|
unerwünschte Werbung Hi Leute, ich habe seit einigen Tagen das Problem, dass sich in unregelmäßigen Abständen die Dos-Eingabe(CMD.exe) kurz öffnet und anschließend öffnen sich einige Werbeseiten mit dem IE. Hier mal ein Log, vielleicht kann mir Jemand weiterhelfen. -------------------------------------------------------------------- Logfile of HijackThis v1.99.0 Scan saved at 16:26:23, on 21.11.2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\WINNT\System32\cisvc.exe C:\Programme\FSI\F-Prot\fpavupdm.exe C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\oodag.exe C:\WINNT\system32\regsvc.exe C:\WINNT\System32\locator.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Programme\RealVNC\WinVNC\WinVNC.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Programme\CyberLink\PowerDVD\PDVDServ.exe C:\Programme\FSI\F-Prot\F-Sched.exe C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe C:\Programme\Java\jre1.5.0_04\bin\jusched.exe C:\WINNT\system32\RUNDLL32.EXE C:\WINNT\system32\LXSUPMON.EXE C:\Programme\QuickTime\qttask.exe C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe C:\Programme\little_helper2\little_helper2.exe C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\OdHost.exe C:\WINNT\System32\cidaemon.exe C:\Programme\Internet Explorer\IEXPLORE.EXE C:\Programme\Microsoft Office\Office\WINWORD.EXE C:\Programme\Internet Explorer\IEXPLORE.EXE D:\***\Programme\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsv03-urbach.de/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: IEEE 802.11g Wireless USB Adapter Utility.lnk = C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe O4 - Global Startup: little_helper2.lnk = C:\Programme\little_helper2\little_helper2.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5835F0-6585-4149-A330-04146FB49B4E}: NameServer = 85.237.87.161,217.20.114.127 O17 - HKLM\System\CCS\Services\Tcpip\..\{AFA3BB98-E535-4480-B98D-E29B21924D87}: NameServer = 85.237.87.161,217.20.114.127 O17 - HKLM\System\CCS\Services\Tcpip\..\{B6CBC873-387C-4072-8E01-A0A996D52A6E}: NameServer = 85.237.87.161,217.20.114.127 O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Programme\FSI\F-Prot\fpavupdm.exe O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe O23 - Service: VNC Server - RealVNC Ltd. - C:\Programme\RealVNC\WinVNC\WinVNC.exe ---------------------------------------------------------- |
Hallo, zuerst habe ich mal ein paar Fragen. :) Hast du VNC absichtlich installiert? Kennst du das Programm "little_helper2"? Überprüfe die Datei C:\Programme\little_helper2\little_helper2.exe im Zweifelsfall online auf http://virusscan.jotti.org/de und poste das Ergebnis. Zitat:
Scanne dein System mit Spybot Search&Destroy und Ad-Aware. Poste dann bitte ein Silent Runners-Logfile. |
Hallo Haui45, also: VNC ist mit absicht installiert. Das Programm "little_helper" kenne ich nicht und es kam mir auch schon suspekt vor. Mit dem Online scan fand ich folgendes raus: ------------------------------------------------------ Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Helper.b gefunden ------------------------------------------------------ Spybot fand: Avenue A, Inc. UND Doubleclick ------------------------------------------------------ Und hier das Silent-Runners Logfile: "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Synchronization Manager" = "mobsync.exe /logon" [MS] "NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "RemoteControl" = "C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."] "FRISK FP-Scheduler" = "C:\Programme\FSI\F-Prot\F-Sched.exe STARTUP" ["FRISK Software International"] "DataLayer" = "C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."] "PCSuiteTrayApplication" = "C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"] "Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"] "WorksFUD" = "C:\Programme\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"] "Microsoft Works Portfolio" = "C:\Programme\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"] "Nokia Connection Monitor" = ""C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclConf.exe"" ["Nokia Corporation"] "SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."] "NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS] "LXSUPMON" = "C:\WINNT\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "little_helper.exe" = (empty string) "little_helper2.exe" = (empty string) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 DragDrop Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Context Menu Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] "{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.02 Property Sheet Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] "{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}" = "FRISK extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string] "{E443A8D5-D905-4401-8789-16AE23A8A96D}" = "FRISK extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string] "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS] "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"] "{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"] "{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"] HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ FRISK\(Default) = "{1474F601-9B4B-4EB0-81FA-20F753C0E1A4}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\FSI\F-Prot\shexthk.dll" [empty string] ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "(Kein)" [file not found] Startup items in "*****" & "******" startup folders: ------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."] "IEEE 802.11g Wireless USB Adapter Utility" -> shortcut to: "C:\Programme\Wireless\IEEE 802.11g Wireless USB Adapter\Gcc.exe" [empty string] "little_helper2" -> shortcut to: "C:\Programme\little_helper2\little_helper2.exe" [empty string] Enabled Scheduled Tasks: ------------------------ "Datenträgerbereinigung" -> launches: "C:\WINNT\System32\cleanmgr.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 20 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]} F-Prot Antivirus Update Monitor, F-Prot Antivirus Update Monitor, ""C:\Programme\FSI\F-Prot\fpavupdm.exe"" ["FRISK Software"] NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"] O&O Defrag, O&O Defrag, "C:\WINNT\system32\oodag.exe" ["O&O Software GmbH"] VNC Server, winvnc, ""C:\Programme\RealVNC\WinVNC\WinVNC.exe" -service" ["RealVNC Ltd."] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor S450\Driver = "CNMLM2R.DLL" ["CANON INC."] Canon MP Language Monitor MP360\Driver = "CNMLMyd.DLL" ["CANON INC."] PDF Port\Driver = "C:\WINNT\system32\pdfports.dll" ["Adobe Systems Incorporated."] USB Remote print port\Driver = "Printer Server\demo.dll" ["UNknown Corporation"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 60 seconds, including 11 seconds for message boxes) |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 02:01 Uhr. |
Copyright ©2000-2026, Trojaner-Board