Trojaner-Board


Luki 20.04.2005 11:13

netstat -a -> strange output.

Hi,

when I run the command netstat -a in cmd, I get somewhat odd results. I have my suspicions that a trojan is at work on my machine, but I have already run all sorts of virus scanners over it. All without success ..

With netstat -a the output looks like this:

Aktive Verbindungen

Proto Lokale Adresse Remoteadresse Status
TCP Hostname:epmap Hostname:0 ABHÖREN
TCP Hostname:microsoft-ds Hostname:0 ABHÖREN
TCP Hostname:1025 Hostname:0 ABHÖREN
TCP Hostname:1026 Hostname:0 ABHÖREN
TCP Hostname:1029 Hostname:0 ABHÖREN
TCP Hostname:1031 Hostname:0 ABHÖREN
TCP Hostname:1032 Hostname:0 ABHÖREN
TCP Hostname:1033 Hostname:0 ABHÖREN
TCP Hostname:1034 Hostname:0 ABHÖREN
TCP Hostname:2340 Hostname:0 ABHÖREN
TCP Hostname:2357 Hostname:0 ABHÖREN
TCP Hostname:2358 Hostname:0 ABHÖREN
TCP Hostname:2359 Hostname:0 ABHÖREN
TCP Hostname:2360 Hostname:0 ABHÖREN
TCP Hostname:2372 Hostname:0 ABHÖREN
TCP Hostname:2373 Hostname:0 ABHÖREN
TCP Hostname:2379 Hostname:0 ABHÖREN
TCP Hostname:2380 Hostname:0 ABHÖREN
TCP Hostname:18350 Hostname:0 ABHÖREN
TCP Hostname:31004 Hostname:0 ABHÖREN
TCP Hostname:1026 Hostname:2332 WARTEND
TCP Hostname:1026 Hostname:2335 WARTEND
TCP Hostname:1026 Hostname:2342 WARTEND
TCP Hostname:1026 Hostname:2349 WARTEND
TCP Hostname:1026 Hostname:2354 WARTEND
TCP Hostname:1026 Hostname:2356 WARTEND
TCP Hostname:1026 Hostname:2362 WARTEND
TCP Hostname:1026 Hostname:2364 WARTEND
TCP Hostname:1026 Hostname:2367 WARTEND
TCP Hostname:1026 Hostname:2370 WARTEND
TCP Hostname:1026 Hostname:2375 WARTEND
TCP Hostname:1026 Hostname:2382 WARTEND
TCP Hostname:1034 Hostname:18350 HERGESTELLT
TCP Hostname:2330 Hostname:microsoft-ds WARTEND
TCP Hostname:18350 Hostname:1034 HERGESTELLT
TCP Hostname:netbios-ssn Hostname:0 ABHÖREN
TCP Hostname:1051 64.12.26.140:5190 HERGESTELLT
UDP Hostname:microsoft-ds *:*
UDP Hostname:1554 *:*
UDP Hostname:27007 *:*
UDP Hostname:2127 *:*
UDP Hostname:netbios-ns *:*
UDP Hostname:netbios-dgm *:*
UDP Hostname:isakmp *:*
UDP Hostname:4500 *:*
UDP Hostname:17985 *:*
UDP Hostname:27030 *:*

---------------------------


The odd thing is that the longer the machine is on, the longer the list of ports under the local address gets. After 4 hours of online time I eventually reach port 5000.

About my system:
Win2k SP4 with the latest security patches
Antivir
Zonealarm

I hope someone can explain to me what is going on here.

Regards


Luki

Rene-gad 20.04.2005 11:25

@Luki
Please shorten your post to a reasonable length ;) and post an HJT log instead (www.hijackthis.de).

Luki 20.04.2005 16:12

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Programme\Razer\razertra.exe
C:\WINNT\SOUNDMAN.EXE
C:\Programme\Razer\razerhid.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\Programme\ICQ\icq.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINNT\system32\cmd.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis_199\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [razertra] C:\Programme\Razer\razertra.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.EXE
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\kt04l7dq1.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe


Sorry about the first post .. I just wanted to make the list clear.

Rene-gad 20.04.2005 17:19

@Luki
Apart from the fact that you cut off the header of the log file, it looks clean.
Please also do the following:
1. Turn off System Restore.
2. Empty the Temporary Internet Files folder:
Start/Settings/Control Panel/Internet Options/Delete Files/Delete all offline content...
3. Empty the Recycle Bin.
4. Empty the infected-files folder of the antivirus program and, where applicable, of Spybot Search & Destroy, Ad-Aware, etc. The name of the folder and its path depend on the program and the user. Please RTFM for the AV program.
With some programs (e.g. AVPE) this option is not built into the program. In that case it has to be done manually.
5. Run eScan in safe mode exactly according to the instructions (please print them out and read them carefully). Post the log here.

Luki 25.04.2005 10:39

Hi, the log file is quite something :/

File System Found infected by "text/html Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINNT\iconu.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\aFaamon.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\chnfmsp.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\crcfg32.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\crutil.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\csb.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\CSWMDM.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\darawex.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\ddnmpntw.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\demssocn.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dGdrm.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dgeml.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\didskmgr.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\disshlex.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dkskadp.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dnconfig.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dnj6011se.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dnno0153e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dnsenh.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dnvoice.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dWd9.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\dwdlgs.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\euent.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\fHxroute.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\fMxcom.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\fTxshell.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\fYxocm.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\gplsl3371.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\HCW848UN.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINNT\system32\hiwi2c32.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\hrrm0591e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\HUZipt12.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\iamui.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\iexrip.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\il50_qc.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\inwphbk.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\iomon.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\izakeng.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\jFvaprxy.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\kodgae.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\LZADPERF.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mbvfw32.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mccpxl32.dLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mmdxmlc.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\MOMTAPI.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mpwdat10.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mrjdbc10.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mrxbde40.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mtobjs.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mvratelc.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mvxml3.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mwacm.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\mxexcl40.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\myjtes40.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\ngtplwiz.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nIrrhook.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nlwrssl.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nmwrshe.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\NODEAPI.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nrrsfi.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nsdsxds.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\ntrshu.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\nttshell.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\NYLANMAN.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\oheacc.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\oibcconf.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\oyslb400.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\q4680ejueho80.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\qKsf.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\recrt4.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\ruaenh.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\sdell32.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\skrvdeps.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\sondcmsg.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\sqripto.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\SRMPAPI.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\stode.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\syi.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\SYMSRV.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\UTER32.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wefeman.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wewfax.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\whadmoe.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\WODAP32.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wR2topl.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wsadmoe.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wthtcpip.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wvhext.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINNT\system32\wZ2topl.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

Rene-gad 25.04.2005 11:18

@Luki
Quote:

C:\WINNT\iconu.exe
Delete the file in safe mode.
Please download Spybot S&D, scan, and fix the problems. If that does not help, proceed according to the instructions for removing Look2Me.
After that, please delete the eScan log and repeat eScan.

