Hijacker or some other trojan

#0
24.02.2005, 21:43
...new here
Posts: 4

25.02.2005, 10:54
Member
Posts: 95
#2
Please post the complete HijackThis log.

25.02.2005, 12:21
...new here
Thread starter, Posts: 4
#3
```text
Logfile of HijackThis v1.99.1
Scan saved at 12:19:08, on 25.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\OpenVPN\bin\openvpnserv.exe
C:\Programme\OpenVPN\bin\openvpn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
D:\mIRC\mirc.exe
C:\Programme\Skype\Phone\Skype.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Programme\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\TinyIdentD\TinyIdentD\TinyIdentD.exe
C:\Programme\FlashFXP\FlashFXP.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
C:\Programme\cablecom hispeed security package\backweb\9038346\Program\fspex.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe
C:\Programme\Pinnacle\PCTV Stereo\Remote\remoterm.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Manuel\LOKALE~1\Temp\Rar$EX00.440\HijackThis.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Manuel\LOKALE~1\Temp\Rar$EX00.937\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ucwuuuiabqnnvtjeon.com/gBBRZkZOlw/aNe73pLRk8FDSwrdZaZNxmkKX3QV13IBILypxz3/YBWo6GGboiJEp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B45CE94-A5B3-A3FC-4244-BE58F2B1883C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Programme\Pinnacle\PCTV Stereo\Remote\Remoterm.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [mode camp] C:\DOKUME~1\Manuel\ANWEND~1\AXISCO~1\Army That.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOKUME~1\Manuel\LOKALE~1\Temp\Rar$EX00.440\HijackThis.exe /startupscan
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Registration-PCTV.lnk = C:\Programme\Pinnacle\PCTV Stereo\ERegister\RegTool.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = C:\Programme\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O8 - Extra context menu item: Easy-WebPrint Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Buyertools Reminder - {27914077-B4D6-4A0E-9763-76B6E9DD9A81} - C:\Programme\Buyertools\Buyertools Reminder\ReminderIE.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay Homepage - {D4951B60-8FF9-4813-B716-FF3E75386E74} - http://www.preispiraten.de/cgi-bin/e/tracker_short.pl?http://www.ebay.de (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DAD98A7-C6B8-45AF-8047-D6C9B3A08198}: NameServer = 192.168.0.1
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Programme\OpenVPN\bin\openvpnserv.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
```

25.02.2005, 13:14
Member
Posts: 95
#4
Hi!
Here is the procedure: boot the PC into Safe Mode, disable System Restore, and scan with eScan, a regular antivirus scanner (e.g. BitDefender Free Edition) and Spybot Search & Destroy. Then scan again with HijackThis and remove/fix the following entries:

```text
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ucwuuuiabqnnvtjeon.com/gBBRZkZOlw/aNe73pLRk8FDSwrdZaZNxmkKX3QV13IBILypxz3/YBWo6GGboiJEp.html
O2 - BHO: (no name) - {7B45CE94-A5B3-A3FC-4244-BE58F2B1883C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
```

After a restart you can enable System Restore again.
Regards
I have a bigger problem. I have some trojan or something like that on my PC.
I scanned with HijackThis and found a strange entry:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.afjiqvwmdibytkxqatmlbaynv.uk/gBBRZkZOlw/aNe73pLRk8FDSwrdZaZNxmkKX3QV13IBvMZdIPUcrsno6GGboiJEp.htm
When I remove it, the entry is back the next time the browser starts.
Another problem, and I don't know whether it is related: when scanning with Ad-Aware I also keep finding the same entry again and again. It is labelled *LOP Malware*.
Can anyone help me?
Spybot Search & Destroy finds nothing
CWShredder finds nothing either
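Added example (not from the thread or from HijackThis itself): a small Python triage pass that encodes the checks applied in this thread, namely an R1 search-bar entry pointing at a random-looking host (the entry the original poster keeps seeing come back), O2 BHOs marked "(no file)", O23 services marked "(file missing)", and O4 autostarts running out of the user profile like the `[mode camp]` line. The sample lines are constructed after the entry types in the posted log, and the consonant-run test for "random-looking" hostnames is my own heuristic, not a HijackThis feature.

```python
import re

# Constructed sample in HijackThis format, modelled on the entry types seen in
# the posted log (one line per type; not a copy of the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ucwuuuiabqnnvtjeon.com/gBBRZkZOlw/YBWo6GGboiJEp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7B45CE94-A5B3-A3FC-4244-BE58F2B1883C} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKCU\..\Run: [mode camp] C:\DOKUME~1\Manuel\ANWEND~1\AXISCO~1\Army That.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
""".strip()

# Autostarts living under the user profile (German long name or 8.3 short
# name) deserve a second look: legitimate software rarely installs there.
USER_PROFILE = re.compile(r"\\(DOKUME~1|Dokumente und Einstellungen|Documents and Settings)\\", re.I)

def looks_random(host):
    """Assumed heuristic: a long first label containing a run of four or more
    consonants is unlikely to be a real word (e.g. 'ucwuuuiabqnnvtjeon')."""
    label = re.sub(r"^www\.", "", host.lower()).split(".")[0]
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", label)
    longest = max((len(r) for r in runs), default=0)
    return len(label) >= 10 and longest >= 4

def triage(log_text):
    """Return (entry, reason) pairs a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        kind = line.split(" - ", 1)[0]
        if kind == "R1" and "=" in line:
            url = line.split("=", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if looks_random(host):
                findings.append((line, "browser search/start page points to a random-looking host"))
        elif kind == "O2" and line.endswith("(no file)"):
            findings.append((line, "BHO registered but its DLL is gone (orphan, safe to fix)"))
        elif kind == "O4" and USER_PROFILE.search(line):
            findings.append((line, "autostart runs from the user profile, verify the file"))
        elif kind == "O23" and line.endswith("(file missing)"):
            findings.append((line, "service points to a missing binary"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

The hostname check also fires on the `.uk` host in the original post, which shows why removing the R1 line alone does not help: the O4 autostart that rewrites it on every browser start has to go first.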