Pests of all kinds and their removal: eScan findings! Please help!
10.01.2006, 12:18 #1

eScan findings! Please help!

Hello everyone! I'd be glad if you could help me evaluate the Virus Log Information. Apparently quite a bit was found. Many thanks in advance!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Findings for "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 01:01:49 2006 => System found infected with cws.loadadv.400 Browser Hijacker (ms1.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:49 2006 => System found infected with cws.loadadv.401 Browser Hijacker (tool3.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:50 2006 => System found infected with elite toolbar Spyware/Adware (toolbar.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:50 2006 => System found infected with paymite Trojan-Spy (paytime.exe)! Action taken: No Action Taken.
Tue Jan 10 01:51:48 2006 => Scanning Folder: D:\Programme\AVPersonalPremium\INFECTED\*.*
Tue Jan 10 01:51:51 2006 => Scanning Folder: D:\Programme\AVPersonalPremium\MAIL\INFECTED\*.*
Tue Jan 10 02:05:01 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Inbox infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:36:08 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:36:23 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Trash infected by "Email-Worm.Win32.Bagle.bq" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:40:52 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:41:23 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:44:46 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:47:55 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:45:04 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:48:09 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:48:35 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:50:34 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:53:12 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:13:36 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:16:38 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:17:02 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:19:05 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:21:41 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:25:06 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Inbox infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:54 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Trash infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:54 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:59 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Trash infected by "Email-Worm.Win32.Bagle.bq" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:56:27 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:56:55 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 05:00:05 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 05:03:03 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 07:57:55 2006 => Total Disinfected Objects: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Findings for "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024635.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024637.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024638.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024639.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 03:25:59 2006 => File E:\03-Setups\weitere\tightvnc-1.2.9-setup.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.h. No Action Taken.
Tue Jan 10 05:08:56 2006 => File E:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0025664.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 07:57:43 2006 => File G:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0026076.exe tagged as "not-a-virus:Porn-Dialer.Win32.Intexdial". Action Taken: No Action Taken.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Findings for "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 01:01:49 2006 => Offending file found: C:\WINDOWS\ms1.exe
Tue Jan 10 01:01:49 2006 => Offending file found: C:\WINDOWS\tool3.exe
Tue Jan 10 01:01:50 2006 => Offending file found: C:\WINDOWS\toolbar.exe
Tue Jan 10 01:01:50 2006 => Offending file found: C:\WINDOWS\system32\paytime.exe
Tue Jan 10 01:01:53 2006 => Offending Folder found: C:\Dokumente und Einstellungen\All Users\Dokumente\linotype library goldedition 1.7 cd2 (true type fonts)\goldedition 1.7 pc tt\goldedition 1.7 pc tt family\f\forbes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistics:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 07:57:55 2006 => Total Errors: 25
Tue Jan 10 07:57:55 2006 => Time Elapsed: 06:47:15
Tue Jan 10 07:57:55 2006 => Total Objects Scanned: 237966
Tue Jan 10 01:00:31 2006 => Virus Database Date: 1/10/2006
Tue Jan 10 07:57:55 2006 => Virus Database Date: 1/10/2006
Tue Jan 10 10:21:55 2006 => Virus Database Date: 1/10/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Thanks to Cidre ~~~~~~~
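The log above mixes four kinds of eScan line that call for different handling: executables eScan saw live on the system ("System found infected"), infected objects inside files, "not-a-virus" riskware, and the "Offending file" paths that map the first group to disk. The Python below is an added example, not code from the post or from eScan: it parses sample lines constructed in the same format (paths shortened) and sorts them into buckets, treating hits inside Mozilla mbox files (Inbox, Trash) as stored mail rather than running malware and hits under System Volume Information as restore-point copies. The bucket rules and the sample lines are this example's own assumptions.

```python
"""Triage of eScan log lines into buckets that need different handling.

Added example for this thread, not code from the original post or from eScan.
The sample lines are constructed in the format the post shows; the bucketing
rules (live executable vs. mail store vs. restore point) are assumptions of
this example, not anything eScan itself reports.
"""
import re
from collections import defaultdict

# Constructed sample in eScan's line format, abbreviated from the post (paths shortened).
SAMPLE_LOG = r"""
Tue Jan 10 01:01:49 2006 => System found infected with cws.loadadv.400 Browser Hijacker (ms1.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:50 2006 => System found infected with paymite Trojan-Spy (paytime.exe)! Action taken: No Action Taken.
Tue Jan 10 02:05:01 2006 => File D:\Programme\mozilla\Profile\b5a5xhu0.slt\Mail\192.168.0-3.1\Inbox infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:36:08 2006 => File D:\Programme\mozilla\Profile\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024635.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 03:25:59 2006 => File E:\03-Setups\weitere\tightvnc-1.2.9-setup.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.h. No Action Taken.
Tue Jan 10 07:57:43 2006 => File G:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0026076.exe tagged as "not-a-virus:Porn-Dialer.Win32.Intexdial". Action Taken: No Action Taken.
Tue Jan 10 01:01:49 2006 => Offending file found: C:\WINDOWS\ms1.exe
Tue Jan 10 01:01:50 2006 => Offending file found: C:\WINDOWS\system32\paytime.exe
Tue Jan 10 07:57:55 2006 => Total Disinfected Objects: 0
"""

# Every finding starts with a ctime-style timestamp and " => ".
TS = r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) => "
PATTERNS = {
    # eScan's own verdict that a known-bad executable is present on the system.
    "system": re.compile(TS + r"System found infected with (?P<name>.+?) \((?P<file>[^)]+)\)!"),
    # An infected object inside a file (archive, mailbox, ...).
    "file": re.compile(TS + r'File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus!'),
    # Riskware; the name is sometimes quoted, sometimes not, and always ends with "." before a space.
    "tagged": re.compile(TS + r'File (?P<path>.+?) tagged as "?(?P<name>not-a-virus:\S+?)"?\.\s'),
    # On-disk location for the "system" findings.
    "offending": re.compile(TS + r"Offending (?:file|Folder) found: (?P<path>.+)$"),
}

# Assumption: Mozilla/Thunderbird mbox files live under ...\Mail\<server>\<folder>.
MAIL_STORE = re.compile(r"\\Mail\\.*\\(?:Inbox|Trash|Sent|Drafts|Templates|Unsent Messages)$", re.I)
# Assumption: System Restore copies live under <drive>:\System Volume Information\_restore{GUID}.
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.I)

BUCKET_ORDER = ("active_malware", "offending_paths", "file_infected",
                "riskware", "mail_store", "restore_point_riskware")


def triage(log_text):
    """Group eScan findings by what the operator has to do about them."""
    buckets = defaultdict(list)
    for line in log_text.strip().splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            if kind == "system":
                buckets["active_malware"].append((d["name"], d["file"]))
            elif kind == "offending":
                buckets["offending_paths"].append(d["path"])
            elif kind == "file" and MAIL_STORE.search(d["path"]):
                # Worm attachments sitting in an mbox file are not running;
                # delete the mails and compact the folder.
                buckets["mail_store"].append((d["name"], d["path"]))
            elif kind == "file":
                buckets["file_infected"].append((d["name"], d["path"]))
            elif RESTORE_POINT.search(d["path"]):
                # Restore-point copies come back on a System Restore; clear
                # the restore points once the live system is clean.
                buckets["restore_point_riskware"].append((d["name"], d["path"]))
            else:
                # Remote-admin tools and similar the user may have installed on purpose.
                buckets["riskware"].append((d["name"], d["path"]))
            break  # a line matches at most one pattern
    return buckets


def summarize(log_text):
    """Counts per bucket, in the order a responder should work through them."""
    buckets = triage(log_text)
    return {name: len(buckets[name]) for name in BUCKET_ORDER}


def first_actions(log_text):
    """Paths to quarantine first: what eScan saw live, plus infected files outside mail stores."""
    buckets = triage(log_text)
    return list(buckets["offending_paths"]) + [p for _, p in buckets["file_infected"]]


if __name__ == "__main__":
    for name, n in summarize(SAMPLE_LOG).items():
        print(f"{name:24s} {n}")
    print("quarantine first:", *first_actions(SAMPLE_LOG), sep="\n  ")
```

Run against the full log in the post, the four "System found infected" entries and their "Offending file" paths end up at the top of the list, the many mailbox hits are stored mail in the current and backed-up Mozilla profiles, and all WinVNC hits except the TightVNC installer are restore-point copies.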
10.01.2006, 20:54 #2

eScan findings! Please help!

I should have mentioned this right away. I had a pest that launched the application ibm00001.exe from the registry. Exactly as described in this thread: http://www.trojaner-board.de/showthread.php?t=25171

I've since fixed it and hope everything is OK now. But the eScan findings still worry me. It would be nice if someone could comment on them. Here is a current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:09:13, on 10.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
D:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
d:\Programme\FRITZ!DSL\IGDCTRL.EXE
d:\Programme\AVPersonalPremium\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
D:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
D:\Programme\D-Tools\daemon.exe
D:\Programme\AVPersonalPremium\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
D:\xampp\mysql\bin\winmysqladmin.exe
D:\xampp\apache\bin\Apache.exe
D:\xampp\apache\bin\Apache.exe
E:\02 - Sicherheit\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Acrobat 6.0 Professional\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Acrobat 6.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Acrobat 6.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1031
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVGCtrl] D:\Programme\AVPersonalPremium\AVGNT.EXE /min
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Verknüpfung mit apache_start.bat.lnk = D:\xampp\apache_start.bat
O4 - Startup: WinMySQLadmin.lnk = D:\xampp\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB471ABE-5D18-4883-8EC1-7350DE1A69D0}: NameServer = 192.168.1.253
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - AntiVir PersonalProducts GmbH. - D:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - D:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
O23 - Service: AVE Service (AVEService) - AntiVir PersonalProducts GmbH - D:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
O23 - Service: AVM IGD CTRL Service - AVM Berlin - d:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - d:\Programme\AVPersonalPremium\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
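A HijackThis log is read section by section: O4 autoruns, the O10 Winsock LSP state, O16 ActiveX controls downloaded from the web, the O17 DNS servers and O23 services. The Python below is an added example, not code from the post or from HijackThis; it applies a few review heuristics to sample entries constructed in HJT's line format and modelled on the log above. The O4 line for ms1.exe is constructed so that the autorun rule has something to fire on (ms1.exe is an eScan finding in the first post, not an entry in this HJT log), and the rules themselves (an autorun binary sitting directly in the Windows folder, any O10 entry, any O16 download, a non-private DNS server, an O23 service with "Unknown owner") are this example's own assumptions.

```python
"""Heuristic review of HijackThis (v1.99) log entries.

Added example, not code from the original post or from HijackThis. The sample
entries are constructed in HJT's line format, modelled on the log in the
thread; the O4 entry for ms1.exe is constructed so the autorun rule fires.
The review rules are this example's own heuristics, not HJT's logic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample entries (HJT format).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1031
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\ms1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB471ABE-5D18-4883-8EC1-7350DE1A69D0}: NameServer = 192.168.1.253
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - D:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token of the command line if it is an .exe (with or without quotes).
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[^"]+?\.exe)\b', re.I)
# Heuristic: a program started from Run that lives directly in <drive>:\WINDOWS\
# rather than in a program folder (where the eScan log placed ms1.exe, tool3.exe, toolbar.exe).
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)
O16_DPF = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (?P<ips>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _is_public(ip_text):
    """True for a resolver outside private/loopback space; unparsable text is treated as suspicious."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback)


def review(hjt_text):
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in hjt_text.strip().splitlines():
        if line.startswith("O10 - "):
            # A broken LSP chain leaves the machine without working networking; fix Winsock first.
            findings.append(("O10", "broken Winsock LSP chain; repair before removing anything else", line))
            continue
        m = O4_RUN.match(line)
        if m:
            e = EXE_IN_CMD.match(m["cmd"])
            if e and WINDIR_ROOT.match(e["exe"]):
                findings.append(("O4", f"autorun executable directly in the Windows folder: {e['exe']}", line))
            continue
        m = O16_DPF.match(line)
        if m:
            host = urlsplit(m["url"]).hostname
            findings.append(("O16", f"ActiveX control installed from {host}; remove unless still needed", line))
            continue
        m = O17_DNS.match(line)
        if m:
            public = [ip.strip() for ip in m["ips"].split(",") if _is_public(ip)]
            if public:
                findings.append(("O17", f"DNS server outside private ranges: {', '.join(public)}", line))
            continue
        m = O23_SVC.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(("O23", f"service {m['name']!r} has no vendor info: {m['path']}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in review(SAMPLE_HJT):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample, the O17 entry is left alone because 192.168.1.253 is a private address (the router), and the AntiVir service passes because it carries a vendor string; the flagged O23 entry is the XAMPP MySQL service, which is legitimate here but shows why "Unknown owner" should always be checked against what the user actually installed.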