Rokop Security


> Please evaluate log
metzger
Post 19.07.2004, 23:30
Post #1

New here

Group: Members
Posts: 2
Member since: 19.07.2004
Member no.: 1.239

Logfile of HijackThis v1.98.0
Scan saved at 00:07:15, on 20.07.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\JanMetzger\Anwendungsdaten\dcut.exe
C:\WINDOWS\System32\dnczkdhn.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\Programme\Softwin\BitDefender Professional Edition\vsserv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\eMule\emule.exe
C:\PROGRA~1\ICQ\Icq.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\JanMetzger\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.102/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsearch.org/searchpage/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (o
Replies (1 - 5)

Gast_*Christian*_*
Post 20.07.2004, 00:20
Post #2

Guests

Safe mode and fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.102/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsearch.org/searchpage/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsearch.org/searchpage/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (o

I don't know these:
C:\WINDOWS\System32\dnczkdhn.exe
dcut.exe


Visit www.windowsupate.com!

This post was edited by *Christian*: 20.07.2004, 00:20

Remover
Post 20.07.2004, 05:59
Post #3

"Sir Remover"

Group: Members
Posts: 1.726
Member since: 04.02.2004
Member no.: 397

Operating system:
Windows 7 x64
Virus scanner:
MS

Could it be that your logfile is cut off?
Having only R entries is quite unusual.....


--------------------
Regards R E M O V E R
If you think you are paranoid,
. . .you are not paranoid enough!

Gast_*Christian*_*
Post 20.07.2004, 16:54
Post #4

Guests

Visit:
http://www.trojaner-board.de/showthread.php?t=6410
metzger
Post 20.07.2004, 22:28
Post #5

Thread starter

New here

Group: Members
Posts: 2
Member since: 19.07.2004
Member no.: 1.239

Yes, the log was cut off. Here is the complete one again, with a request for a fresh evaluation.

Thanks
metzger

Logfile of HijackThis v1.98.0
Scan saved at 23:20:40, on 20.07.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
C:\Programme\Softwin\BitDefender Professional Edition\vsserv.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\JanMetzger\Anwendungsdaten\dcut.exe
C:\WINDOWS\System32\dnczkdhn.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\JanMetzger\Desktop\hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02E1DD99-0853-401A-93AF-D344BE1BEA61} - C:\WINDOWS\System32\nfpi.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Title Dvd Cast - {1FBB0CB8-9550-646B-BBE5-0732AF2C08E8} - C:\PROGRA~1\OpenFord\atom blah.dll
O2 - BHO: (no name) - {3FD9452A-C937-0CCB-D327-61557FAE2D6D} - C:\WINDOWS\System32\wiyc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: File base hole - {65BF56A2-EB82-13A3-A733-EA25069D561C} - C:\PROGRA~1\OpenFord\atom blah.dll
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdnagent.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Programme\Softwin\BitDefender Professional Edition\bdswitch.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rcwl] C:\Dokumente und Einstellungen\JanMetzger\Anwendungsdaten\dcut.exe
O4 - HKCU\..\Run: [Qopbg] C:\WINDOWS\System32\dnczkdhn.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter Utility.lnk = C:\Programme\SMC\SMC2835W 2.4GHz 54 Mbps Wireless CardBus Adapter\drivers\WINXP\SMC11GMonitor.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: Debt Consolidate - {9234f700-cba3-4071-b251-47cb894244cd} - http://www.terra.es/personal7/korona04/debt.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Debt Consolidate - {9234f700-cba3-4071-b251-47cb894244cd} - http://www.terra.es/personal7/korona04/debt.html (file missing) (HKCU)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://www.xpehbam.biz/sek.exe
O18 - Filter: text/html - {C8D600F6-8231-4E8D-BFE1-8D062637D075} - C:\WINDOWS\System32\nfpi.dll
O18 - Filter: text/plain - {C8D600F6-8231-4E8D-BFE1-8D062637D075} - C:\WINDOWS\System32\nfpi.dll
Gast_*Christian*_*
Post 20.07.2004, 22:47
Post #6

Guests

Safe mode and fix this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02E1DD99-0853-401A-93AF-D344BE1BEA61} - C:\WINDOWS\System32\nfpi.dll
O2 - BHO: (no name) - {3FD9452A-C937-0CCB-D327-61557FAE2D6D} - C:\WINDOWS\System32\wiyc.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - (no file) (HKCU)
O9 - Extra button: Debt Consolidate - {9234f700-cba3-4071-b251-47cb894244cd} - http://www.terra.es/personal7/korona04/debt.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Debt Consolidate - {9234f700-cba3-4071-b251-47cb894244cd} - http://www.terra.es/personal7/korona04/debt.html (file missing) (HKCU)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://www.xpehbam.biz/sek.exe
O18 - Filter: text/html - {C8D600F6-8231-4E8D-BFE1-8D062637D075} - C:\WINDOWS\System32\nfpi.dll
O18 - Filter: text/plain - {C8D600F6-8231-4E8D-BFE1-8D062637D075} - C:\WINDOWS\System32\nfpi.dll

Then visit www.windowsupate.com! Switching browsers would also make sense: www.firefox-browser.de

Edit: Please also fix this in safe mode:
O4 - HKCU\..\Run: [Rcwl] C:\Dokumente und Einstellungen\JanMetzger\Anwendungsdaten\dcut.exe
O4 - HKCU\..\Run: [Qopbg] C:\WINDOWS\System32\dnczkdhn.exe

Then delete these files:
C:\Dokumente und Einstellungen\JanMetzger\Anwendungsdaten\dcut.exe
C:\WINDOWS\System32\dnczkdhn.exe

Do you have current BitDefender updates?

This post was edited by *Christian*: 20.07.2004, 23:10
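As an added example (not from the thread, HijackThis, or any of its posters), the checks Christian applied by hand to the second log can be written down as a small triage script: R entries served from a res:// DLL resource, pointing at a local file or a bare IP; O18 MIME filters on text/html or text/plain; O16 objects fetching an executable or using ms-its:; Run values whose name is unrelated to the binary they start; and, as a second pass, every other entry that loads a file already flagged (which is how nfpi.dll ties the R, O2 and O18 lines together). The sample lines are copied from the log above and cut down to ten; the rule set and thresholds are this example's own assumptions.

```python
import re
# Constructed sample: entry shapes copied from the HijackThis log posted in the thread,
# cut to ten lines so the block runs offline without a scan.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\nfpi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.31.79.102/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02E1DD99-0853-401A-93AF-D344BE1BEA61} - C:\WINDOWS\System32\nfpi.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Qopbg] C:\WINDOWS\System32\dnczkdhn.exe
O16 - DPF: {AD688740-5246-40C3-1111-53959999940D} - http://www.xpehbam.biz/sek.exe
O18 - Filter: text/html - {C8D600F6-8231-4E8D-BFE1-8D062637D075} - C:\WINDOWS\System32\nfpi.dll
"""
LINE_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")  # "R1 - ..." / "O18 - ..."
PATH_RE = re.compile(r"[A-Za-z]:\\[^()\n]+?\.(?:dll|exe)", re.IGNORECASE)
BARE_IP = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")

def classify(line):
    """Reasons one HijackThis entry (already matched by LINE_RE) deserves review."""
    kind, body = LINE_RE.match(line).groups()
    low, reasons = body.lower(), []
    if kind.startswith("R"):  # IE start/search settings
        if "res://" in low and "(obfuscated)" in low:
            reasons.append("search setting served from a DLL resource")
        if "file://" in low or BARE_IP.search(low):
            reasons.append("start/search page is a local file or a bare IP")
    elif kind == "O18" and low.startswith("filter: text/"):
        reasons.append("MIME filter hooks text/html or text/plain")
    elif kind == "O16" and (low.endswith(".exe") or "ms-its:" in low):
        reasons.append("DPF object pulls an executable or uses ms-its:")
    elif kind == "O4":  # autostart: weak signal, key name unrelated to the binary name
        km = re.search(r"\[([^\]]+)\]\s*(.*)", body)
        pm = PATH_RE.search(km.group(2)) if km else None
        if pm and km.group(1).lower().split(".")[0] != pm.group(0).rsplit("\\", 1)[-1][:-4].lower():
            reasons.append("Run value name does not match its binary")
    return reasons

def triage(log_text):
    """Apply the rules, then flag every other entry that loads an already-flagged file."""
    entries = [l for l in log_text.splitlines() if LINE_RE.match(l)]
    hits = {l: classify(l) for l in entries}
    bad = {p.lower() for l, r in hits.items() if r for p in PATH_RE.findall(l)}
    for l in entries:
        for p in PATH_RE.findall(l):
            if p.lower() in bad and not hits[l]:
                hits[l].append("loads a file already flagged: " + p)
    return {l: r for l, r in hits.items() if r}

print(*(f"{e[:60]} -> {'; '.join(w)}" for e, w in triage(SAMPLE_LOG).items()), sep="\n")
```

The name-mismatch rule for O4 is deliberately weak (a legitimate entry such as a vendor key starting a differently named binary would also be listed), so it marks entries for review rather than for removal.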