Trojaner-Board


Batti88 05.10.2005 13:06

Trojan-Downloader.Java.OpenConnection.aa, please check my logfile
 
Hi folks, it would be nice if you could check my log... Kaspersky said I had the trojan Trojan-Downloader.Java.OpenConnection.aa on my machine. Now it doesn't find anything anymore, but I'd rather have you take another look over it :party:

Logfile of HijackThis v1.99.1
Scan saved at 13:58:47, on 05.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Programme\IconManager\DcrServ.exe
D:\WINDOWS\system32\oodag.exe
D:\Programme\OO Software\CleverCache\ooccag.exe
D:\Programme\McAfee\McAfee Firewall\CPD.EXE
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Programme\McAfee\McAfee Firewall\CPD.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\nvraidservice.exe
D:\WINDOWS\System32\wbem\unsecapp.exe
D:\Programme\Siemens\Gigaset USB Adapter 54\PRISMSVR.EXE
D:\Programme\Java\jre1.5.0_04\bin\jusched.exe
D:\Programme\ATI Technologies\ATI.ACE\cli.exe
D:\Programme\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
D:\Programme\GhostSurf 2005\DeleteSatellite.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programme\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
D:\Programme\ATI Technologies\ATI.ACE\CLI.exe
D:\Programme\Siemens\Gigaset USB Adapter 54\GigasetUSBMonitor.exe
D:\Programme\ATI Technologies\ATI.ACE\cli.exe
D:\Programme\ICQLite\ICQLite.exe
D:\Programme\The All-Seeing Eye\eye.exe
D:\Programme\Valve\Steam\Steam.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\DOKUME~1\XXXXX\LOKALE~1\Temp\Rar$EX00.234\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - (no file)
O2 - BHO: (no name) - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\Programme\FlashFXP\IEFlash.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: (no name) - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [ATIPTA] D:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NVRaidService] D:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Programme\Siemens\Gigaset USB Adapter 54\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [McAfee Guardian] "D:\Programme\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "D:\Programme\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [DCPPaid] D:\WINDOWS\system32\DCPPaid.exe /P
O4 - HKLM\..\Run: [ooccctrl.exe] D:\Programme\OO Software\CleverCache\ooccctrl.exe /tasktray
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "D:\Programme\GhostSurf 2005\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] D:\Programme\ATI Multimedia\main\launchpd.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Programme\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "D:\Programme\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Programme\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = D:\Programme\Siemens\Gigaset USB Adapter 54\GigasetUSBMonitor.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Mit dem LeechGet Wizard laden - file://D:\Programme\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: Mit LeechGet herunterladen - file://D:\Programme\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Mit LeechGet parsen - file://D:\Programme\LeechGet 2005\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programme\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - D:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - D:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - D:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.c*m/molbin/is...92/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95E70D47-0365-4B65-A1B2-63743A14F685}: NameServer = 217.237.150.97 217.237.149.161
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DriveCrypt Service (DriveCryptService) - Unknown owner - D:\Programme\IconManager\DcrServ.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: McAfee Firewall - Unknown owner - D:\Programme\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - D:\Programme\OO Software\CleverCache\ooccag.exe

felix1 05.10.2005 13:36

In my opinion there are a few odd programs in there. That's why I recommend an eScan. Follow the instructions exactly and post the log generated by find.bat:
http://www.trojaner-board.de/showthr...ear#post140399

Batti88 05.10.2005 14:51

While I was waiting for your reply I had already run eScan, but thanks for the tip anyway :crazy:

Here are the results:

Wed Oct 05 14:21:50 2005 => **********************************************************
Wed Oct 05 14:21:50 2005 => MicroWorld Anti Virus & Spyware Toolkit Utility.
Wed Oct 05 14:21:50 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Wed Oct 05 14:21:50 2005 => **********************************************************
Wed Oct 05 14:21:50 2005 => Version 7.2.2 (C:\Bases_X\mwavscan.com)
Wed Oct 05 14:21:50 2005 => Log File: C:\Bases_X\MWAV.LOG
Wed Oct 05 14:21:50 2005 => MWAV Registered: FALSE.
Wed Oct 05 14:21:50 2005 => MWAV Mode: Only Scan files.
Wed Oct 05 14:21:50 2005 => Latest Date of files inside MWAV: 05 Oct 2005 11:09:48.
Wed Oct 05 14:21:53 2005 => AV Library Loaded...
Wed Oct 05 14:21:53 2005 => MWAV doing self scanning...
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\kavss.exe
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\Getvlist.exe
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\kavss.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\kavssdi.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\kavssi.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\kavvlg.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\msvlclnt.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\ipc.dll
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\main.avi
Wed Oct 05 14:21:53 2005 => Scanning File C:\Bases_X\virus.avi
Wed Oct 05 14:21:53 2005 => MWAV files are clean.
Wed Oct 05 14:21:58 2005 => Virus Database Date: 2005/10/05
Wed Oct 05 14:21:58 2005 => Virus Database Count: 152539

Wed Oct 05 14:22:24 2005 => **********************************************************
Wed Oct 05 14:22:24 2005 => MicroWorld Anti Virus & Spyware Toolkit Utility.
Wed Oct 05 14:22:24 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Wed Oct 05 14:22:24 2005 =>
Wed Oct 05 14:22:24 2005 => Support: support@mwti.n*t
Wed Oct 05 14:22:24 2005 => Web: http://***.mwti.net
Wed Oct 05 14:22:24 2005 => **********************************************************
Wed Oct 05 14:22:24 2005 => Version 7.2.2 (C:\Bases_X\mwavscan.com)
Wed Oct 05 14:22:24 2005 => Log File: C:\Bases_X\MWAV.LOG
Wed Oct 05 14:22:24 2005 => User Account: Administrator
Wed Oct 05 14:22:24 2005 => Windows Root Folder: D:\WINDOWS
Wed Oct 05 14:22:24 2005 => Windows Sys32 Folder: D:\WINDOWS\system32
Wed Oct 05 14:22:24 2005 => OS: Windows NT
Wed Oct 05 14:22:24 2005 => Latest Date of files inside MWAV: 05 Oct 2005 11:09:48.

Wed Oct 05 14:23:04 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Wed Oct 05 14:23:04 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Wed Oct 05 14:23:05 2005 => Indexed Spyware Databases Successfully Created...

Wed Oct 05 14:23:12 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Wed Oct 05 14:23:12 2005 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Wed Oct 05 14:23:13 2005 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Wed Oct 05 14:23:14 2005 => Offending Key found: HKLM\Software\freshdevices !!!
Wed Oct 05 14:23:14 2005 => Object "fresh devices Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 14:23:23 2005 => Offending Folder found: D:\Dokumente und Einstellungen\All Users\Startmenü\Programme\freshdevices
Wed Oct 05 14:23:23 2005 => Object "fresh devices Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 14:23:23 2005 => Offending Folder found: D:\Dokumente und Einstellungen\All Users\Startmenü\programme\freshdevices
Wed Oct 05 14:23:23 2005 => Object "fresh devices Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 15:04:33 2005 => File E:\Diverses\Zeuch\Installer\GDiVX1.9.9.5.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
Wed Oct 05 14:41:02 2005 => File D:\Programme\GDiVX Player\SuperBarInstall.exe tagged as "not-a-virus:AdWare.Win32.GigatechSuperBar". Action Taken: No Action Taken.

Wed Oct 05 15:09:38 2005 => Total Objects Scanned: 65129
Wed Oct 05 15:09:38 2005 => Total Virus(es) Found: 8
Wed Oct 05 15:09:38 2005 => Total Disinfected Files: 0


Since find.bat once again didn't work for me, I simply searched the log file for Infected & Tagged...

felix1 05.10.2005 14:58

Download and update Ad-aware and Spybot and run both programs.
http://www.comsafe.de/download.html
Install cleanup, launch it, tick the box for delete everything and then press Delete.
http://www.clearprog.de/

Delete the file mwav.log and run eScan again. Then post the result.

Batti88 05.10.2005 15:07

Already ran all the programs -> nothing

Also cleared the cache several times already, because the trojan was always located in there

I'll run eScan again now and then post the complete(?) log here.

:heilig:

Batti88 06.10.2005 00:43

Rewrote find.bat so that it works now :knuddel:

Here is the result:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Wed Oct 05 16:33:40 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Wed Oct 05 16:33:40 2005 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Wed Oct 05 16:33:40 2005 => System found infected with flashfxp Spyware/Adware ({e5a1691b-d188-4419-ad02-90002030b8ee})! Action taken: No Action Taken.
Wed Oct 05 16:43:18 2005 => File D:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Mozilla\Firefox\Profiles\aya34x67.Standard-Benutzer\Cache\CEB89764d01 infected by "Exploit.Win32.MS05-013.gen" Virus! Action Taken: No Action Taken.
Wed Oct 05 16:53:01 2005 => Scanning File D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\Infected.wav
Wed Oct 05 17:17:24 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Wed Oct 05 16:43:04 2005 => File D:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Mozilla\Firefox\Profiles\aya34x67.Standard-Benutzer\Cache\1934551Ad01 tagged as "not-a-virus:AdWare.Win32.SideSearch.g". Action Taken: No Action Taken.
Wed Oct 05 16:49:04 2005 => File D:\Programme\GDiVX Player\SuperBarInstall.exe tagged as "not-a-virus:AdWare.Win32.GigatechSuperBar". Action Taken: No Action Taken.
Wed Oct 05 17:12:02 2005 => File E:\Diverses\Zeuch\Installer\GDiVX1.9.9.5.exe tagged as "not-a-virus:AdWare.Win32.NewDotNet". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Statisktiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Wed Oct 05 16:33:41 2005 => Offending Key found: HKLM\Software\freshdevices !!!
Wed Oct 05 16:33:50 2005 => Offending Folder found: D:\Dokumente und Einstellungen\All Users\Startmenü\Programme\freshdevices
Wed Oct 05 16:33:50 2005 => Offending Folder found: D:\Dokumente und Einstellungen\All Users\Startmenü\programme\freshdevices
Wed Oct 05 17:17:24 2005 => Total Virus(es) Found: 10
Wed Oct 05 17:17:24 2005 => Total Errors: 92
Wed Oct 05 17:17:24 2005 => Time Elapsed: 00:44:58
Wed Oct 05 17:17:24 2005 => Total Objects Scanned: 63972
Wed Oct 05 16:29:47 2005 => Virus Database Date: 2005/10/05
Wed Oct 05 17:17:24 2005 => Virus Database Date: 2005/10/05
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~
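
Added example, not part of the thread and not the find.bat the poster used: a small Python triage script that does what find.bat does with MWAV.LOG, but matches the scanner's actual message shapes instead of a bare keyword. The find.bat output above shows why that matters: a plain substring search for "infected" also pulls in "Scanning File ...\Infected.wav" and "Total Disinfected Files: 0", which are not detections. The sample log lines are constructed, modelled on the MWAV.LOG format shown in the thread, with placeholder paths.

```python
import re

# Constructed sample modelled on the eScan MWAV.LOG format in the thread; paths are placeholders.
SAMPLE_LOG = """\
Wed Oct 05 16:29:47 2005 => Virus Database Date: 2005/10/05
Wed Oct 05 16:33:40 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Wed Oct 05 16:33:41 2005 => Offending Key found: HKLM\\Software\\example-adware !!!
Wed Oct 05 16:43:04 2005 => File D:\\Temp\\Cache\\1934551Ad01 tagged as "not-a-virus:AdWare.Win32.SideSearch.g". Action Taken: No Action Taken.
Wed Oct 05 16:43:18 2005 => File D:\\Temp\\Cache\\CEB89764d01 infected by "Exploit.Win32.MS05-013.gen" Virus! Action Taken: No Action Taken.
Wed Oct 05 16:53:01 2005 => Scanning File D:\\Programme\\AV\\Infected.wav
Wed Oct 05 17:17:24 2005 => Total Virus(es) Found: 10
Wed Oct 05 17:17:24 2005 => Total Disinfected Files: 0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) => (?P<msg>.*)$")

# Each detection message the scanner writes has a fixed shape; match that shape, not a bare keyword.
DETECTIONS = (
    ("infected", re.compile(r'^System found infected with (?P<name>.+?) \((?P<where>\{[0-9a-fA-F-]+\})\)!')),
    ("infected", re.compile(r'^File (?P<where>.+?) infected by "(?P<name>[^"]+)"')),
    ("tagged",   re.compile(r'^File (?P<where>.+?) tagged as "(?P<name>[^"]+)"')),
)
STATS_RE = re.compile(r"^(Offending (Key|Folder) found|Total |Virus Database Date|Time Elapsed)")
ACTION_RE = re.compile(r"Action [Tt]aken: (?P<action>.+?)\.?$")

def naive_grep(log_text, word):
    """What `find /i "word"` in a batch file does: case-insensitive substring match on every line."""
    return [line for line in log_text.splitlines() if word.lower() in line.lower()]

def triage(log_text):
    """Group MWAV.LOG lines into real detections ('infected', 'tagged') and scan statistics."""
    out = {"infected": [], "tagged": [], "stats": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped scanner line
        ts, msg = m.group("ts"), m.group("msg")
        for kind, rx in DETECTIONS:
            d = rx.match(msg)
            if d:
                act = ACTION_RE.search(msg)
                out[kind].append({"ts": ts, "name": d.group("name"), "where": d.group("where"),
                                  "action": act.group("action") if act else None})
                break
        else:  # no detection pattern matched: keep statistics lines, drop noise like "Scanning File ..."
            if STATS_RE.match(msg):
                out["stats"].append(msg)
    return out

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f'naive find "infected": {len(naive_grep(SAMPLE_LOG, "infected"))} lines, parsed: {len(r["infected"])} real detections')
    for kind in ("infected", "tagged"):
        for hit in r[kind]:
            print(f'[{kind}] {hit["ts"]}  {hit["name"]}  @ {hit["where"]}  ({hit["action"]})')
```

On the sample the naive search returns four "infected" lines, of which only two are detections; the parsed output also keeps the "Action Taken" field so a reviewer sees at a glance that nothing was cleaned.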

