Trojaner-Board


steffen1977 14.11.2005 10:04

Please check my logs...
 
Hello everyone,

I too would like to ask for a review of my logs and need advice on how to proceed. First HijackThis, followed by eScan_neu.txt! Since this is a company computer, I have replaced the relevant links with "xxxxxxx".

Please help me get rid of these pests... ;-))

Regards

Steffen

-----------

Logfile of HijackThis v1.99.1
Scan saved at 09:36:48, on 14.11.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
c:\sapdb\programs\web\pgm\wahttp.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\sapdb\programs\pgm\serv.exe
c:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programme\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programme\TechSmith\SnagIt 7\SnagIt32.exe
C:\Programme\TechSmith\SnagIt 7\TSCHelp.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = xxx.xxx.1.16:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; xxxxx.sap.xxxxxx.de; h**p://xxxx.sap.xxxxxx.de:50000/irj/portal;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Programme\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programme\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMLREF] C:\Programme\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Programme\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: Alles mit Net Transport herunterladen - C:\Programme\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Display Toolbar and Menubar - C:\Programme\IEDOMInspector\cmd_display.html
O8 - Extra context menu item: Herunterladen mit Net Transport - C:\Programme\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\Programme\IEHttpAnalyzer\IEHTTPAnalyzer.dll
O9 - Extra 'Tools' menuitem: IE HTTP Analyzer - {C7B3DF1E-6EFC-41E8-9DA7-EBC1F973832D} - C:\Programme\IEHttpAnalyzer\IEHTTPAnalyzer.dll
O9 - Extra button: IE DOM Inspector - {F49F0575-88CE-4C6B-8C93-BCF153653A37} - C:\Programme\IEDOMInspector\IEDOMInspector.dll
O9 - Extra 'Tools' menuitem: IE DOM Inspector - {F49F0575-88CE-4C6B-8C93-BCF153653A37} - C:\Programme\IEDOMInspector\IEDOMInspector.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: h**p://xxx.xxxxxx.de
O15 - Trusted Zone: h**p://www.xxxxxx.de
O15 - Trusted IP range: h**p://xxx.xx.xx.xx
O16 - DPF: {A61D9982-AA6A-11D4-8CA8-0000E89F4525} (ExpApplSelect Class) - http://h**p://xxx.xxxxxx.de:50000/ir...ctiveX/exp.cab
O16 - DPF: {EE5E646C-4D96-4DAD-A362-C210B507A0B2} (SAP KM DocService Control) - http://h**p://xxxxx.xxxxxx.de/irj/se...DocService.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxx.de
O17 - HKLM\Software\..\Telephony: DomainName = xxxxxx.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C7E66FE-ECB8-4F00-BA6E-1F763A42C69D}: NameServer = 134.91.4.150,134.91.1.150
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxx.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = xxxxxx.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxxx.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = xxxxxx.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = xxxxxx.de
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programme\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programme\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SAPDB: .M750028 (SAP DBTech-.M750028) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\kernel.exe
O23 - Service: SAPDB: .M750028 (quick) (SAP DBTech-.M750028 (quick)) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\quickknl.exe
O23 - Service: SAPDB: .M750028 (slow) (SAP DBTech-.M750028 (slow)) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\slowknl.exe
O23 - Service: SAPDB: .M750028 (omststknl.exe) (SAP DBTech-.M750028 (test)) - Unknown owner - c:\sapdb\j2e\db\pgm\omststknl.exe (file missing)
O23 - Service: SAPDB: J2E (SAP DBTech-J2E) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\kernel.exe
O23 - Service: SAPDB: J2E (quick) (SAP DBTech-J2E (quick)) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\quickknl.exe
O23 - Service: SAPDB: J2E (slow) (SAP DBTech-J2E (slow)) - MySQL MaxDB - c:\sapdb\j2e\db\pgm\slowknl.exe
O23 - Service: SAPDB: J2E (omststknl.exe) (SAP DBTech-J2E (test)) - Unknown owner - c:\sapdb\j2e\db\pgm\omststknl.exe (file missing)
O23 - Service: SAP DB WWW (SAPDBWWW) - Unknown owner - c:\sapdb\programs\web\pgm\wahttp.exe
O23 - Service: SAPDBXIE - Unknown owner - c:\sapdb\programs\web\pgm\sapdbxie.exe
O23 - Service: SAPJ2E_00 - SAP AG - C:\usr\sap\J2E\JC00\exe\sapstartsrv.exe
O23 - Service: SAPJ2E_01 - SAP AG - C:\usr\sap\J2E\SCS01\exe\sapstartsrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: XServer - MySQL MaxDB - c:\sapdb\programs\pgm\serv.exe

--------------------

Logfile eScan_neu.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Nov 13 23:02:34 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Sun Nov 13 23:02:34 2005 => System found infected with searchexe Spyware/Adware ({807553e5-5146-11d5-a672-00b0d022e945})! Action taken: No Action Taken.
Sun Nov 13 23:02:34 2005 => System found infected with bearshare Spyware/Adware ({9f95f736-0f62-4214-a4b4-caa6738d4c07})! Action taken: No Action Taken.
Sun Nov 13 23:02:34 2005 => System found infected with whenu.savenow Spyware/Adware ({c285d18d-43a2-4aef-83fb-bf280e660a97})! Action taken: No Action Taken.
Sun Nov 13 23:02:43 2005 => System found infected with lop.com Spyware/Adware (install.htm)! Action taken: No Action Taken.
Sun Nov 13 23:02:43 2005 => System found infected with lop.com Spyware/Adware (install.htm)! Action taken: No Action Taken.
Sun Nov 13 23:02:51 2005 => System found infected with whistlesoftware Spyware/Adware (version.ini)! Action taken: No Action Taken.
Mon Nov 14 02:08:52 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Nov 13 23:20:48 2005 => File C:\Dokumente und Einstellungen\sp\Lokale Einstellungen\Temp\saveinstwm.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Nov 13 23:02:35 2005 => Offending Key found: HKLM\Software\magnet\handlers\bearshare !!!
Sun Nov 13 23:02:35 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Sun Nov 13 23:02:35 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
Sun Nov 13 23:02:43 2005 => Offending file found: C:\Dokumente und Einstellungen\sp\Eigene Dateien\projekte\mitarbeiterportal\javagui\manual\applet\install.htm
Sun Nov 13 23:02:43 2005 => Offending file found: C:\Dokumente und Einstellungen\sp\Eigene Dateien\projekte\mitarbeiterportal\javagui\manual\install\install.htm
Sun Nov 13 23:02:51 2005 => Offending file found: C:\Dokumente und Einstellungen\sp\Eigene Dateien\workspace\.metadata\version.ini
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Nov 14 02:08:52 2005 => Total Virus(es) Found: 11
Mon Nov 14 02:08:52 2005 => Total Errors: 18
Mon Nov 14 02:08:52 2005 => Time Elapsed: 03:04:22
Mon Nov 14 02:08:52 2005 => Total Objects Scanned: 128379
Sun Nov 13 23:01:06 2005 => Virus Database Date: 2005/11/13
Mon Nov 14 02:08:52 2005 => Virus Database Date: 2005/11/13
Mon Nov 14 08:27:51 2005 => Virus Database Date: 2005/11/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Haui45 15.11.2005 20:38

Hello!
Quote:

Quote from steffen1977
Since this is a company computer, I have replaced the relevant links with "xxxxxxx".

That is probably the reason nobody has replied yet. The on-site admin is responsible for maintaining a company computer. For understandable reasons, we stay out of that.

Regards, Haui

