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\SskUpdater.exe infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken. Sun Jan 16 15:54:02 2005 => File C:\DOKUME~1\Scotty69\LOKALE~1\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken. Sun Jan 16 15:58:17 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\Del6.tmp infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: No Action Taken. Sun Jan 16 15:58:18 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\SskUpdater.exe infected by "not-a-virus:AdWare.SurfSide.c" Virus. Action Taken: No Action Taken. Sun Jan 16 15:58:34 2005 => File C:\Dokumente und Einstellungen\Scotty69\Lokale Einstellungen\Temp\uninstall.exe infected by "not-a-virus:AdWare.ToolBar.EliteBar.q" Virus. Action Taken: No Action Taken. Sun Jan 16 16:14:22 2005 => File C:\WINDOWS\mm15201518.Stub.exe infected by "not-a-virus:AdWare.EZula.ah" Virus. Action Taken: No Action Taken. Sun Jan 16 16:14:54 2005 => File C:\WINDOWS\sahagent-1002.exe infected by "not-a-virus:AdWare.Sahat.h" Virus. Action Taken: No Action Taken. Sun Jan 16 16:19:15 2005 => File C:\WINDOWS\system32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken. Sun Jan 16 16:20:11 2005 => File C:\WINDOWS\system32\guard.tmp infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken. Sun Jan 16 16:20:17 2005 => File C:\WINDOWS\system32\jtpm0771e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken. Sun Jan 16 16:21:15 2005 => File C:\WINDOWS\Temp\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken. Sun Jan 16 16:21:15 2005 => File C:\WINDOWS\Temp\nsdtmp09.dll infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken. Sun Jan 16 16:21:16 2005 => File C:\WINDOWS\Temp\suicidetb.exe infected by "not-a-virus:AdWare.ToolBat.EliteBar.z" Virus. Action Taken: No Action Taken. Sun Jan 16 16:21:23 2005 => File C:\WINDOWS\unstall.exe infected by "not-a-virus:AdWare.MediaMotor.a" Virus. Action Taken: No Action Taken. I do nothing until now, because I'm waiting for your help. |
Did you check to scan all files? The reason I wanted the test is: O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINDOWS\System32\msupd5.exe Thats definitely malware (it says miscrosoft instead of microsoft) and its running as a service and I need to know what it is. If its not a backdoor and only belongs to some hijacker/Adware we can avoid e new install and fix it. Buy I need to know exactly what it is before. Get http://www.clearprog.de/index.php?lang=en You can already deactivate system recovery, boot into to safe mode and fix with HJT: O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {029629AD-283E-CBBE-BC89-9D4666ADC3C5} - C:\WINDOWS\System32\hkaxsbel.dll O2 - BHO: (no name) - {DF6E4D57-260F-491F-219D-B344911C9251} - C:\WINDOWS\System32\vpgezlny.dll O4 - HKLM\..\Run: [SESync] "C:\Programme\SED\SED.exe" O4 - HKLM\..\Run: [rsguqrzr] C:\WINDOWS\System32\rsguqrzr.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm Clean your temporary files with clearprog. Delete the files in that entries as well as the other things E-Scan has found. Start into normal mode and activate the system recovery. Post a new logfile of HJT. We might need this program later if we cant fix it that way: http://forums.subratam.org/index.php?showtopic=1725 |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 17:04 Uhr. |
Copyright ©2000-2025, Trojaner-Board