Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   bitte um Auswertung meines LOG.Files (https://www.trojaner-board.de/9058-bitte-um-auswertung-meines-log-files.html)

mali 01.11.2004 15:24
bitte um Auswertung meines LOG.Files
 
Hallo zusammen,

habe Probleme mit about.blank und viel mehr ........

Danke für die Hilfe

Gruß Mali


Logfile of HijackThis v1.98.2
Scan saved at 15:16:40, on 01.11.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
C:\Programme\Lexmark X74-X75\lxbbbmgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Lexmark X74-X75\lxbbbmon.exe
C:\Programme\a2\a2guard.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINNT\system32\taskmgr.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=30090
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
F3 - REG:win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {3DD14D71-DCF0-4A35-A6E5-B73129511D33} - C:\WINNT\system32\gma.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\System32\jfi.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\Downloaded Program Files\win00sys.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programme\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Programme\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [a²] "C:\Programme\a2\a2guard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Search - C:\WINNT\ex.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...e1e2729109a237
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/248cf1f50e88e1e...zip/RdxIE2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://xpehbam.biz/a/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - http://www.xpehbam.biz/s/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - http://www.xpehbam.biz/exploit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8023BF96-4597-4C9F-A5CA-8B3C5DC65149}: NameServer = 192.168.100.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{84AFB25F-E9C8-479A-8627-DA615AC897AD}: NameServer = 192.168.120.252,192.168.120.253
O18 - Filter: text/html - {C28A57BD-99F1-4DC5-A137-575500390158} - C:\WINNT\system32\gma.dll
O18 - Filter: text/plain - {C28A57BD-99F1-4DC5-A137-575500390158} - C:\WINNT\system32\gma.dll
O19 - User stylesheet: C:\WINNT\color.css
O19 - User stylesheet: C:\WINNT\my.css (HKLM)

Shadowdance 01.11.2004 16:12
Hallo mali,

überprüfe mit dem online-scan von Kaspersky:

C:\WINNT\ex.htm
C:\WINNT\color.css
C:\WINNT\my.css (HKLM)

Teile uns das Ergebnis der Überprüfung mit. Sende die Datei(en), wenn sie infiziert ist(sind), an partytime-germany.ice@web.de, mit Verweis auf diesen Thread.

Boote in den VGA-Modus und fixe dann mit Hijack This (Häkchen setzen und fix checked klicken):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = ht*p://super-spider.com/sp.htm?id=30090
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailur
e
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ht*p://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ht*p://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = ht*p://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ht*p://1-se.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = ht*p://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\System32\jfi.dll (file missing)
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\Downloaded Program Files\win00sys.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O13 - DefaultPrefix: ht*p://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: ht*p://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: ht*p://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - ht*p://63.219.181.7/cax.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - ht*p://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!ht*p://line-plus.com/newhelp.chm::/newhelp.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - ht*p://public.windupdates.com/get_f...1e 2729109a237
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - ht*p://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - ht*p://www.mt-download.com/MediaTicketsInstaller.cab

wenn Du diese Einträge nicht kennst/brauchst, bitte fixen:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\homepage.htm
F3 - REG:win.ini: run=C:\WINNT\system32\services\y.exe
O2 - BHO: (no name) - {3DD14D71-DCF0-4A35-A6E5-B73129511D33} - C:\WINNT\system32\gma.dll
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!ht*p://line-plus.com/newhelp.chm::/newhelp.ex e
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - ht*p://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - ht*p://207.188.7.150/248cf1f50e88e1...tzip/RdxIE2.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - ht*p://xpehbam.biz/a/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-090006046834} - ht*p://www.xpehbam.biz/s/load.exe
O16 - DPF: {AD688740-5246-40C3-AF27-098693046834} - ht*p://www.xpehbam.biz/exploit.exe

Beende:
y.exe

Lösche:
C:\WINNT\system32\services\y.exe

Boote in den normalen Modus.

Lade den eScan runter, erstelle dafür einen Ordner (=Verzeichnis) c:\bases, update den eScan online und führe ihn offline im abgesicherten Modus aus.

Beachte bitte, dass der eScan ab Version 4.5.1 die gefundene Malware nicht löscht.

"Öffne die mwav.log -> Bearbeiten -> Suchen -> infected eingeben -> Weitersuchen -> Treffer markieren/kopieren und ins Forum übertragen." (Zitat Cidre) Teile uns das Ergebnis des eScan mit: welche Viren wurden auf Deinem Rechner gefunden. Erstelle ein neues Hijack This Logfile und poste es.

SD


Alle Zeitangaben in WEZ +1. Es ist jetzt 16:06 Uhr.

Copyright ©2000-2026, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55