Log analysis and evaluation: Log for analysis

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

#5
Log for analysis

Hello, eScan has now finished. Here is the result:

```text
Sun Apr 17 15:26:24 2005 => Process c:\windows\system32\etkyqjd.exe Found running in Memory...
Sun Apr 17 15:26:24 2005 => *** Killing Infected Process c:\windows\system32\etkyqjd.exe...
Sun Apr 17 15:26:27 2005 => *** Killing Successful.
Sun Apr 17 15:26:27 2005 => Result: ERROR!!! File c:\windows\system32\etkyqjd.exe: Scanning Failure!!!
Sun Apr 17 15:26:27 2005 => c:\windows\system32\etkyqjd.exe possibly infected and removed by background antivirus package!
Sun Apr 17 15:26:27 2005 => File c:\windows\system32\etkyqjd.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File Deleted.
Sun Apr 17 15:26:42 2005 => ERROR!!! Unable to Delete file c:\windows\system32\hgydon.exe...Reason is Der Prozess kann nicht auf die Datei zugreifen, da sie von einem anderen Prozess verwendet wird. (0x20). File will be deleted on reboot.
Sun Apr 17 15:26:42 2005 => File c:\windows\system32\hgydon.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File to be deleted on reboot.
Sun Apr 17 15:26:42 2005 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\Run has RunningProcess defined as c:\windows\system32\hgydon.exe (which is infected)!
Sun Apr 17 15:26:42 2005 => *** Reg Value SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzwkgg deleted because it is infected by a Virus
Sun Apr 17 15:27:02 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => System found infected with VX2 Spyware/Adware ({92daf5c1-2135-4e0c-b7a0-259abfcd3904})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => System found infected with VX2 Spyware/Adware ({bb0d5adc-028d-4185-9288-722ddce2c757})! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => Deleting Registry Key: HKLM\Software\ist
Sun Apr 17 15:27:02 2005 => Offending value found in HKLM\Software\ist !!!
Sun Apr 17 15:27:02 2005 => System found infected with ist Spyware/Adware! Action taken: Entries Removed.
Sun Apr 17 15:27:02 2005 => File System Found infected by "ist Spyware/Adware" Virus. Action Taken: Entries Removed.
Sun Apr 17 15:28:56 2005 => Clearing Internet Cache as Spyware/Adware found in system...
Sun Apr 17 15:28:57 2005 => Clearing Temporary sub-folders as Spyware/Adware found in system...
Sun Apr 17 15:29:08 2005 => File C:\WINDOWS\WLDR.DLL.VIR infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: File Deleted.
Sun Apr 17 15:39:23 2005 => File C:\Dokumente und Einstellungen\Jörg Stoellger\Anwendungsdaten\Opera\Opera7\profile\cache4\opr07IBJ.js infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: File Deleted.
Sun Apr 17 16:12:34 2005 => File C:\Dokumente und Einstellungen\Jörg Stoellger\Desktop\hijackthis\backups\backup-20050416-221543-491.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: File Deleted.
Sun Apr 17 17:39:53 2005 => File C:\Programme\AVPersonal\INFECTED\update12.VIR infected by "Trojan.JS.StartPage.a" Virus. Action Taken: File Deleted.
Sun Apr 17 18:43:48 2005 => File C:\RECYCLER\S-1-5-21-1244572991-645757453-568730901-500\Dc13.VIR infected by "P2P-Worm.Win32.Tibick.d" Virus. Action Taken: File Deleted.
Sun Apr 17 19:06:38 2005 => File I:\Angela Ordner\Eigene Dateien\Lustiges&Schönes\Penis.exe infected by "not-virus:Joke.Win32.Delf.m" Virus. Action Taken: File Renamed.
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0B4FA8AE.056 infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.
Sun Apr 17 19:11:52 2005 => Scanning File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0FA3EEAC.39A
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0FA3EEAC.39A infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.
Sun Apr 17 19:11:52 2005 => Scanning File I:\Angela Ordner\Programme\AVPersonal\INFECTED\286D24D4.043
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\286D24D4.043 infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.
```

Then I ran HijackThis once more. Here is the result:

```text
Logfile of HijackThis v1.99.1
Scan saved at 20:36:03, on 17.04.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\oracle\ora90\bin\omtsreco.exe
C:\oracle\ora90\bin\agntsrvc.exe
C:\oracle\ora90\BIN\TNSLSNR.exe
c:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora90\bin\dbsnmp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\sokscmnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\sokscmpn.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Jörg Stoellger\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHIPDRIVEPinManager] C:\WINDOWS\System32\sokscmpn.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://www.arcor.de/vod/dmd/WMDownload.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora90\bin\omtsreco.exe
O23 - Service: OracleOraHome90Agent - Oracle Corporation - C:\oracle\ora90\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - C:\oracle\ora90\Apache\Apache\apache.exe" --ntservice (file missing)
O23 - Service: OracleOraHome90PagingServer - Unknown owner - C:\oracle\ora90/bin/pagntsrv.exe
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora90\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora90\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome90TNSListener - Unknown owner - C:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLE - Oracle Corporation - c:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: CHIPDRIVE Smartcard Office Kernel (SCM_Smart_Card_Office_Kernel) - SCM Microsystems - C:\WINDOWS\System32\sokscmnt.exe
```

After restarting the system I could not see anything suspicious either in the Task Manager or in the files.

What do you think? For me the system is clean again. It really worked well with eScan. I can only recommend it. I would be grateful for a little feedback.

Regards, j-
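As an added example (not from the post, and not eScan's or HijackThis's own code), a small Python parser over a few of the eScan lines quoted above. It pulls out the two things a helper would want to verify before calling the system clean: the file eScan could only schedule for deletion at reboot, and the Run-key value that pointed at that infected binary. The line shapes, regexes and sample lines are assumptions reconstructed from the log in the post, not from any eScan documentation.

```python
import re
from datetime import datetime

# Constructed sample input: five lines copied from the eScan output quoted in the post above.
SAMPLE_LOG = r"""
Sun Apr 17 15:26:27 2005 => File c:\windows\system32\etkyqjd.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File Deleted.
Sun Apr 17 15:26:42 2005 => File c:\windows\system32\hgydon.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: File to be deleted on reboot.
Sun Apr 17 15:26:42 2005 => *** SOFTWARE\Microsoft\Windows\CurrentVersion\Run has RunningProcess defined as c:\windows\system32\hgydon.exe (which is infected)!
Sun Apr 17 15:29:08 2005 => File C:\WINDOWS\WLDR.DLL.VIR infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: File Deleted.
Sun Apr 17 19:11:52 2005 => File I:\Angela Ordner\Programme\AVPersonal\INFECTED\0B4FA8AE.056 infected by "not-a-virus:AdWare.180Solutions" Virus. Action Taken: File Deleted.
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
# Line shapes are assumed from the post's log, not taken from eScan documentation.
FILE_RE = re.compile(r'^(?P<ts>.+?) => File (?P<path>.+?) infected by '
                     r'"(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
AUTORUN_RE = re.compile(r'^(?P<ts>.+?) => \*\*\* (?P<key>\S+) has RunningProcess '
                        r'defined as (?P<path>.+?) \(which is infected\)!$')
NOT_MALWARE = ("not-a-virus:", "not-virus:")   # eScan's prefixes for adware/joke detections


def parse_escan(text):
    """Split an eScan log into per-file detections and Run-key (autostart) hits."""
    detections, autoruns = [], []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            detections.append({"time": datetime.strptime(m["ts"], TS_FMT),
                               "path": m["path"], "name": m["name"],
                               "action": m["action"]})
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append({"key": m["key"], "path": m["path"]})
    return detections, autoruns


def followups(text):
    """What still has to be verified after the reboot: files eScan could not
    delete while they were running, and autostart values that pointed at them."""
    detections, autoruns = parse_escan(text)
    return {
        "detections": len(detections),
        "malware": sorted({d["name"] for d in detections
                           if not d["name"].startswith(NOT_MALWARE)}),
        "pending_reboot": [d["path"] for d in detections if "reboot" in d["action"].lower()],
        "autostart": [(a["key"], a["path"]) for a in autoruns],
    }


if __name__ == "__main__":
    for key, value in followups(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `pending_reboot` or `autostart` list is the cue to confirm, after the restart, that the file is gone and the Run value has not been recreated.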