
Log Analysis and Evaluation: Log for Analysis


17.04.2005, 19:42   #5
j-snake

Log for Analysis

Hello,

eScan has now finished running. Here is the result:

Sun Apr 17 15:26:24 2005 => Process c:\windows\system32\etkyqjd.exe Found running in Memory...
Sun Apr 17 15:26:24 2005 => *** Killing Infected Process c:\windows\system32\etkyqjd.exe...
Sun Apr 17 15:26:27 2005 => *** Killing Successful.
Sun Apr 17 15:26:27 2005 => Result: ERROR!!! File c:\windows\system32\etkyqjd.exe: Scanning Failure!!!
Sun Apr 17 15:26:27 2005 => c:\windows\system32\etkyqjd.exe possibly infected and removed by background antivirus package!
Sun Apr 17 15:26:27 2005 => File c:\windows\system32\etkyqjd.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File Deleted.
Sun Apr 17 15:26:42 2005 => ERROR!!! Unable to Delete file c:\windows\system32\hgydon.exe...Reason is The process cannot access the file because it is being used by another process. (0x20). File will be deleted on reboot.
Sun Apr 17 15:26:42 2005 => File c:\windows\system32\hgydon.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File to be deleted on reboot.
Sun Apr 17 15:26:42 2005 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\Run has RunningProcess defined as c:\windows\system32\hgydon.exe (which is infected)!
Sun Apr 17 15:26:42 2005 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzwkgg deleted because it is infected by a Virus
Sun Apr 17 15:27:02 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => System found infected with VX2 Spyware/Adware ({92daf5c1-2135-4e0c-b7a0-259abfcd3904})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => System found infected with VX2 Spyware/Adware ({bb0d5adc-028d-4185-9288-722ddce2c757})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => Deleting Registry Key: HKLM\Software\ist
Sun Apr 17 15:27:02 2005 => Offending value found in HKLM\Software\ist !!!
Sun Apr 17 15:27:02 2005 => System found infected with ist Spyware/Adware! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "ist Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:28:56 2005 => Clearing Internet Cache as Spyware/Adware found in system...
Sun Apr 17 15:28:57 2005 => Clearing Temporary sub-folders as Spyware/Adware found in system...
Sun Apr 17 15:29:08 2005 => File C:\WINDOWS\WLDR.DLL.VIR infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: File Deleted.
Sun Apr 17 15:39:23 2005 => File C:\Dokumente und Einstellungen\Jörg Stoellger\Anwendungsdaten\Opera\Opera7\profile\cache4\opr07IBJ.js infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: File Deleted.
Sun Apr 17 16:12:34 2005 => File C:\Dokumente und Einstellungen\Jörg Stoellger\Desktop\hijackthis\backups\backup-20050416-221543-491.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: File Deleted.
Sun Apr 17 17:39:53 2005 => File C:\Programme\AVPersonal\INFECTED\update12.VIR infected by "Trojan.JS.StartPage.a" Virus. Action Taken: File Deleted.
Sun Apr 17 18:43:48 2005 => File C:\RECYCLER\S-1-5-21-1244572991-645757453-568730901-500\Dc13.VIR infected by "P2P-Worm.Win32.Tibick.d" Virus. Action Taken: File Deleted.
Sun Apr 17 19:06:38 2005 => File I:\Angela Ordner\Eigene Dateien\Lustiges&Schönes\Penis.exe infected by "not-virus:Joke.Win32.Delf.m" Virus. Action Taken: File Renamed.
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0B4FA8AE.056 infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.

Sun Apr 17 19:11:52 2005 => Scanning File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0FA3EEAC.39A
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0FA3EEAC.39A infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.

Sun Apr 17 19:11:52 2005 => Scanning File I:\Angela Ordner\Programme\AVPersonal\INFECTED\286D24D4.043
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\286D24D4.043 infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.

I then ran HijackThis once more. Here is the result:

Logfile of HijackThis v1.99.1
Scan saved at 20:36:03, on 17.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\oracle\ora90\bin\omtsreco.exe
C:\oracle\ora90\bin\agntsrvc.exe
C:\oracle\ora90\BIN\TNSLSNR.exe
c:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora90\bin\dbsnmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\sokscmnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\sokscmpn.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Jörg Stoellger\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHIPDRIVEPinManager] C:\WINDOWS\System32\sokscmpn.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.arcor.de/vod/dmd/WMDownload.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora90\bin\omtsreco.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - C:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - C:\oracle\ora90\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome90PagingServer - Unknown owner - C:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - C:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLE - Oracle Corporation - c:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: CHIPDRIVE Smartcard Office Kernel (SCM_Smart_Card_Office_Kernel) - SCM Microsystems - C:\WINDOWS\System32\sokscmnt.exe

After restarting the system, I could not see anything suspicious in Task Manager or in the files.

What do you think? As far as I'm concerned, the system is clean again. It worked really well with eScan. I can only recommend it.

I'd be grateful for some brief feedback.

Regards

j-
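As an added triage example (not part of j-snake's post and not code from the eScan or HijackThis tools), the script below parses the eScan "File ... infected by ..." lines and the HijackThis O4/O23 entries, lists what eScan could only schedule for deletion at the next reboot, flags services whose binary is missing or whose owner is unknown for manual review, and cross-checks whether any path eScan reported still shows up in the later HijackThis log. The two log excerpts are copied verbatim from the post above; the regular expressions are assumptions about the two log formats drawn from those lines, and the one extra O4 line in HJT_LOG_RESIDUAL is constructed (it is not in the post) to show what a leftover autorun entry would look like.

```python
"""Triage helpers for eScan and HijackThis logs.

Added example, not code from the post or from the eScan/HijackThis tools.
The regular expressions are assumptions about the two log formats, derived
from the lines as they appear in the post.
"""
import re
from collections import Counter

# Excerpt copied from the eScan log in the post (verbatim lines).
ESCAN_LOG = r"""
Sun Apr 17 15:26:27 2005 => File c:\windows\system32\etkyqjd.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File Deleted.
Sun Apr 17 15:26:42 2005 => File c:\windows\system32\hgydon.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File to be deleted on reboot.
Sun Apr 17 15:26:42 2005 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzwkgg deleted because it is infected by a Virus
Sun Apr 17 15:27:02 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:29:08 2005 => File C:\WINDOWS\WLDR.DLL.VIR infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: File Deleted.
Sun Apr 17 18:43:48 2005 => File C:\RECYCLER\S-1-5-21-1244572991-645757453-568730901-500\Dc13.VIR infected by "P2P-Worm.Win32.Tibick.d" Virus. Action Taken: File Deleted.
"""

# Excerpt copied from the HijackThis log in the post (verbatim lines).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\sokscmnt.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - C:\oracle\ora90\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: CHIPDRIVE Smartcard Office Kernel (SCM_Smart_Card_Office_Kernel) - SCM Microsystems - C:\WINDOWS\System32\sokscmnt.exe
"""

# Constructed (NOT in the post): the same log with the Run value eScan removed
# put back, to show what a residual autorun hit looks like.
HJT_LOG_RESIDUAL = HJT_LOG + "O4 - HKLM\\..\\Run: [qzwkgg] c:\\windows\\system32\\hgydon.exe\n"

# Assumed line shapes, taken from the post's logs.
ESCAN_FILE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) => File '
    r'(?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.?$'
)
ESCAN_REG_RE = re.compile(r'^.+ => \*\*\* Reg Value (?P<key>\S+) deleted because it is infected')
HJT_O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


def parse_escan(log):
    """Return (findings, removed_run_values) from an eScan log."""
    findings, reg = [], []
    for line in log.splitlines():
        m = ESCAN_FILE_RE.match(line)
        if m:
            d = m.groupdict()
            # "File System Found infected by ..." lines are registry/COM hits, not files.
            d["kind"] = "registry" if d["path"] == "System Found" else "file"
            findings.append(d)
            continue
        m = ESCAN_REG_RE.match(line)
        if m:
            reg.append(m.group("key"))
    return findings, reg


def summarize(findings):
    """Count detections per signature name."""
    return Counter(f["name"] for f in findings)


def pending_reboot(findings):
    """Files eScan could not delete while running (locked) and deferred to reboot."""
    return [f["path"] for f in findings if "reboot" in f["action"].lower()]


def parse_hjt(log):
    """Extract running processes, O4 autoruns and O23 services from a HijackThis log."""
    procs, autoruns, services, in_procs = [], [], [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line.strip():
                in_procs = False      # the process list ends at the first blank line
            else:
                procs.append(line.strip())
            continue
        m = HJT_O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
            continue
        m = HJT_O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"processes": procs, "autoruns": autoruns, "services": services}


def suspicious_services(hjt):
    """Services to review by hand: binary missing, or HijackThis could not name the owner."""
    out = []
    for s in hjt["services"]:
        if "(file missing)" in s["path"]:
            out.append((s["name"], "file missing"))
        elif s["owner"] == "Unknown owner":
            out.append((s["name"], "unknown owner"))
    return out


def residual_hits(findings, hjt):
    """Paths eScan reported that still appear as a process, autorun or service afterwards."""
    bad = {f["path"].lower() for f in findings if f["kind"] == "file"}
    seen = hjt["processes"] + [a["cmd"] for a in hjt["autoruns"]] + [s["path"] for s in hjt["services"]]
    return sorted({p for p in bad for s in seen if p in s.lower()})


if __name__ == "__main__":
    found, removed = parse_escan(ESCAN_LOG)
    print("detections:", dict(summarize(found)))
    print("removed Run values:", removed)
    print("deferred to reboot, verify by hand:", pending_reboot(found))
    hjt = parse_hjt(HJT_LOG)
    print("services to review:", suspicious_services(hjt))
    print("residual hits (post's log):", residual_hits(found, hjt))
    print("residual hits (constructed log):", residual_hits(found, parse_hjt(HJT_LOG_RESIDUAL)))
```

On the post's own logs the cross-check comes back empty, which matches what the poster saw after the reboot; the `hgydon.exe` entry that eScan could only defer to reboot is exactly the kind of item worth confirming by hand afterwards, and the one "(file missing)" service here is an Oracle leftover that the check lists for review rather than as malware.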
