Trojaner-Board

zoe.orange 21.09.2005 19:52

[help] TR/Rootkit - reinstall? HijackThis log inside

The virus scan currently reports nothing more.

Could you take a look at the log file and tell me how it looks?

Thanks a lot! zoe


Logfile of HijackThis v1.99.1
Scan saved at 16:42:24, on 21.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Programme\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Atguard\iamapp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\ICQ\Icq.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Atguard\iamserv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\Besitzer\Desktop\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchwebzone.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchwebzone.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchwebzone.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchwebzone.com/sp2.php
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Programme\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [haamriagx] C:\WINDOWS\System32\lluewl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\GlobespanVirata\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MS-DOS Security Service] isxyqqcyg.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\\etb\pokapoka67.exe
O4 - HKLM\..\Run: [System service68] C:\WINDOWS\\etb\pokapoka68.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [System service69] C:\WINDOWS\etb\pokapoka69.exe
O4 - HKLM\..\RunServices: [MS-DOS Security Service] isxyqqcyg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MS-DOS Security Service] isxyqqcyg.exe
O4 - HKCU\..\RunServices: [MS-DOS Security Service] isxyqqcyg.exe
O4 - Startup: heag (2).lnk = ?
O4 - Global Startup: ICQ.lnk = C:\Programme\ICQ\Icq.exe
O8 - Extra context menu item: Mit GetRight laden - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Mit GetRight-Browser öffnen - C:\Programme\GetRight\GRdownload.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07e4165825ded539aa20/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119833974171
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4D38134-0E39-4770-9CEE-2F316D6D1885}: NameServer = 213.157.0.193 213.157.0.194
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Programme\Atguard\iamserv.exe
O23 - Service: microsoft update (msnupdate) - Unknown owner - C:\WINDOWS\windupdate.exe

_______________________
Note:
Active links edited!
In future, please follow the instructions in this guide: HiJackThis.

Regards, Cidre
S-Mod TB

Cidre 21.09.2005 20:20

Hello,

even if AntiVir no longer finds anything, that by no means implies your system is clean.

The HJT log file you posted is telling enough, and so I can only recommend that you reinstall your system from scratch; see my signature.

zoe.orange 21.09.2005 20:28

Meaning: reinstalling from scratch is definitely necessary?

Cidre 21.09.2005 20:44

Well spotted. ;)

zoe.orange 21.09.2005 20:54

Luckily it's not my system *g*
But what exactly could you see in the log file?

Thanks a lot for the answer.

Cidre 21.09.2005 21:19

Just to name a few...
Quote:

O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
http://www.sophos.com/virusinfo/analyses/w32hwbota.html
Quote:

O23 - Service: microsoft update (msnupdate) - Unknown owner - C:\WINDOWS\windupdate.exe
O4 - HKLM\..\Run: [MS-DOS Security Service] isxyqqcyg.exe
Also points to a bot.
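
A small triage script for the kind of HijackThis entries Cidre points at: O4 autostarts that name a bare executable or sit under RunServices, O23 services with no vendor or a missing binary, and hosts-file entries that pin many hostnames to one IP. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed after the log above, and the threshold and the reason strings are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the log posted above (not the complete log).
SAMPLE = [
    r'O1 - Hosts: 131.91.161.14 www.online.wellsfargo.com',
    r'O1 - Hosts: 131.91.161.14 www.banking.postbank.de',
    r'O1 - Hosts: 131.91.161.14 wvw.paypal.com',
    r'O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min',
    r'O4 - HKLM\..\Run: [MS-DOS Security Service] isxyqqcyg.exe',
    r'O4 - HKLM\..\RunServices: [MS-DOS Security Service] isxyqqcyg.exe',
    r'O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE',
    r'O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)',
    r'O23 - Service: microsoft update (msnupdate) - Unknown owner - C:\WINDOWS\windupdate.exe',
]

O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$')
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: .*? \((?P<svc>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$')

def triage(lines, hosts_threshold=3):
    """Return (line, reason) pairs worth a closer look; heuristics for review, not verdicts."""
    findings = []
    hosts_per_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if m := O1_RE.match(line):
            hosts_per_ip[m['ip']].append(m['host'])
        elif m := O4_RE.match(line):
            parts = m['cmd'].split()
            target = parts[0].strip('"') if parts else ''
            if target and '\\' not in target:      # e.g. isxyqqcyg.exe with no directory at all
                findings.append((line, 'autostart names a bare executable with no path: ' + target))
            if m['key'] == 'RunServices':          # Win9x-era key, a favourite hiding place for bots
                findings.append((line, 'autostart under the legacy RunServices key'))
        elif m := O23_RE.match(line):
            if m['owner'] == 'Unknown owner':
                findings.append((line, 'service with no vendor information: ' + m['svc']))
            if m['path'].endswith('(file missing)'):  # binary hidden (rootkit) or already deleted
                findings.append((line, 'service binary not found on disk'))
    for ip, hosts in hosts_per_ip.items():
        if len(hosts) >= hosts_threshold:         # many (banking) hosts pinned to one address
            findings.append((f'O1 - Hosts: {ip} ...', f'{len(hosts)} hostnames redirected to one IP'))
    return findings

if __name__ == '__main__':
    for line, reason in triage(SAMPLE):
        print(f'{reason}\n    {line}')
```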

zoe.orange 21.09.2005 22:21

Yep, thanks a lot for the info.

