Trojaner-Board (https://www.trojaner-board.de/)
Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
Help please "HiJackThis + Netstat -ab"-Log (https://www.trojaner-board.de/88208-help-please-hijackthis-netstat-ab-log.html)

lol123321 15.07.2010 09:42

Help please "HiJackThis + Netstat -ab"-Log
 
Hello dear Trojaner-Board community :D

I have been getting into computer security for a while now. There are still some things in my logs I am not so sure about.


First, here is a "netstat -ab" log:

Code:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            ************:0         LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            ************:0         LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:990            ************:0         LISTENING
  WcesComm
 [svchost.exe]
  TCP    0.0.0.0:49152          ************:0         LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          ************:0         LISTENING
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          ************:0         LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          ************:0         LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49166          ************:0         LISTENING
  PolicyAgent
 [svchost.exe]
  TCP    0.0.0.0:49167          ************:0         LISTENING
 [services.exe]
  TCP    1.2.96.108:49481       fx-in-f104:http        TIME_WAIT
  TCP    1.2.96.108:49482       fx-in-f104:http        TIME_WAIT
  TCP    1.2.96.108:49483       fx-in-f104:http        TIME_WAIT
  TCP    1.2.96.108:49484       fx-in-f104:http        TIME_WAIT
  TCP    1.2.96.108:49486       fx-in-f139:http        TIME_WAIT
  TCP    1.2.96.108:49498       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49499       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49500       www:http               FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49508       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49528       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49529       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49530       mu-in-f138:http        FIN_WAIT_1
 [System]
  TCP    1.2.96.108:49556       fx-in-f165:http        TIME_WAIT
  TCP    1.2.96.108:49559       fx-in-f154:http        TIME_WAIT
  TCP    1.2.96.108:49560       fx-in-f154:http        TIME_WAIT
  TCP    1.2.96.108:49561       fx-in-f154:http        TIME_WAIT
  TCP    1.2.96.108:49582       fx-in-f138:http        FIN_WAIT_1
 [System]
  TCP    127.0.0.1:5354         ************:0         LISTENING
 [mDNSResponder.exe]
  TCP    127.0.0.1:5679         ************:0         LISTENING
  WcesComm
 [svchost.exe]
  TCP    127.0.0.1:7438         ************:0         LISTENING
  WcesComm
 [svchost.exe]
  TCP    127.0.0.1:27015        ************:0         LISTENING
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49477        ************:49476     TIME_WAIT
  TCP    169.254.10.244:139     ************:0         LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    ***.***.***.***:139    ************:0         LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:135               ************:0         LISTENING //[::] ???
  RpcSs
 [svchost.exe]
  TCP    [::]:445               ************:0         LISTENING

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:990               ************:0         LISTENING
  WcesComm
 [svchost.exe]
  TCP    [::]:49152             ************:0         LISTENING
 [wininit.exe]
  TCP    [::]:49153             ************:0         LISTENING
  Eventlog
 [svchost.exe]
  TCP    [::]:49154             ************:0         LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49155             ************:0         LISTENING
 [lsass.exe]
  TCP    [::]:49166             ************:0         LISTENING
  PolicyAgent
 [svchost.exe]
  TCP    [::]:49167             ************:0         LISTENING
 [services.exe]
  TCP    [::1]:5679             ************:0         LISTENING
  WcesComm
 [svchost.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:427            *:*
  HPSLPSVC
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50617          *:*
 [spoolsv.exe]
  UDP    0.0.0.0:59035          *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:60477          *:*
 [mDNSResponder.exe]
  UDP    127.0.0.1:1900         *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:54216        *:*
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:65287        *:*
 [ehRecvr.exe]
  UDP    169.254.10.244:137     *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    169.254.10.244:138     *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    169.254.10.244:427     *:*
  HPSLPSVC
 [svchost.exe]
  UDP    169.254.10.244:1900    *:*
  SSDPSRV
 [svchost.exe]
  UDP    169.254.10.244:5353    *:*
 [mDNSResponder.exe]
  UDP    169.254.10.244:54215   *:*
  SSDPSRV
 [svchost.exe]
  UDP    ***.***.***.***:137    *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    ***.***.***.***:138    *:*

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    ***.***.***.***:427    *:*
  HPSLPSVC
 [svchost.exe]
  UDP    ***.***.***.***:1900   *:*
  SSDPSRV
 [svchost.exe]
  UDP    ***.***.***.***:5353   *:*
 [mDNSResponder.exe]
  UDP    ***.***.***.***:54214  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:60478             *:*
 [mDNSResponder.exe]
  UDP    [::]:63818             *:*
  Dnscache
 [svchost.exe]
  UDP    [::1]:1900             *:*
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:54212            *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:1900  *:*  //What does this mean? IPv6? How do you do an IP lookup on that? Is this normal?
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:54213  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::8ce8:151d:9958:31c4%8]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::8ce8:151d:9958:31c4%8]:54210  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:1900  *:*
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:5353  *:*
 [mDNSResponder.exe]
  UDP    [fe80::b181:1718:cbaa:af4%19]:54211  *:*
  SSDPSRV
 [svchost.exe]

C:\Windows\system32>


IP lookup:

- 1.2.96.108

Code:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:      Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU
 
ReferralServer: whois://whois.apnic.net
 
NetRange:  1.0.0.0 - 1.255.255.255
CIDR:      1.0.0.0/8
NetName:    APNIC-1
NetHandle:  NET-1-0-0-0-1
Parent:   
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS2.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or hxxp://wq.apnic.net/apnic-bin/whois.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to hxxp://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate:   
Updated:    2010-01-27
 
OrgTechHandle: AWC12-ARIN
OrgTechName:  APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin@apnic.net
 
# ARIN WHOIS database, last updated 2010-07-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.
 
 
 
Deferred to specific whois server: whois.ripe.net...
 
 
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See hxxp://www.ripe.net/db/support/db-terms-conditions.pdf
 
% Note: This output has been filtered.
%      To receive output for a database update, use the "-B" flag.
 
% Information related to '0.0.0.0 - 255.255.255.255'
 
inetnum:      0.0.0.0 - 255.255.255.255
netname:      IANA-BLK
descr:        The whole IPv4 address space
country:      EU # Country is really world wide
org:          ORG-IANA1-RIPE
admin-c:      IANA1-RIPE
tech-c:      IANA1-RIPE
status:      ALLOCATED UNSPECIFIED
remarks:      The country is really worldwide.
remarks:      This address space is assigned at various other places in
remarks:      the world and might therefore not be in the RIPE database.
mnt-by:      RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
mnt-routes:  RIPE-NCC-RPSL-MNT
source:      RIPE # Filtered
 
organisation: ORG-IANA1-RIPE
org-name:    Internet Assigned Numbers Authority
org-type:    IANA
address:      see hxxp://www.iana.org
remarks:      The IANA allocates IP addresses and AS number blocks to RIRs
remarks:      see hxxp://www.iana.org/ipaddress/ip-addresses.htm
remarks:      and hxxp://www.iana.org/assignments/as-numbers
e-mail:      bitbucket@ripe.net
admin-c:      IANA1-RIPE
tech-c:      IANA1-RIPE
mnt-ref:      RIPE-NCC-HM-MNT
mnt-by:      RIPE-NCC-HM-MNT
source:      RIPE # Filtered
 
role:        Internet Assigned Numbers Authority
address:      see hxxp://www.iana.org.
e-mail:      bitbucket@ripe.net
admin-c:      IANA1-RIPE
tech-c:      IANA1-RIPE
nic-hdl:      IANA1-RIPE
remarks:      For more information on IANA services
remarks:      go to IANA web site at hxxp://www.iana.org.
mnt-by:      RIPE-NCC-MNT
source:      RIPE # Filtered

IP lookup:

- 169.254.10.244

Code:

OrgName:    Internet Assigned Numbers Authority
OrgID:      IANA
Address:    4676 Admiralty Way, Suite 330
City:      Marina del Rey
StateProv:  CA
PostalCode: 90292-6695
Country:    US
 
NetRange:  169.254.0.0 - 169.254.255.255
CIDR:      169.254.0.0/16
NetName:    LINKLOCAL-RFC3927-IANA-RESERVED
NetHandle:  NET-169-254-0-0-1
Parent:    NET-169-0-0-0-0
NetType:    IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment:    This is the "link local" block. It was set
Comment:    aside for this special use in the Standards
Comment:    Track document, RFC 3927 and was further
Comment:    documented in the Best Current Practice
Comment:    RFC 5735, which can  be found at:
Comment:    hxxp://www.rfc-editor.org/rfc/rfc3927.txt
Comment:    hxxp://www.rfc-editor.org/rfc/rfc5735.txt
Comment:    It is allocated for communication between hosts
Comment:    on a single link. Hosts obtain these addresses
Comment:    by auto-configuration, such as when a DHCP
Comment:    server cannot be found.
Comment:    A router MUST NOT forward a packet with an IPv4
Comment:    Link-Local source or destination address,
Comment:    irrespective  of the router's default route configuration
Comment:    or routes obtained from dynamic routing protocols.
Comment:    A  router which receives a packet with an IPv4
Comment:    Link-Local source or destination address MUST NOT
Comment:    forward the packet. This prevents forwarding of
Comment:    packets back onto the network segment from which
Comment:    they originated, or to any other segment.
RegDate:    1998-01-27
Updated:    2010-03-15
 
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:  Internet Corporation for Assigned Names and Number
OrgAbusePhone:  +1-310-301-5820
OrgAbuseEmail:  abuse@iana.org
 
OrgTechHandle: IANA-IP-ARIN
OrgTechName:  Internet Corporation for Assigned Names and Number
OrgTechPhone:  +1-310-301-5820
OrgTechEmail:  abuse@iana.org
 
# ARIN WHOIS database, last updated 2010-07-14 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.


HijackThis log:

Code:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at **:**:**, on **.**.**
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\taskeng.exe
C:\Users\************\Programme\CoreTemp32\Core Temp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\Windows\system32\Notepad.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=*****
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {********-****-****-****-************} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: HP Smart BHO Class - {********-****-****-****-************} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Home Server Banner - {********-****-****-****-************} - C:\Program Files\Windows Home Server\WHSDeskBands.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O8 - Extra context menu item: An OneNote s&enden - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Users\************\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O9 - Extra button: (no name) - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {********-****-****-****-************} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O18 - Filter hijack: text/xml - {********-****-****-****-************} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {********-****-****-****-************} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe


cosinus 15.07.2010 14:38

The first address, 1.2.96.108, lies within the not-yet-reserved block 1.0.0.0/8 (i.e. 1.0.0.0 - 1.255.255.255).

The 169.x address is a Zeroconf address. You can find out for yourself what that is :rolleyes:

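As an added example (this is not code from either post or from the forum's helpers), here is a Python script that parses the multi-line layout of `netstat -ab` shown above and answers the two questions left open in the thread: what `[::]` and `[fe80::...%9]` mean, and which addresses are even worth a whois lookup. It classifies every local address by scope with the standard `ipaddress` module: `0.0.0.0` and `[::]` are the unspecified address, i.e. the socket is bound on every IPv4 or IPv6 address the machine has; `127.0.0.1` and `[::1]` are loopback; `169.254.0.0/16` (RFC 3927) and `fe80::/10` are link-local and never leave the local segment, with the `%9` suffix being the Windows interface index (zone ID) the address belongs to. The sample input is constructed from the posted log, re-localised to the English netstat strings, with `0.0.0.0:0` in place of the masked foreign addresses; the function and field names are my own.

```python
"""Parse Windows ``netstat -ab`` output and classify sockets by address scope."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the netstat -ab layout: a socket line, then optionally a
# service-group name (for svchost.exe) and a [process] line, or an ownership
# error when netstat cannot attribute the socket to a user-mode process.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING

 Can not obtain ownership information

  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
 [wininit.exe]
  TCP    1.2.96.108:49481       fx-in-f104:http        TIME_WAIT
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
 [AppleMobileDeviceService.exe]
  TCP    169.254.10.244:139     0.0.0.0:0              LISTENING

 Can not obtain ownership information

  TCP    [::]:135               [::]:0                 LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%9]:1900  *:*
  SSDPSRV
 [svchost.exe]
"""

# English netstat string plus the German one from the posted log.
OWNER_UNKNOWN = (
    "Can not obtain ownership information",
    "Es konnten keine Besitzerinformationen ermittelt werden",
)
SERVICE_RE = re.compile(r"[A-Za-z0-9_.-]+")  # a bare service-group name such as RpcSs


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str                      # "" for UDP, which has no state
    service: Optional[str] = None   # svchost service group, if netstat printed one
    process: Optional[str] = None   # image name from the [..] line
    owner_unknown: bool = False     # netstat could not attribute the socket


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -ab text into Socket records, attaching owner lines to the socket above."""
    sockets: List[Socket] = []
    current: Optional[Socket] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            current = Socket(parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else "")
            sockets.append(current)
        elif current is None:
            continue                                  # banner / column header
        elif line.startswith("[") and line.endswith("]"):
            current.process = line[1:-1]
        elif any(line.startswith(m) for m in OWNER_UNKNOWN):
            current.owner_unknown = True
        elif SERVICE_RE.fullmatch(line):
            current.service = line
        # anything else (e.g. Winsock error lines) is noise and ignored
    return sockets


def split_endpoint(endpoint: str) -> Tuple[str, Optional[str], str]:
    """Split 'host:port' or '[v6addr%zone]:port' into (host, zone, port)."""
    host, _, port = endpoint.rpartition(":")
    zone = None
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
        if "%" in host:                   # %N is the Windows interface index
            host, zone = host.split("%", 1)
    return host, zone, port


def scope(host: str) -> str:
    """Classify an address; hostnames netstat resolved (and '*') come back as 'name'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_unspecified:
        return "all-interfaces"          # 0.0.0.0 / [::]: bound on every local address
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"              # 169.254/16 and fe80::/10: never routed
    if ip.is_private:
        return "private"
    return "global"


def worth_whois(host: str) -> bool:
    """Only globally routable addresses have a registry owner worth querying."""
    return scope(host) == "global"


def listening_exposure(sockets: List[Socket]) -> Dict[str, List[str]]:
    """Group listening sockets (TCP LISTENING and every UDP socket) by address scope."""
    report: Dict[str, List[str]] = {}
    for s in sockets:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        host, _, _ = split_endpoint(s.local)
        owner = s.process or ("<unknown>" if s.owner_unknown else "<none>")
        if s.service:
            owner = f"{owner}:{s.service}"
        report.setdefault(scope(host), []).append(f"{s.proto} {s.local} -> {owner}")
    return report


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for sc, entries in sorted(listening_exposure(socks).items()):
        print(sc)
        for entry in entries:
            print("   ", entry)
    for s in socks:
        host, zone, _ = split_endpoint(s.local)
        if zone:
            print(f"{s.local}: %{zone} is the interface index; scope is {scope(host)}")
```

The "all-interfaces" group is the one to review first: a service listening on `0.0.0.0` or `[::]` is reachable from every network the machine is attached to, whereas the loopback and link-local groups are by construction unreachable from outside the host or its local segment. `worth_whois()` encodes what the poster's own second lookup demonstrates: querying 169.254.10.244 returns only IANA's LINKLOCAL-RFC3927-IANA-RESERVED block, and a registry lookup on a `fe80::` address is equally pointless. Sockets marked `<unknown>` are those where `netstat -b` could not name a user-mode owner, which is normal for kernel-owned listeners such as the SMB and NetBIOS ports 445 and 139 shown above.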

All times are WET +1. It is now 19:45.

Copyright ©2000-2024, Trojaner-Board

