Trojaner-Board (https://www.trojaner-board.de/)
Log analysis and evaluation: Hijackthis.log - msgfix.exe + (https://www.trojaner-board.de/18791-hijackthis-log-msgfix-exe.html)

Gabriel@B 09.06.2005 15:02

Hijackthis.log - msgfix.exe +
 
Hello, here is a HijackThis log from a Windows 2000 Server!
With David AV 8.00a
According to http://www.hijackthis.de the process

Code:

C:\WINNT\system32\msgfix.exe
and
Code:

C:\WINNT\system32\owned.exe
is "bad", and according to the WT spyware list as well. But the David virus scanner does not find any virus! Does anyone know this file?

Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 09:14:25, on 06.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
D:\EASYLO~1.0\SqlAny7\dbsrv7.exe
C:\Programme\Dell\OpenManage\ihv\CIO\IOMGR.EXE
C:\Programme\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Programme\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Programme\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Programme\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programme\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\TOBITA~1\TAVFDSrv.EXE
C:\Programme\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
C:\Programme\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
d:\David\APPS\DSERVER\CODE\DSERVER.EXE
C:\WINNT\Explorer.EXE
d:\David\APPS\DVGRAB\CODE\DVGRAB.EXE
d:\David\APPS\MASERVER\CODE\MASERVER.EXE
d:\David\APPS\POSTMAN\CODE\POSTMAN.EXE
d:\David\APPS\REPLICA\CODE\REPLICA.EXE
d:\David\CODE\SL.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Programme\Tobit AntiVirus For Desktops\TAVfD.exe
d:\David\TLD\CODE\CAPI\TLD.EXE
C:\WINNT\system32\msgfix.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
d:\David\APPS\WEBBOX\CODE\WEBBOX.EXE
C:\WINNT\system32\owned.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\owned.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Programme\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
C:\WINNT\System32\svchost.exe
D:\Programme\Tobit InfoCenter\DVWIN32.EXE
D:\PROGRA~1\TOBITI~1\DVREMIND.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [Tobit AntiVirus for Desktops] C:\Programme\Tobit AntiVirus For Desktops\TAVfD.exe -HIDE
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Fix] owned.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
O4 - HKLM\..\RunServices: [Windows Fix] owned.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [Windows Fix] owned.exe
O4 - Global Startup: EASYLOG V4.0 Server.lnk = D:\EASYLOG V4.0\SqlAny7\dbsrv7.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
Sybase, Inc. - D:\EASYLO~1.0\SqlAny7\dbsrv7.exe
O23 - Service: AVSync Manager (Avsynmgr) - Unknown owner - C:\Programme\McAfee\VirusScan TC\Avsynmgr.exe
O23 - Service: CIO Array Management Service 4.01 (CIOArrayManagement) - Adaptec, Inc. - C:\Programme\Dell\OpenManage\ihv\CIO\IOMGR.EXE
O23 - Service: CIOArrayManager RPC Command - Unknown owner - C:\Programme\Dell\OpenManage\ihv\CIO\IOMRPCCM.EXE
O23 - Service: CIOArrayManager RPC Event - Unknown owner - C:\Programme\Dell\OpenManage\ihv\CIO\IOMRPCEV.EXE
O23 - Service: CIO Event Notifier (CIOEventNotifier) - Unknown owner - C:\Programme\Dell\OpenManage\ihv\CIO\CIONOTIFIER.EXE
O23 - Service: DvISE ClipInc 001 (DavidClipInc001) - Unknown owner - d:\David\APPS\CLIPINC\CODE\CLIPINC.EXE
O23 - Service: DvISE Discussion Server (DavidDiscussionServer) - Tobit Software - d:\David\APPS\DSERVER\CODE\DSERVER.EXE
O23 - Service: DvISE Grabbing Server (DavidGrabbingServer) - Tobit Software - d:\David\APPS\DVGRAB\CODE\DVGRAB.EXE
O23 - Service: DvISE Host (DavidHost) - Tobit Software - d:\David\APPS\DVHOST\CODE\DVHOST.EXE
O23 - Service: DvISE Mail Access Server (DavidMailAccessServer) - Tobit Software - d:\David\APPS\MASERVER\CODE\MASERVER.EXE
O23 - Service: DvISE PBXpense (DavidPBXpense) - Tobit Software - d:\David\APPS\PBXPENSE\CODE\PBXPENSE.EXE
O23 - Service: DvISE PostMan (DavidPostMan) - Tobit Software - d:\David\APPS\POSTMAN\CODE\POSTMAN.EXE
O23 - Service: DvISE Replica (DavidReplica) - Tobit Software - d:\David\APPS\REPLICA\CODE\REPLICA.EXE
O23 - Service: DvISE Service Layer (DavidServiceLayer) - Tobit Software - d:\David\CODE\SL.EXE
O23 - Service: DvISE TLD 001 (DavidTLD001) - Tobit Software - d:\David\TLD\CODE\CAPI\TLD.EXE
O23 - Service: DvISE TVIndex (DavidTVIndex) - Unknown owner - d:\David\APPS\TVINDEX\TVINDEX.EXE
O23 - Service: DvISE VideoCapture (DavidVideoCapture) - Tobit Software - d:\David\APPS\VIDEOCPT\CODE\VIDEOC~1.EXE
O23 - Service: DvISE WebBox (DavidWebBox) - Tobit Software - d:\David\APPS\WEBBOX\CODE\WEBBOX.EXE
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Computer Corporation. - C:\Programme\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Computer Corporation. - C:\Programme\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: McShield (Mcshield) - Unknown owner - C:\Programme\Gemeinsame Dateien\McAfee\McShield\Mcshield.exe
O23 - Service: mr2kserv - Unknown owner - C:\Programme\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) - Danware Data A/S - C:\Programme\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NobleNet Portmapper - Unknown owner - C:\Programme\Dell\OpenManage\ihv\CIO\PORTSERV.EXE
O23 - Service: Server Administrator - Dell Computer Corporation - C:\Programme\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: Tobit AntiVirus for Desktops Service (TAVFDService) - Tobit Software - C:\PROGRA~1\TOBITA~1\TAVFDSrv.EXE
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Programme\Dell\OpenManage\Array Manager\VxSvc.exe

What should I do about these files? What do I fight them with?
Can I simply fix them, or can that harm Windows?

Thanks for any help

Regards, Gabriel
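As an added example (not code from this thread or from HijackThis), the following script performs the triage a log reader does by hand on the O4 lines above: it flags autorun values that point to a bare executable name (no drive or directory) and recur under more than one Run/RunServices location, then looks the image up in the "Running processes" section. The sample log is a constructed excerpt of the one posted.

```python
"""Triage of HijackThis O4 autorun entries (added example, not from the
forum or from HijackThis). Bare image names started from several registry
locations are the persistence pattern seen in the log above."""
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\system32\\msgfix.exe
C:\\WINNT\\system32\\owned.exe

O4 - HKLM\\..\\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\\..\\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\\..\\Run: [Acronis True Image Monitor] "C:\\Programme\\Acronis\\TrueImage\\TrueImageMonitor.exe"
O4 - HKLM\\..\\Run: [Windows Fix] owned.exe
O4 - HKLM\\..\\RunServices: [Configuration Loader] msgfix.exe
O4 - HKLM\\..\\RunServices: [Windows Fix] owned.exe
O4 - HKCU\\..\\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\\..\\Run: [Windows Fix] owned.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[[^\]]*\] ?(?P<cmd>.*)$')

def running_processes(text):
    """Full paths listed under 'Running processes:' (section ends at a blank line)."""
    section = text.partition('Running processes:')[2].split('\n\n', 1)[0]
    return [p.strip() for p in section.splitlines() if p.strip()]

def executable_of(cmd):
    """Image name of a Run command: strip surrounding quotes and arguments."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ')[0]

def suspicious_autoruns(text):
    """Bare image names (no drive/directory) launched from more than one
    Run/RunServices location, with the process paths they are running under."""
    locations = defaultdict(set)
    for m in filter(None, map(O4_RE.match, text.splitlines())):
        exe = executable_of(m.group('cmd'))
        if not exe or '\\' in exe or ':' in exe:  # empty or absolute path: vendor entry
            continue
        locations[exe.lower()].add(f"{m.group('hive')}\\{m.group('key')}")
    procs = running_processes(text)
    return {exe: (sorted(locs), sorted({p for p in procs if p.lower().endswith('\\' + exe)}))
            for exe, locs in locations.items() if len(locs) > 1}

if __name__ == '__main__':
    for exe, (locs, paths) in suspicious_autoruns(SAMPLE_LOG).items():
        print(f'{exe}: started from {", ".join(locs)}; running as {paths or "not found"}')
```

Atiptaxx.exe is also a bare name but is only started from one location, so it is not reported; the two flagged images are the ones the thread is about.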

Gabriel@B 09.06.2005 15:42

I also forgot:

O17 - HKLM\System\CCS\Services\Tcpip\..\{052AF595-9E32-41F0-8F93-6E6DE677CA09}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{052AF595-9E32-41F0-8F93-6E6DE677CA09}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{052AF595-9E32-41F0-8F93-6E6DE677CA09}: NameServer = 213.148.129.10,213.148.130.10

Haui45 09.06.2005 15:45

Hello,

unfortunately you have, among other things, the following pest on your machine:
http://castlecops.com/startuplist-5700.html

Malicious routines, e.g.:
Quote:

# Allows others to access the computer
# Steals information
# Downloads code from the internet
# Reduces system security
# Installs itself in the Registry
=> The only sensible solution left to you is this:
"Reinstall the system and secure it accordingly before the first Internet connection".


EDIT: Why are you opening a thread here when you have already been answered at Wintotal?


Copyright ©2000-2024, Trojaner-Board