
HijackThis evaluation!! Help with the evaluation

Hello,
I have a question: is there anything unusual in here?? I haven't found anything, but I'd be glad if Sir Reklov or the others could take another look.

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\FPSoftware\FPFiles\FPQuickBar.exe
C:\WINDOWS\Alt+Q Hotkey.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\FPSoftware\FPFiles\BioManager\BioLogin\Autologin.exe
C:\Programme\FPSoftware\FPFiles\BioManager\FPLock\FPLock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\FrostWire\FrostWire.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Deniz\Desktop\HiJackThis202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FPQuickBar] C:\Programme\FPSoftware\FPFiles\FPQuickBar.exe start up
O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] C:\WINDOWS\Alt+Q Hotkey.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: AutoLogin - {D04AA3F7-DEE7-479B-A153-24E6C36300C0} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {C1514B92-E6E2-4be8-B93C-8A44D1F3011F} - C:\Programme\Supreme Auction\ebay.url (HKCU)
O9 - Extra button: Supreme Auction - {DFE4453A-65DF-47d5-BF37-3D0FD37FBDBB} - C:\Programme\Supreme Auction\SupremeAuction.exe (HKCU)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


regards, deniz



Replies to HijackThis evaluation!! Help with the evaluation:


 :'( nobody there?  :(:o;D


You can also have it evaluated automatically at http://hijackthis.de

And the evaluation says that you have al2dll.dll malware on your machine.

O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
But there are a few other things that could possibly go; just have a look  ;)

e.g.
O9 - Extra button: AutoLogin - {D04AA3F7-DEE7-479B-A153-24E6C36300C0} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
also belongs to it; read the description of all the entries.

I'd guess that everything under C:\Programme\FPSoftware on your machine is malicious; fix the entries and delete the folder.

Or do you use the VisorTech Fingerprint Reader?
« Last edited: 11.08.07, 15:31:20 by mongole »
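The exchange above turns on one question: do the AL2Spy BHO, the AutoLogin button and FPQuickBar belong to one installed product or not? As an added example (not code from the thread, from HijackThis or from hijackthis.de), the Python script below parses HijackThis O2/O4/O9/O20/O23 lines, resolves the file each entry points at, groups the entries by the program folder that file lives in, and lists entries whose file is missing. The sample lines are copied from the log posted above; the 8.3 short-name table (PROGRA~1, FPSOFT~1, ...) is hand-built for this sample because the script runs offline and cannot ask the file system for long names, and all function names are my own.

```python
"""Triage helper for HijackThis log lines (added example; not code from the
thread, from HijackThis or from hijackthis.de). It turns O2/O4/O9/O20/O23
entries into (section, name, path) records, groups them by the program
folder the file lives in, and lists entries whose file is missing."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    section: str    # "O2", "O4", ...
    name: str       # BHO name, Run value name, button name, service name
    path: str       # file the entry points at, exactly as written in the log
    missing: bool   # HijackThis appended "(file missing)"


# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [FPQuickBar] C:\Programme\FPSoftware\FPFiles\FPQuickBar.exe start up
O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] C:\WINDOWS\Alt+Q Hotkey.exe
O9 - Extra button: AutoLogin - {D04AA3F7-DEE7-479B-A153-24E6C36300C0} - C:\PROGRA~1\FPSOFT~1\FPFiles\BIOMAN~1\BioLogin\AL2DLL.dll
O9 - Extra button: eBay - {C1514B92-E6E2-4be8-B93C-8A44D1F3011F} - C:\Programme\Supreme Auction\ebay.url (HKCU)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
"""

# Constructed 8.3 short-name table: offline, the script cannot ask the file
# system for long names, so the short names seen in the sample are mapped by hand.
SHORT_NAMES = {
    "progra~1": "programme",
    "fpsoft~1": "fpsoftware",
    "bioman~1": "biomanager",
    "kasper~1": "kaspersky lab",
    "kasper~1.0": "kaspersky internet security 7.0",
}

# A Windows path ending in a loadable or launchable file; a quote or the comma
# that separates a rundll32 DLL from its entry point ends the match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:exe|dll|com|scr|url)', re.IGNORECASE)
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
RUN_RE = re.compile(r"^\[(.*?)\]\s*(.*)$")


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # R0/R1/R3 lines and headers are skipped
    section, kind, rest = m.groups()
    missing = "(file missing)" in rest
    if section == "O4":                  # O4 - HKLM\..\Run: [Name] command line
        name, target = RUN_RE.match(rest).groups()
    elif section == "O20":               # O20 - AppInit_DLLs: path
        name, target = kind, rest
    else:                                # O2/O9/O23: Name - {CLSID or vendor} - path
        name, target = rest.split(" - ")[0], rest
    pm = PATH_RE.search(target)
    # "nwiz.exe /install" has no drive letter: fall back to the first token
    path = pm.group(0) if pm else (target.split() or [""])[0]
    return Entry(section, name, path, missing)


def product_dir(path: str) -> str:
    # Lower-cased folder with short names expanded, truncated to drive plus two
    # levels, e.g. c:\programme\<vendor or product> or c:\windows\system32
    parts = [SHORT_NAMES.get(p, p) for p in path.lower().split("\\")]
    return "\\".join(parts[:-1][:3])


def triage(log_text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    by_product: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        by_product[product_dir(e.path)].append(f"{e.section} {e.name}")
    missing = [f"{e.section} {e.name}" for e in entries if e.missing]
    return dict(by_product), missing


if __name__ == "__main__":
    groups, dangling = triage(SAMPLE_LOG)
    for folder, names in sorted(groups.items()):
        print(folder + "\n    " + "\n    ".join(names))
    print("file missing:", ", ".join(dangling) or "none")
```

Grouping by folder shows the three FPSoftware entries and the three Kaspersky entries (Run key, AppInit_DLLs, service) as two products rather than six separate findings, which is the judgement the thread is making: whether a whole folder is an unwanted program or, as here, the user's fingerprint-reader software. Entries reported as missing are dead registrations and can be fixed without touching any file.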


Hey, I already ran the automatic evaluation and this al2spy is nothing  ;) it's from my fingerprint reader program! FPS is okay :).


Otherwise it looks quite OK. There are still a few unnecessary entries that you can fix.


Okay, thanks.
Still hoping Sir Reklov takes a look at it  :) .


regards, deniz

Hello,

try this and post the log!
http://people.freenet.de/rene-gad/AVZAnleitung/AVZ4.html

Normally I don't look at logs for fun. Unlike the automatic evaluation, I need a bit of time and brainpower for that.. :D
And certainly not without a proper description of the problem. A log like that is too long for that...

But if you play the guinea pig and try it out as a tester, see above, then I'll take a look too... ;D

Nothing will happen to your box.. :-*
It's a different, possibly better, form of HijackThis. At least it's not so easy to hide from this AVZ.
Sir Reklov


Hello,
I made a log file, and I posted the HijackThis log here because I suspect that someone hacked into my machine yesterday!! Suddenly a few programs closed and the PC hung completely, then I pulled the LAN cable and everything was okay again  ??? .

Log:

1. Searching for rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section: .text
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->7C882FEC
Hook kernel32.dll:GetProcAddress (408) blocked
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C882F9C
Hook kernel32.dll:LoadLibraryA (578) blocked
 >>> Functions LoadLibraryA - preventing the AVZ process from being intercepted by address replacement  !!)
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C882FB0
Hook kernel32.dll:LoadLibraryExA (579) blocked
 >>> Functions LoadLibraryExA - preventing the AVZ process from being intercepted by address replacement !!)
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C882FD8
Hook kernel32.dll:LoadLibraryExW (580) blocked
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->7C882FC4
Hook kernel32.dll:LoadLibraryW (581) blocked
 Analysis: ntdll.dll, export table found in section: .text
 Analysis: user32.dll, export table found in section: .text
 Analysis: advapi32.dll, export table found in section: .text
 Analysis: ws2_32.dll, export table found in section: .text
 Analysis: wininet.dll, export table found in section: .text
 Analysis: rasapi32.dll, export table found in section: .text
 Analysis: urlmon.dll, export table found in section: .text
 Analysis: netapi32.dll, export table found in section: .text
1.4 Searching for masking processes and drivers
 The extended monitoring driver (AVZPM) is not installed, examination is not performed
2. Scanning memory
 Number of processes found: 30
Analyzer - the process under analysis is 604 C:\WINDOWS\System32\smss.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer - the process under analysis is 684 C:\WINDOWS\system32\csrss.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer - the process under analysis is 708 C:\WINDOWS\system32\winlogon.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\winlogon.exe contains network functionality (netapi32.dll,ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 752 C:\WINDOWS\system32\services.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\services.exe contains network functionality (netapi32.dll,ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 764 C:\WINDOWS\system32\lsass.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\lsass.exe contains network functionality (ws2_32.dll,ws2help.dll,netapi32.dll)
Analyzer - the process under analysis is 924 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe contains network functionality (ws2_32.dll,ws2help.dll,netapi32.dll)
Analyzer - the process under analysis is 980 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing?
Process c:\windows\system32\svchost.exe contains network functionality (ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 1124 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing?
Process c:\windows\system32\svchost.exe contains network functionality (netapi32.dll,ws2_32.dll,ws2help.dll,wininet.dll,rasapi32.dll,tapi32.dll,es.dll,urlmon.dll)
Analyzer - the process under analysis is 1192 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe contains network functionality (ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 1368 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe contains network functionality (ws2_32.dll,ws2help.dll,wininet.dll,urlmon.dll)
Analyzer - the process under analysis is 1524 C:\WINDOWS\system32\spoolsv.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing?
Process c:\windows\system32\spoolsv.exe contains network functionality (ws2_32.dll,ws2help.dll,netapi32.dll)
Process c:\windows\explorer.exe contains network functionality (netapi32.dll,wininet.dll,urlmon.dll,ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 1804 C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Process c:\programme\lavasoft\ad-aware 2007\aawservice.exe contains network functionality (wininet.dll,ws2_32.dll,ws2help.dll)
c:\programme\gemeinsame dateien\apple\mobile device support\bin\applemobiledeviceservice.exe >>> suspicion for Trojan-Downloader.Win32.Agent.alu ( 0057B1AC 08CD5FC5 001E52D2 001E5272 106496)
Process c:\programme\gemeinsame dateien\apple\mobile device support\bin\applemobiledeviceservice.exe contains network functionality (ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 1992 C:\WINDOWS\system32\nvsvc32.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\nvsvc32.exe contains network functionality (netapi32.dll,ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 308 C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Process c:\programme\java\jre1.6.0_02\bin\jusched.exe contains network functionality (wininet.dll)
Analyzer - the process under analysis is 324 C:\WINDOWS\system32\ctfmon.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
>>> The real size is supposed to be  2494464
Analyzer - the process under analysis is 332 C:\Programme\FPSoftware\FPFiles\FPQuickBar.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
[ES]:Registered in autoruns !!
Process c:\programme\fpsoftware\fpfiles\fpquickbar.exe contains network functionality (netapi32.dll,urlmon.dll)
Analyzer - the process under analysis is 416 C:\WINDOWS\Alt+Q Hotkey.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Registered in autoruns !!
>>> The real size is supposed to be  2158592
Analyzer - the process under analysis is 556 C:\Programme\FPSoftware\FPFiles\BioManager\BioLogin\Autologin.exe
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
Analyzer - the process under analysis is 564 C:\Programme\FPSoftware\FPFiles\BioManager\FPLock\FPLock.exe
[ES]:Application has no visible windows
[ES]:EXE runtime packer ?
Process c:\programme\fpsoftware\fpfiles\biomanager\fplock\fplock.exe contains network functionality (netapi32.dll)
Analyzer - the process under analysis is 1712 C:\WINDOWS\System32\alg.exe
[ES]:Contains network functionality
[ES]:Listens TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\alg.exe contains network functionality (ws2_32.dll,ws2help.dll)
Analyzer - the process under analysis is 1020 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\windows\system32\svchost.exe contains network functionality (ws2_32.dll,ws2help.dll)
Process c:\programme\mozilla firefox\firefox.exe contains network functionality (ws2_32.dll,ws2help.dll,netapi32.dll,urlmon.dll)
Analyzer - the process under analysis is 1056 C:\WINDOWS\system32\wuauclt.exe
[ES]:Application has no visible windows
[ES]:Located in system folder
Process c:\programme\icqlite\icqlite.exe contains network functionality (ws2_32.dll,ws2help.dll,wininet.dll,netapi32.dll,rasapi32.dll,tapi32.dll,urlmon.dll)
Analyzer - the process under analysis is 2408 C:\Programme\Windows Media Player\wmplayer.exe
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing?
Process c:\programme\windows media player\wmplayer.exe contains network functionality (wininet.dll,urlmon.dll,rasapi32.dll,ws2_32.dll,ws2help.dll,netapi32.dll,tapi32.dll)
Analyzer - the process under analysis is 3788 C:\Programme\CCleaner\ccleaner.exe
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing?
Process c:\programme\ccleaner\ccleaner.exe contains network functionality (wininet.dll,urlmon.dll,rasapi32.dll,ws2_32.dll,ws2help.dll,netapi32.dll,tapi32.dll)
 Number of modules loaded: 308
Memory checking - complete
3. Scanning disks
C:\WINDOWS\TEMP\avz_3012_1.tmp Spanning not supported by this Archive type
C:\Dokumente und Einstellungen\Deniz\Desktop\Kiss-Bot.rar/{RAR}/Kiss-Bot\Knuddels Kiss-Bot.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 0043F699 00131D11 001264F8 002B7C69 20480)
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe >>> suspicion for Trojan-Downloader.Win32.Agent.alu ( 0057B1AC 08CD5FC5 001E52D2 001E5272 106496)
C:\WINDOWS\system32\chcp.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\chcp.com" quarantined succesfully
C:\WINDOWS\system32\diskcomp.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\diskcomp.com" quarantined succesfully
C:\WINDOWS\system32\diskcopy.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\diskcopy.com" quarantined succesfully
C:\WINDOWS\system32\edit.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\edit.com" quarantined succesfully
C:\WINDOWS\system32\format.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\format.com" quarantined succesfully
C:\WINDOWS\system32\graftabl.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\graftabl.com" quarantined succesfully
C:\WINDOWS\system32\mode.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\mode.com" quarantined succesfully
C:\WINDOWS\system32\more.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\more.com" quarantined succesfully
C:\WINDOWS\system32\tree.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\tree.com" quarantined succesfully
C:\WINDOWS\system32\win.com - PE file with modified extension, allowing its launch (often typical for viruses)(danger level 35%)
File "C:\WINDOWS\system32\win.com" quarantined succesfully
C:\WINDOWS\Temp\Rar$EX01.907\Kiss-Bot\Knuddels Kiss-Bot.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 0043F699 00131D11 001264F8 002B7C69 20480)
Direct reading C:\WINDOWS\Temp\~DF6D11.tmp
Direct reading C:\WINDOWS\Temp\~DF6D24.tmp
Direct reading C:\WINDOWS\Temp\~DF6D37.tmp
Direct reading C:\WINDOWS\Temp\~DF6D4A.tmp
Direct reading C:\WINDOWS\Temp\~DF6F0.tmp
Direct reading C:\WINDOWS\Temp\~DF707.tmp
Direct reading C:\WINDOWS\Temp\~DF71E.tmp
Direct reading C:\WINDOWS\Temp\~DF737.tmp
Direct reading C:\WINDOWS\Temp\~DF81AD.tmp
Direct reading C:\WINDOWS\Temp\~DF81C0.tmp
Direct reading C:\WINDOWS\Temp\~DF81D3.tmp
Direct reading C:\WINDOWS\Temp\~DF81E6.tmp
Direct reading C:\WINDOWS\Temp\~DFC9C0.tmp
Direct reading C:\WINDOWS\Temp\~DFCE88.tmp
 


the rest:

4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\winspool.drv --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\winspool.drv>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\winspool.drv" quarantined succesfully
C:\WINDOWS\system32\RICHED32.DLL --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\RICHED32.DLL>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\RICHED32.DLL" quarantined succesfully
C:\WINDOWS\system32\RICHED20.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\RICHED20.dll>>> Behavioral analysis:
  1. Reacts to events: keyboard
  2. Polls the keys state
C:\WINDOWS\system32\RICHED20.dll>>> Neural net: file with probability of 50,00% like a typical keyboard/mouse events interceptor
File "C:\WINDOWS\system32\RICHED20.dll" quarantined succesfully
C:\WINDOWS\system32\mstask.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\mstask.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
C:\WINDOWS\system32\NTDSAPI.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\NTDSAPI.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\NTDSAPI.dll" quarantined succesfully
C:\WINDOWS\system32\WLDAP32.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\WLDAP32.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\WLDAP32.dll" quarantined succesfully
C:\WINDOWS\system32\ntshrui.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\ntshrui.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\ntshrui.dll" quarantined succesfully
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll" quarantined succesfully
C:\WINDOWS\system32\shgina.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\shgina.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\shgina.dll" quarantined succesfully
C:\WINDOWS\system32\MSGINA.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\MSGINA.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\MSGINA.dll" quarantined succesfully
C:\WINDOWS\system32\WINSTA.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\WINSTA.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\WINSTA.dll" quarantined succesfully
C:\WINDOWS\system32\ODBC32.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\ODBC32.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\ODBC32.dll" quarantined succesfully
C:\WINDOWS\system32\odbcint.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\odbcint.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\odbcint.dll" quarantined succesfully
C:\WINDOWS\system32\Audiodev.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\Audiodev.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\Audiodev.dll" quarantined succesfully
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
 checking disabled by user
7. Heuristic system check

regards, deniz

Evaluating without the complete log file (the header) I find absolutely silly.


What do you mean, without the complete log file? It's all complete!

Hello,
I'd assume a clean system.. ;D
This one is in the temporary files and can be cleaned out with "CCleaner" when you get the chance... 8)

Quote
C:\WINDOWS\Temp\Rar$EX01.907\Kiss-Bot\Knuddels Kiss-Bot.exe >>> suspicion for IM-Worm.Win32.VB.ao ( 0043F699 00131D11 001264F8 002B7C69 20480)

No signs of an infection with anything.... ;D
That doesn't mean all that much for now, but you can live with it ... ;)
Sir Reklov
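Section 5 of the AVZ log above flags and quarantines more than a dozen DLLs from C:\WINDOWS\system32 and WinSxS on the static suspicion "Keylogger or Trojan DLL", while AVZ's own closing note says not to delete such files. As an added example (not code from the thread or from AVZ), the Python script below parses that section into one record per file, keeps the behavioural findings and the neural-net score AVZ reported for it, and grades each record: "review" when there is behavioural evidence or a score of at least 50%, otherwise "static-only". The sample is a subset of the thread's own section-5 output; the 50% threshold, the grade names and the function names are my choices for this example, not AVZ settings.

```python
"""Triage helper for section 5 of an AVZ log (added example; not code from the
thread or from AVZ). One record per suspected DLL, graded by the evidence AVZ
actually reported rather than by the 'Suspicion' line alone."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample: a subset of the section-5 output posted in the thread.
SAMPLE_LOG = r"""
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\winspool.drv --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\winspool.drv>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\system32\winspool.drv" quarantined succesfully
C:\WINDOWS\system32\RICHED20.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\RICHED20.dll>>> Behavioral analysis:
  1. Reacts to events: keyboard
  2. Polls the keys state
C:\WINDOWS\system32\RICHED20.dll>>> Neural net: file with probability of 50,00% like a typical keyboard/mouse events interceptor
File "C:\WINDOWS\system32\RICHED20.dll" quarantined succesfully
C:\WINDOWS\system32\mstask.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\mstask.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll>>> Behavioral analysis:
 Behaviour typical for keyloggers not detected
File "C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll" quarantined succesfully
Note: Do NOT delete suspicious files, send them for analysis  (see FAQ for more details),  because there are lots of useful hooking DLLs
"""

SUSPECT_RE = re.compile(r"^(?P<path>.+?) --> Suspicion for a Keylogger or Trojan DLL\s*$")
EVIDENCE_RE = re.compile(r"^\s+\d+\.\s+(?P<text>.+?)\s*$")        # "  1. Reacts to events: keyboard"
NEURAL_RE = re.compile(r">>> Neural net: file with probability of (?P<pct>[\d,.]+)%")
QUARANTINE_RE = re.compile(r'^File "(?P<path>.+)" quarantined')   # AVZ misspells "succesfully"; not matched on

REVIEW_THRESHOLD_PCT = 50.0   # example threshold chosen here, not an AVZ setting


@dataclass
class Suspect:
    path: str
    evidence: List[str] = field(default_factory=list)   # behavioural findings AVZ listed
    neural_net_pct: Optional[float] = None              # "50,00%" -> 50.0
    quarantined: bool = False


def parse_section5(log_text: str) -> List[Suspect]:
    records: List[Suspect] = []
    current: Optional[Suspect] = None
    for line in log_text.splitlines():
        m = SUSPECT_RE.match(line)
        if m:
            current = Suspect(path=m.group("path").strip())
            records.append(current)
            continue
        if current is None:
            continue          # section heading or text before the first suspect
        m = EVIDENCE_RE.match(line)
        if m:
            current.evidence.append(m.group("text"))
            continue
        m = NEURAL_RE.search(line)
        if m:
            current.neural_net_pct = float(m.group("pct").replace(",", "."))
            continue
        m = QUARANTINE_RE.match(line)
        if m and m.group("path") == current.path:
            current.quarantined = True
    return records


def grade(s: Suspect) -> str:
    strong_score = s.neural_net_pct is not None and s.neural_net_pct >= REVIEW_THRESHOLD_PCT
    return "review" if s.evidence or strong_score else "static-only"


def in_system_location(path: str) -> bool:
    # Files here are better compared against a known-good copy than deleted
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\winsxs\\"))


def analyze_section5(log_text: str) -> List[dict]:
    return [
        {"path": s.path, "evidence": s.evidence, "neural_net_pct": s.neural_net_pct,
         "quarantined": s.quarantined, "grade": grade(s),
         "system_location": in_system_location(s.path)}
        for s in parse_section5(log_text)
    ]


if __name__ == "__main__":
    for r in analyze_section5(SAMPLE_LOG):
        flags = ", ".join(r["evidence"]) or "no behavioural evidence"
        print(f"{r['grade']:11} {'Q' if r['quarantined'] else '-'} {r['path']}  [{flags}]")
```

Applied to the full log, nearly every file ends up "static-only" and all of them sit in a Windows system location, which matches the reading given in the reply above that there is no sign of infection. The one "review" entry, RICHED20.dll, is graded that way only because it reacts to keyboard events and polls key state, which an edit-control library would be expected to do; the grade marks it for a human to look at, not as a verdict.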


Okay, thanks!!
G-Data also found the Kiss Bot on my machine :-) so I deleted it!


regards, deniz

