Trojan!? (maybe) Please check my HiJack log!

#0
24.04.2007, 05:15
...new here
Posts: 4
27.04.2007, 18:07
Member
Posts: 3716
#2
hi, open My Computer, Tools, Folder Options, View and set the following there:
"Hide extensions for known file types" off, "Display the contents of system folders" on, "Hide protected operating system files" off, and "Show hidden files and folders" on. Now rename hijackthis.exe to hjt.com, because malware can hide from hijackthis.exe; make sure the .exe extension is gone. Create and post a new log! Download ComboFix: http://virus-protect.org/artikel/tools/combofix.html and post the log. Download filelist, unpack it on the desktop, open filelist.bat and post the last 30 days of each directory! http://members.linzag.net/680262/filelist.zip
29.04.2007, 10:12
...new here
Thread starter, Posts: 4
#3
Thanks for the reply
Here is the log from the renamed HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 09:59:38, on 29.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\programme\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\www.ingame.de_lwt\LWT.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis\hjt.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PowerStrip] c:\programme\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://www.giga.de/giga-stream-test/Rawflow.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129572830078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Here is the ComboFix log:

"Administrator" - 07-04-29 10:01:14 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Dokumente und Einstellungen\Administrator\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
-------\NPF
-------\LEGACY_NM
-------\LEGACY_NPF

((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))
2007-04-28 12:18 53,248 --a------ C:\WINDOWS\system32\apache.dll
2007-04-24 15:08 <DIR> d-------- C:\DOKUME~1\ADMINI~1\.housecall6.6
2007-04-24 01:33 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-04-24 01:31 <DIR> d-------- C:\Programme\WinPcap
2007-04-23 21:10 <DIR> d-------- C:\Programme\Security Task Manager
2007-04-23 21:10 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SecTaskMan
2007-04-18 23:00 <DIR> d-------- C:\Programme\Bluetack
2007-04-14 16:29 1,874,176 --a------ C:\WINDOWS\system32\ntosboot.exe
2007-04-14 15:14 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-14 15:10 441 --a------ C:\bootbak.bat
2007-04-13 20:58 <DIR> d-------- C:\WINDOWS\system32\de-de
2007-04-13 20:55 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-12 23:07 <DIR> d-------- C:\Programme\The Cleaner
2007-04-12 12:52 <DIR> d-------- C:\DOKUME~1\ADMINI~1\Contacts
2007-04-12 12:51 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-04-06 00:37 <DIR> d-------- C:\DOKUME~1\ADMINI~1\OngameNetwork
2007-04-05 21:45 <DIR> d-------- C:\DOKUME~1\ADMINI~1\ANWEND~1\Command & Conquer 3 Tiberium Wars
2007-04-05 21:44 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-04-05 21:03 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-04-04 08:59 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-29 09:56 -------- d-------- C:\Programme\peerguardian2
2007-04-26 21:11 96256 --a------ C:\WINDOWS\system32\drivers\sptd5245.sys
2007-04-24 21:31 -------- d-------- C:\Programme\hlsw
2007-04-24 01:39 70580 --a------ C:\WINDOWS\system32\perfc007.dat
2007-04-24 01:39 405118 --a------ C:\WINDOWS\system32\perfh007.dat
2007-04-18 11:15 2322432 --a------ C:\WINDOWS\system32\kernel1.exe
2007-04-16 11:01 0 --a------ C:\CONFIG.SYS
2007-04-16 11:01 0 --a------ C:\AUTOEXEC.BAT
2007-04-14 00:55 -------- d-------- C:\DOKUME~1\ADMINI~1\ANWEND~1\temp
2007-04-13 21:36 -------- d-------- C:\Programme\pokerstars.net
2007-04-13 21:05 -------- d-------- C:\Programme\windows media connect 2
2007-04-12 12:51 -------- d-------- C:\Programme\msn messenger
2007-03-18 14:11 -------- d--h----- C:\Programme\installshield installation information
2007-03-17 15:44 293376 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-13 14:12 -------- d-------- C:\DOKUME~1\ADMINI~1\ANWEND~1\teamspeak2
2007-03-11 00:05 -------- d-------- C:\Programme\emule
2007-03-08 17:36 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 17:59 -------- d-------- C:\Programme\icqlite
2007-03-06 00:37 -------- d-------- C:\Programme\gcfscape
2007-03-06 00:15 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-03-06 00:15 -------- dr-h----- C:\DOKUME~1\ADMINI~1\ANWEND~1\securom
2007-02-05 22:18 185856 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-31 16:28 286720 --a------ C:\WINDOWS\iun506.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Programme\Java\jre1.5.0_09\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nForce Tray Options"="sstray.exe /r"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TCASUTIEXE"="TCAUDIAG.exe -on"
"PowerStrip"="c:\\programme\\powerstrip\\pstrip.exe"
"Logitech Utility"="Logi_MwX.Exe"
"KAVPersonal50"="\"C:\\Programme\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Programme\\ICQLite\\ICQLite.exe -trayboot"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^PlexTools Professional LE.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\PlexTools Professional LE.lnk"
"backup"="C:\\WINDOWS\\pss\\PlexTools Professional LE.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Plextor\\PTPLE\\PTPLE.exe "
"item"="PlexTools Professional LE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^PlexTools Professional XL.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\PlexTools Professional XL.lnk"
"backup"="C:\\WINDOWS\\pss\\PlexTools Professional XL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Plextor\\PTPXL\\PTPXL.exe "
"item"="PlexTools Professional XL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStart-Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoStart-Manager"
"hkey"="HKCU"
"command"="REM C:\\Programme\\Tools&More\\Autostart-Manager\\AutoStart-Manager.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Programme\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Programme\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="emule"
"hkey"="HKCU"
"command"="C:\\Programme\\eMule\\emule.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="C:\\Programme\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launcher"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Octoshape Streaming Services\\Administrator\\launcher.exe\" -inv:bootrun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pstrip"
"hkey"="HKLM"
"command"="c:\\programme\\powerstrip\\pstrip.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vsnpstd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\vsnpstd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="steam"
"hkey"="HKCU"
"command"="\"d:\\programme\\steam\\steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Programme\\Java\\jre1.5.0_09\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcactive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tca"
"hkey"="HKLM"
"command"="C:\\Programme\\The Cleaner\\tca.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tcmonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tcm"
"hkey"="HKLM"
"command"="C:\\Programme\\The Cleaner\\tcm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K]
Shell\AutoRun\command K:\FarCryAutoCD.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4f00a50b-34d7-11da-8755-806d6172696f}]
Shell\AutoRun\command H:\autoplay.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5979161a-c300-11da-8052-000c6ed4fd0d}]
Shell\AutoRun\command I:\Setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2755124-389c-11da-bfad-0011b107a268}]
Shell\AutoRun\command J:\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b2755125-389c-11da-bfad-0011b107a268}]
Shell\AutoRun\command K:\autorun.exe

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PGFILTER

********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 10:05:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 07-04-29 10:05:07
C:\ComboFix-quarantined-files.txt ... 07-04-29 10:05

and the filelist.bat log:

Verzeichnis von C:\
29.04.2007 10:07 43 filelist.txt
29.04.2007 10:05 14.831 ComboFix.txt
29.04.2007 10:05 1.502 ComboFix-quarantined-files.txt
28.04.2007 07:00 1.073.270.784 hiberfil.sys
28.04.2007 07:00 3.221.225.472 pagefile.sys
16.04.2007 15:46 361 boot.ini
16.04.2007 11:01 0 AUTOEXEC.BAT
16.04.2007 11:01 0 CONFIG.SYS
14.04.2007 15:10 441 bootbak.bat
13.04.2007 20:51 211 boot.lgb
13.04.2007 20:51 211 boot.bak
12.04.2007 23:21 2.262 WPA.DBL

Verzeichnis von C:\WINDOWS
28.04.2007 18:51 1.209 win.ini
28.04.2007 07:00 1.794.982 WindowsUpdate.log
28.04.2007 07:00 159 wiadebug.log
28.04.2007 07:00 0 0.log
28.04.2007 07:00 50 wiaservc.log
28.04.2007 07:00 2.048 bootstat.dat
26.04.2007 21:11 32.642 SchedLgU.Txt
21.04.2007 08:58 116 NeroDigital.ini
21.04.2007 03:52 86.528 catchme.exe
16.04.2007 15:46 611 system.ini
14.04.2007 10:56 68 Awpr.ini
13.04.2007 21:05 316.640 WMSysPr9.prx
05.04.2007 21:44 98.304 system32CmdLineExt.dll

Verzeichnis von C:\WINDOWS\system32
28.04.2007 16:52 53.248 apache.dll
28.04.2007 07:00 2.262 wpa.dbl
28.04.2007 07:00 29.204 nvapps.xml
25.04.2007 10:22 18.254 ssnvfx.ini
24.04.2007 01:39 392.296 perfh009.dat
24.04.2007 01:39 58.596 perfc009.dat
24.04.2007 01:39 70.580 perfc007.dat
24.04.2007 01:39 405.118 perfh007.dat
24.04.2007 01:39 938.224 PerfStringBackup.INI
18.04.2007 11:15 2.322.432 kernel1.exe
14.04.2007 15:16 8.464 sporder.dll
13.04.2007 21:05 16.832 amcompat.tlb
13.04.2007 21:05 23.392 nscompat.tlb
04.04.2007 13:14 110.192 FNTCACHE.DAT
03.04.2007 22:48 13.511.640 MRT.exe
02.04.2007 14:21 428.032 swreg.exe

Verzeichnis von C:\WINDOWS\Prefetch
29.04.2007 10:07 11.524 FIND.EXE-0EC32F1E.pf
29.04.2007 10:07 16.068 CMD.EXE-087B4001.pf
29.04.2007 10:07 25.894 VERCLSID.EXE-3667BD89.pf
29.04.2007 10:07 41.652 WINRAR.EXE-3588DFE8.pf
29.04.2007 10:05 20.756 NOTEPAD.EXE-336351A9.pf
29.04.2007 10:05 5.700 TREE.COM-0A9AA73A.pf
29.04.2007 10:05 10.878 SORT.EXE-194AE83C.pf
29.04.2007 10:05 92.106 1304.CFEXE-1C510F55.pf
29.04.2007 10:04 5.676 CHCP.COM-18156052.pf
29.04.2007 10:04 14.018 REGT.CFEXE-15DB5DAE.pf
29.04.2007 10:04 3.740 REGBINDUMP.CFEXE-28A4A438.pf
29.04.2007 10:03 11.520 ATTRIB.EXE-39EAFB02.pf
29.04.2007 10:03 8.622 NIRCMD.CFEXE-19FF4781.pf
29.04.2007 10:03 7.506 SWSC.CFEXE-3B4FE4FE.pf
29.04.2007 10:03 3.782 VFIND.CFEXE-2033727F.pf
29.04.2007 10:03 10.558 SWREG.CFEXE-2BF4FFCD.pf
29.04.2007 10:03 15.558 FINDSTR.EXE-0CA6274B.pf
29.04.2007 10:02 6.000 DUMPHIVE.CFEXE-2ED3B134.pf
29.04.2007 10:01 6.974 SWXCACLS.CFEXE-365F7973.pf
29.04.2007 10:01 4.490 HANDLE.CFEXE-13427ED2.pf
29.04.2007 10:00 22.080 SETPATH.CFEXE-034E3D26.pf
29.04.2007 10:00 9.016 SWREG.EXE-3560BE42.pf
29.04.2007 10:00 48.908 COMBOFIX.EXE-3456D1BD.pf
29.04.2007 09:58 18.358 HJT.COM-35D3AF38.pf
29.04.2007 09:55 13.798 RUNDLL32.EXE-451FC2C0.pf
29.04.2007 09:54 97.640 FIREFOX.EXE-1D57670A.pf
29.04.2007 09:26 13.492 LOGON.SCR-151EFAEA.pf
29.04.2007 09:15 75.996 ICQLITE.EXE-2AEFACA7.pf
29.04.2007 07:01 26.682 WUAUCLT.EXE-399A8E72.pf
29.04.2007 04:54 405.752 Layout.ini
29.04.2007 04:51 33.486 WMIPRVSE.EXE-28F301A9.pf
28.04.2007 22:44 89.798 AZUREUS.EXE-018E10AA.pf
28.04.2007 22:44 54.958 PG2.EXE-100DE05D.pf
28.04.2007 22:44 12.736 PGFIX.EXE-3A175CA1.pf
28.04.2007 22:43 16.858 RUNDLL32.EXE-2A94BB85.pf
28.04.2007 22:43 17.648 RUNDLL32.EXE-2E5AF1D7.pf
28.04.2007 20:32 13.002 FROZEN THRONE.EXE-056E7004.pf
28.04.2007 20:32 56.728 WAR3.EXE-093443FC.pf
28.04.2007 20:32 34.576 LWT.EXE-0ED12157.pf
28.04.2007 20:30 15.732 WARCRAFTAUTOREFRESH.EXE-07B8D8F1.pf
28.04.2007 20:28 97.860 TASKMGR.EXE-20256C55.pf
28.04.2007 19:54 38.746 WSCRIPT.EXE-32960AB9.pf
28.04.2007 19:27 29.352 XLVIEW.EXE-314982F0.pf
28.04.2007 18:52 16.592 CALC.EXE-02CD573A.pf
28.04.2007 18:51 26.176 CHARMAP.EXE-294D64C0.pf
28.04.2007 18:51 21.782 RUNDLL32.EXE-12E27DD0.pf
28.04.2007 18:08 64.456 EXPLORER.EXE-082F38A9.pf
28.04.2007 16:52 16.120 TRAINER.EXE-06DC473A.pf
28.04.2007 16:52 58.668 AWE.EXE-29BD9C37.pf
28.04.2007 11:07 13.050 RUNDLL32.EXE-268BFF96.pf
28.04.2007 08:54 44.184 DFRGNTFS.EXE-269967DF.pf
28.04.2007 07:14 20.990 SVCHOST.EXE-3530F672.pf
28.04.2007 07:04 35.450 MMC.EXE-1EF9AA05.pf
28.04.2007 07:02 40.212 USNSVC.EXE-1D8C2356.pf
28.04.2007 07:02 1.064.942 NTOSBOOT-B00DFAAD.pf
26.04.2007 21:11 17.944 LOGONUI.EXE-0AF22957.pf
26.04.2007 20:31 15.954 WARCRAFTAUTOREFRESH.EXE-29BAE7FD.pf
26.04.2007 20:27 26.344 MSNMSGR.EXE-091111D0.pf
26.04.2007 20:26 75.226 WINAMP.EXE-08C38ED9.pf
26.04.2007 20:25 73.330 CCleaner.EXE-065E2F3F.pf
26.04.2007 19:06 17.696 DEFRAG.EXE-273F131E.pf
26.04.2007 14:26 103.564 FIREFOX.EXE-17EE503B.pf
26.04.2007 14:21 29.612 CCSETUP139.EXE-0D369D0F.pf

Verzeichnis von C:\WINDOWS\tasks
28.04.2007 07:00 6 SA.DAT

The directories I didn't post were older than 30 days. Thanks again!!!
29.04.2007, 10:24
Member
Posts: 3716
#4
hi, update your antivirus program and run a full scan of your system in safe mode.
29.04.2007, 12:39
...new here
Thread starter, Posts: 4
#5
hmmm... safe mode won't start...
neither via F8, nor when I append /safeboot:minimal to boot.ini.
29.04.2007, 13:36
Member
Posts: 3716
#6
via msconfig and the system startup tab? if not, scan normally for now
29.04.2007, 13:55
...new here
Thread starter, Posts: 4
#7
yes, when I try to get into safe mode the normal way, i.e. restart the computer, press F8 and select safe mode, it hangs at the blinking cursor, and when I select safe mode via msconfig the screen just stays black.
Kaspersky doesn't find any virus on my machine.
would be nice if someone could take a look at my HijackThis log and then tell me that (hopefully) everything is fine and I'm just paranoid.
Thanks!!!
Logfile of HijackThis v1.99.1
Scan saved at 05:07:07, on 24.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\programme\powerstrip\pstrip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PowerStrip] c:\programme\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://www.giga.de/giga-stream-test/Rawflow.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129572830078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
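One way to do the first pass over a log in the format above, as an added example for this thread (it is not part of HijackThis, of ComboFix, or of any post here): it parses the "type - body" entries HijackThis prints and flags what a reviewer looks at first, i.e. entries whose file is gone, unnamed BHOs, services with an unknown owner, and autostart images given without a path. The sample lines are excerpted from the logs posted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Every HijackThis entry line has the shape "<type> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [Entry name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")

# Constructed sample: lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis entry type, e.g. "O2"
    reason: str  # why a reviewer should look at this entry
    line: str    # the original log line


def split_command(cmd: str):
    """Split a command line into (program, remaining arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launched_image(cmd: str) -> str:
    """Return the image an autostart entry really loads; for rundll32 that is the DLL, not rundll32."""
    prog, rest = split_command(cmd)
    if prog.lower() in ("rundll32.exe", "rundll32"):
        dll, _ = split_command(rest)
        return dll.split(",", 1)[0]
    return prog


def triage_line(line: str):
    """Return the findings for one log line (empty list if the line is benign or not an entry)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that is not on disk (stale entry or removed component)")
    if kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object without a name")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service binary without a known publisher")
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            image = launched_image(o4.group("cmd"))
            # A bare file name is resolved through the search path at logon, so the log alone
            # does not say which file actually runs; the reviewer has to locate it on disk.
            if "\\" not in image and not image.startswith("%"):
                reasons.append(f"autostart image '{image}' is given without a path")
    return [Finding(kind, r, line.strip()) for r in reasons]


def triage(log_text: str):
    """Triage a whole log: returns (findings, count of entries per type)."""
    findings, kinds = [], Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kinds[m.group("kind")] += 1
        findings.extend(triage_line(line))
    return findings, kinds


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    print("entries per type:", dict(counts))
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

The flags are prompts for a manual check, not verdicts: an entry with "(file missing)" is often a leftover of an uninstalled tool, as the BitDefender and WinPcap lines above show, and an image without a path only becomes interesting once you find where it actually resolves.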