Can someone read this out?
Sun Dec 25 17:50:25 2005 => Total Errors: 61
Sun Dec 25 17:50:25 2005 => Time Elapsed: 01:18:22
Sun Dec 25 17:50:25 2005 => Virus Database Date: 2005/12/12
Sun Dec 25 17:50:25 2005 => Virus Database Count: 164615
Sun Dec 25 17:50:25 2005 => Scan Completed.
Virus log information
File C:\Programme\little_helper2\little_helper2.exe tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "lop.com Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "casinoclient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "casinoclient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Programme\Mobile Phone Manager\bin\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Mobile Phone Manager\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Joline\Anwendungsdaten\InstallShield\Driver\8\Intel 32\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Joline\Anwendungsdaten\InstallShield\Driver\8\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Joline\Anwendungsdaten\InstallShield\Driver\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Joline\Anwendungsdaten\InstallShield\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 1\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 1\xtras\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 2\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 2\xtras\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 3\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 3\xtras\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 4\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 4\xtras\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Löwenzahn 5\xtras\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Löwenzahn 5\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 6\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "D:\Spiele\Terzio\Loewenzahn 6\xtras\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".2". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xfb". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Active GIF Creator 2.22". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "GitarreroDemo_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{7AE38076-D8FD-4EF9-A203-98A3EF0C66C1}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MobiMB Mobile Media Browser". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.6)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Netscape Browser". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Toddler". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{6BAA26DB-2D4E-42B6-BC3F-3B58144A64B6}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7AE38076-D8FD-4EF9-A203-98A3EF0C66C1}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8F2D21F9-F428-4EF2-8111-953EF3299EFB}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B6F867E8-F092-4C5E-7D72-AC7057DBEF45}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}". Action Taken: No Action Taken.
Entry "HKCR\.b5i" refers to invalid object "vc7.image". Action Taken: No Action Taken.
Entry "HKCR\.bin" refers to invalid object "vc7.image". Action Taken: No Action Taken.
Entry "HKCR\.bwi" refers to invalid object "vc7.image". Action Taken: No Action Taken.
Entry "HKCR\.c2d" refers to invalid object "vc7.image". Action Taken: No Action Taken.
Entry "HKCR\.xmf" refers to invalid object "vc7.image". Action Taken: No Action Taken.
Entry "HKCR\Magnet\shell\open\command" refers to invalid object ""C:\Programme\Azureus\Azureus.exe" "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroAACType\shell\open\command" refers to invalid object "D:\PROGRA~1\ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroCopyType\shell\open\command" refers to invalid object "D:\PROGRA~1\ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroCueSheetType\shell\open\command" refers to invalid object "D:\PROGRA~1\ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroErrorType\shell\open\command" refers to invalid object "D:\PROGRA~1\ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NeroHDBackupType\shell\open\command" refers to invalid object "D:\PROGRA~1\ahead\Nero\nero.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\NMUIEngine.NMUIResourceLoaderHarddisk" refers to invalid object "{03DC5606-EA66-4f02-AB52-2065524B03821}". Action Taken: No Action Taken.
File C:\Programme\little_helper2\little_helper2.exe tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
File C:\Programme\little_helper2\startseite.exe tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
File C:\Programme\little_helper2\stop.exe tagged as "not-a-virus:AdWare.Win32.Helper.a". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-789336058-2052111302-839522115-1003\Dc13.zip tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-789336058-2052111302-839522115-1003\Dc14.zip tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-789336058-2052111302-839522115-1003\Dc19\setup.exe tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-789336058-2052111302-839522115-1003\Dc20\setup.exe tagged as "not-a-virus:AdWare.Win32.Helper.b". Action Taken: No Action Taken. |
Logfile of HijackThis v1.99.1 Scan saved at 15:29:57, on 25.12.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) |
The problem I have is the following: I browse with Mozilla, but every now and then the console opens very briefly, and then IE launches a page, e.g. firstload.de. Then it also always wants to download a Weihnachtsprogramm.zip. I have already set the security settings to high. What could this be?? |
Can't anyone help me??? |
If a HiJack log were included I might be able to help you; like this, I can't :/ |
Logfile of HijackThis v1.99.1
Scan saved at 15:29:57, on 25.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\HHVcdV7Sys\VC7SecS.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\HHVcdV7Sys\VC7Play.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\little_helper2\little_helper2.exe
D:\Programme\SAMSUNG\Samsung Internet Keyboard\MMKbd.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Tismar\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [VC7Player] C:\Programme\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe
O4 - Global Startup: Samsung Internet Keyboard.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {584AB006-0510-4053-9573-09C003544B46} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {584AB006-0510-4053-9573-09C003544B46} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B81865C-8A66-4D78-884B-DE5861AB4DE2}: NameServer = 85.237.87.167,217.20.114.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4347D83-F8DE-4AF9-AC8F-4D05885D7F46}: NameServer = 85.237.87.167,217.20.114.124
O18 - Protocol: Festoon - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Programme\HHVcdV7Sys\VC7SecS.exe |
Have this file scanned at virusscan.jotti.org/de:
C:\Programme\little_helper2\little_helper2.exe
O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe
This one belongs to it. |
Auslastung: 0% 100%
Datei: little_helper2.exe
Status: INFIZIERT/MALWARE
Entdeckte Packprogramme: -
AntiVir Adware-Spyware/Helper.B.1 adware gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Helper.b gefunden
NOD32 Keine Viren gefunden
Norman Virus Control W32/Helper.C gefunden
UNA Keine Viren gefunden
VBA32 AdWare.Win32.Helper.b gefunden

Where do I find this one:
O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe
This one belongs to it. |
That is enough already. Go into safe mode and fix the two entries, then post another log in normal mode. Regards |
What do you mean by fixing?? And which two entries?? |
Click the checkboxes in HiJack so that they are ticked for these entries:
C:\Programme\little_helper2\little_helper2.exe
O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe
but do it in the PC's safe mode.
Regards, Mk |
Thanks, that is gone now, and what do I do with the things that mwav and ad.aware found??? |
Copyright ©2000-2025, Trojaner-Board