Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Home Search Assistan, Shopping Wizard, Search Extender (https://www.trojaner-board.de/8539-home-search-assistan-shopping-wizard-search-extender.html)

hamburgtaxi 17.10.2004 22:16
Home Search Assistan, Shopping Wizard, Search Extender
 
Habe diese bescheuerten Trojaner drauf!


Logfile of HijackThis v1.98.2
Scan saved at 22:47:17, on 17.10.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\D3RC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\WIRELESS LAN UTILITY\SIWAKE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\WIRELESS LAN UTILITY\SISCFG.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\NTCY32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTCY32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\NTZI32.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\SYSTEM\NTFF.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\ATLLN32.EXE
C:\WINDOWS\APINB.EXE
C:\PROGRAMME\OPERA75\OPERA.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\nzeqx.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2B2B2C0A-8F1B-89F0-6D9F-8F53718E5709} - C:\WINDOWS\JAVAAO32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [D3RC.EXE] C:\WINDOWS\D3RC.EXE
O4 - HKLM\..\RunServices: [NTZI32.EXE] C:\WINDOWS\NTZI32.EXE
O4 - HKLM\..\RunServices: [NTFF.EXE] C:\WINDOWS\SYSTEM\NTFF.EXE
O4 - HKLM\..\RunServices: [NTCY32.EXE] C:\WINDOWS\NTCY32.EXE
O4 - HKLM\..\RunServices: [ATLLN32.EXE] C:\WINDOWS\ATLLN32.EXE
O4 - HKLM\..\RunServices: [APINB.EXE] C:\WINDOWS\APINB.EXE
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\WINDOWS\TEMP\djtopr1150.exe"
O4 - HKCU\..\Run: [Iras] C:\WINDOWS\Anwendungsdaten\rocu.exe
O4 - HKCU\..\Run: [Huat] C:\WINDOWS\Anwendungsdaten\wrai.exe
O4 - Startup: SiWake.lnk = C:\Programme\Wireless LAN Utility\SiWake.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com//x//f//12802/msits.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...a29296baabe1d6
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL




Was muss ich denn jetzt tun?? :heulen:
Bitte helft mir!

Shadowdance 18.10.2004 00:07
@ hamburgtaxi

lade den eScan (Anleitung beachten!) runter, erstelle dafür einen neuen Ordner (=Verzeichnis) c:\bases, update den eScan online und führe ihn offline im abgesicherten Modus aus.

Beachte bitte, dass der eScan ab Version 4.5.1 die gefundene Malware nicht automatisch löscht.

"Öffne die mwav.log -> Bearbeiten -> Suchen -> infected eingeben -> Weitersuchen -> Treffer markieren/kopieren und ins Forum übertragen" Teile uns das Ergebnis des eScan mit: welche Viren wurden auf Deinem Rechner gefunden.

SD

hamburgtaxi 18.10.2004 10:05
escan hat folgendes ergeben:
habe das log auf "infected" durchsucht:

Mon Oct 18 10:36:07 2004 => File C:\WINDOWS\JAVAAO32.DLL infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:07 2004 => *** Reg Key Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2B2B2C0A-8F1B-89F0-6D9F-8F53718E5709} deleted because ImagePath file infected by a Virus
Mon Oct 18 10:36:08 2004 => File C:\WINDOWS\D3RC.EXE infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:08 2004 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices has RunningProcess defined as C:\WINDOWS\D3RC.EXE (which is infected)!
Mon Oct 18 10:36:08 2004 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\D3RC.EXE deleted because it is infected by a Virus
Mon Oct 18 10:36:09 2004 => File C:\WINDOWS\SYSTEM\NTFF.EXE infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:09 2004 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices has RunningProcess defined as C:\WINDOWS\SYSTEM\NTFF.EXE (which is infected)!
Mon Oct 18 10:36:09 2004 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\NTFF.EXE deleted because it is infected by a Virus
Mon Oct 18 10:36:09 2004 => File C:\WINDOWS\ATLLN32.EXE infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:09 2004 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices has RunningProcess defined as C:\WINDOWS\ATLLN32.EXE (which is infected)!
Mon Oct 18 10:36:09 2004 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ATLLN32.EXE deleted because it is infected by a Virus
Mon Oct 18 10:36:28 2004 => File C:\WINDOWS\LOCALNRD.DLL infected by "not-a-virus:AdvWare.BiSpy.n" Virus. Action Taken: File Renamed.
Mon Oct 18 10:36:28 2004 => File C:\WINDOWS\PREINSLN.EXE infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
Mon Oct 18 10:36:34 2004 => File C:\WINDOWS\appur.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:39 2004 => File C:\WINDOWS\crnk32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:40 2004 => File C:\WINDOWS\appok.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:40 2004 => File C:\WINDOWS\addaq.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:41 2004 => File C:\WINDOWS\taskmon.exe.$$$ infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:42 2004 => File C:\WINDOWS\nem219.dll infected by "TrojanDownloader.Win32.Dyfuca.gen" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:43 2004 => File C:\WINDOWS\CONSCORR.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:43 2004 => File C:\WINDOWS\MULTIMPP.DLL infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
Mon Oct 18 10:36:44 2004 => File C:\WINDOWS\winnb32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:45 2004 => File C:\WINDOWS\iprq32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:45 2004 => File C:\WINDOWS\ipfy.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:45 2004 => File C:\WINDOWS\winlk32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:46 2004 => File C:\WINDOWS\ntmx.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:46 2004 => File C:\WINDOWS\netgx.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:47 2004 => File C:\WINDOWS\ntgr32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:47 2004 => File C:\WINDOWS\fjrciq.dat infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:48 2004 => File C:\WINDOWS\pwt.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:48 2004 => File C:\WINDOWS\atljc32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:49 2004 => File C:\WINDOWS\lsezcx.dat infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:49 2004 => File C:\WINDOWS\sfuqh.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:50 2004 => File C:\WINDOWS\scanregw.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:50 2004 => File C:\WINDOWS\npgqvb.dat infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:50 2004 => File C:\WINDOWS\appzh32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:51 2004 => File C:\WINDOWS\apild.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:54 2004 => File C:\WINDOWS\msxmidi.exe infected by "TrojanDownloader.Win32.Small.ug" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:54 2004 => File C:\WINDOWS\msopt.dll infected by "TrojanDownloader.Win32.Small.kq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:54 2004 => File C:\WINDOWS\ntzi32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:57 2004 => File C:\WINDOWS\2_0_1browserhelper2.dll infected by "TrojanClicker.Win32.Delf.r" Virus. Action Taken: File Deleted.
Mon Oct 18 10:36:59 2004 => File C:\WINDOWS\ntcy32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.

die im Betreff genannten Programme sind nun immer noch da, oder?? Wie krieg ich sie los?

MountainKing 18.10.2004 10:12
Hast du E-Scan wie beschrieben im abgesicherten Modus ausgeführt?

hamburgtaxi 18.10.2004 10:52
in "Eigenschaften von Software" werden die Programme noch angezeigt, ich kann sie dort nicht deinstallieren, aber ich glaube, sie werden nicht mehr ausgeführt. wie kann ich das feststellen?
(Vielen Dank schon mal bis hierher!)

Shadowdance 18.10.2004 19:11
@ hamburgtaxi

Zitat:
Zitat von hamburgtaxi
in "Eigenschaften von Software" werden die Programme noch angezeigt, ich kann sie dort nicht deinstallieren, aber ich glaube, sie werden nicht mehr ausgeführt. wie kann ich das feststellen?
Windows Explorer -> "Extras/Ordneroptionen" -> "Ansicht" -> "Alle Dateien und Ordner anzeigen" aktivieren

Du kannst Folgendes machen: "Öffne die mwav.log -> Bearbeiten -> Suchen -> infected eingeben -> Weitersuchen -> Treffer markieren/kopieren in die Windows Suche übertragen -> löschen!"

Poste bitte ein neues Hijack This Logfile.

SD


Alle Zeitangaben in WEZ +1. Es ist jetzt 08:23 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58