Browser keeps resetting the start page to morefinders.com
#0
07.06.2004, 17:30
...new here
Posts: 2
07.06.2004, 17:37
Member
Posts: 1122
#2
Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage","http://www.wethere.com"); (C:\Programme\Netscape\Users\default\prefs.js)
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\SYSTEM\scvhost.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/de/check/qdiagh.cab?316
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/igor.chm::/file.exe
Regards, DAFRA
P.S. Afterwards delete this file: C:\WINDOWS\SYSTEM\scvhost.exe
07.06.2004, 18:00
...new here
Thread starter, Posts: 2
11.06.2004, 13:21
...new here
Posts: 2
#4
Hello,
unfortunately I have this annoying spyware problem too. Here is my log. It would be great if I could get help as well.
Logfile of HijackThis v1.97.7
Scan saved at 13:17:35, on 11.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAMME\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAMME\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TWAIN_32\1200CU\WATCH.EXE
C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMME\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.995\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAMME\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\SYSTEM\scvhost.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200CU\WATCH.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/hawa.chm::/file.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://privat.t-online.de/app/static/activex/msxml4.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = dialin.t-online.de
11.06.2004, 13:53
Member
Posts: 441
#5
Hello heligus,
please fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\SYSTEM\scvhost.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/hawa.chm::/file.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://privat.t-online.de/app/static/activex/msxml4.cab
Afterwards remove this file manually: C:\WINDOWS\SYSTEM\scvhost.exe
and have this file checked here http://www.kaspersky.com/de/remoteviruschk.html: C:\WINDOWS\SYSTEM\runonce.exe
__________
The most valuable thing in life is time. Living means handling time properly.
Reinstalling the system / securing it! HJT guide
This post was edited by Cidre on 11.06.2004 at 13:55.
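The advice in the two "fix these entries" posts above comes down to recognising three kinds of HijackThis lines: R0/R1 start and search pages that point at the hijacker's domain, an O4 Run entry whose binary name is a letter-transposition of a Windows system binary (scvhost.exe versus svchost.exe), and an O16 download entry that uses the ms-its:/mhtml: protocol chain instead of a plain .cab URL. The Python script below is an added example, not part of the thread and not a feature of HijackThis; it parses log lines in the format quoted in the thread and flags entries by those three heuristics. The suspect-host list, the system-binary list and the sample log lines are constructed here from the entries quoted in the thread.

```python
"""Triage HijackThis log entries: flag the lines a reviewer should look at first.
Added example for the thread above; not part of the forum post and not a
HijackThis feature.  Suspect hosts and sample lines are constructed from the
entries quoted in the thread."""
import re
from urllib.parse import urlsplit

# HijackThis entry: "<kind> - <body>", e.g. "R1 - HKCU\...,SearchURL = http://..."
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# http(s) URLs as they appear in R0/R1/N1 entries; stops before quotes/semicolons
# so the N1 prefs.js form user_pref("...","http://...") parses cleanly
URL_RE = re.compile(r"https?://[^\s\"');]+", re.I)
# Executable referenced by an O4 Run entry: text after "[name]", optional quotes
O4_TARGET_RE = re.compile(r'\]\s*"?(?P<path>[^"]+?\.exe)\b', re.I)

# Hosts the thread identifies as the hijacker's (assumption: reviewer-maintained list)
SUSPECT_HOSTS = {"morefinders.com"}
# Legitimate system binaries whose names malware tends to imitate
SYSTEM_BINARIES = ("svchost.exe", "rundll32.exe", "explorer.exe", "taskmon.exe")


def host_of(url):
    """Return the lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_suspect_host(host):
    """True if host is a suspect domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SUSPECT_HOSTS)


def lookalike(name):
    """Return the system binary that `name` imitates by letter transposition
    (scvhost.exe -> svchost.exe), or None.  Only anagrams are caught; a name
    that differs by an added or substituted letter is not."""
    n = name.lower()
    for real in SYSTEM_BINARIES:
        if n != real and sorted(n) == sorted(real):
            return real
    return None


def reasons_for(kind, body):
    """Apply the review heuristics to one entry; return the reasons to flag it."""
    reasons = []
    if kind in ("R0", "R1", "N1"):
        for url in URL_RE.findall(body):
            host = host_of(url)
            if is_suspect_host(host):
                reasons.append("start/search page points to suspect host " + host)
    if kind == "O4":
        m = O4_TARGET_RE.search(body)
        if m:
            exe = m.group("path").rsplit("\\", 1)[-1]
            real = lookalike(exe)
            if real:
                reasons.append("run entry executes %s, a lookalike of %s" % (exe, real))
    if kind == "O16" and re.search(r"\b(ms-its|mhtml):", body, re.I):
        reasons.append("download entry uses the ms-its:/mhtml: protocol chain, not a plain .cab URL")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the flagged entries with their reasons."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines and the 'Running processes' paths
        kind, body = m.group("kind"), m.group("body")
        reasons = reasons_for(kind, body)
        if reasons:
            flagged.append({"kind": kind, "line": line.strip(), "reasons": reasons})
    return flagged


# Constructed sample: entries copied from the logs quoted in the thread
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\SYSTEM\scvhost.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/igor.chm::/file.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["kind"], "|", hit["line"])
        for r in hit["reasons"]:
            print("    ->", r)
```

On the sample, the t-online start page, the ScanRegistry entry and the Flash download are left alone and the four hijacker-related lines are reported. The heuristics are deliberately narrow: a legitimate vendor start page is only flagged if its host is on the reviewer's list, and the lookalike check catches transposed names only, so a name differing by one added letter needs a separate rule.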
11.06.2004, 14:29
Member
Posts: 1095
#6
Afterwards, to be safe, carry out this:
http://board.protecus.de/t9373.htm
Regards, paff
__________
http://www.downclockers.com/ourforum/index.php?board=71.0 Reverse Engineering Malware
11.06.2004, 14:31
Member
Posts: 1095
#7
Quote: Cidre posted
The runonce can be fixed in HijackThis. But you must not delete it. It is a leftover from Microsoft MDAC.
Regards, paff
__________
http://www.downclockers.com/ourforum/index.php?board=71.0 Reverse Engineering Malware
11.06.2004, 23:52
...new here
Posts: 2
#8
Thank you very much for the help.
I went through the registry manually and disabled the ActiveX. Thanks
Original post (thread starter, 07.06.2004, 17:30):
I think I've caught some kind of hijacker. After trying to apply various tips and tricks I came across here in the forum (without any real success...), I'd like to ask for your help in looking through the HijackThis log...
Thanks in advance for the help!!
Logfile of HijackThis v1.97.7
Scan saved at 17:30:51, on 07.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAMME\ANTIVIRUS\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\DIRECTCD\DIRECTCD.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAMME\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAMME\ANTIVIRUS\AVGCC32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\PC SICHERHEIT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://morefinders.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morefinders.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morefinders.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://morefinders.com/search.html
N1 - Netscape 4: user_pref("browser.startup.homepage","http://www.wethere.com"); (C:\Programme\Netscape\Users\default\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Programme\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Programme\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\PROGRAMME\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAMME\ANTIVIRUS\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Magitime] C:\Programme\Magitime\magitime.exe
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\SYSTEM\scvhost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\ANTIVI~1\Avgserv9.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38028.4809259259
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/de/check/qdiagh.cab?316
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://c:\nosuch.mht!http://www.2awm.com/file/igor.chm::/file.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.120.252,192.168.120.253