Trojaner-Board (https://www.trojaner-board.de/)
Thread: eScan findings! Please help! (https://www.trojaner-board.de/25630-escan-funde-bitte-um-hilfe.html)

Hondalabomba 10.01.2006 12:18

eScan findings! Please help!

Hello everyone!

I'd be glad if you could help me interpret the virus log information.

Apparently quite a bit was found.

Many thanks in advance!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 01:01:49 2006 => System found infected with cws.loadadv.400 Browser Hijacker (ms1.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:49 2006 => System found infected with cws.loadadv.401 Browser Hijacker (tool3.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:50 2006 => System found infected with elite toolbar Spyware/Adware (toolbar.exe)! Action taken: No Action Taken.
Tue Jan 10 01:01:50 2006 => System found infected with paymite Trojan-Spy (paytime.exe)! Action taken: No Action Taken.
Tue Jan 10 01:51:48 2006 => Scanning Folder: D:\Programme\AVPersonalPremium\INFECTED\*.*
Tue Jan 10 01:51:51 2006 => Scanning Folder: D:\Programme\AVPersonalPremium\MAIL\INFECTED\*.*
Tue Jan 10 02:05:01 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Inbox infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:36:08 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:36:23 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Trash infected by "Email-Worm.Win32.Bagle.bq" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:40:52 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:41:23 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:44:46 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 02:47:55 2006 => File D:\Programme\mozilla-1.7.5.de-AT.win32\Profile\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:45:04 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:48:09 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:48:35 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:50:34 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 03:53:12 2006 => File E:\Backup\Mozilla\Profile 11.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:13:36 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:16:38 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:17:02 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:19:05 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:21:41 2006 => File E:\Backup\Mozilla\Profile 29.05.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:25:06 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Inbox infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:54 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-3.1\Trash infected by "Trojan-Spy.HTML.Bayfraud.in" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:54 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Inbox infected by "Email-Worm.Win32.Swen" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:52:59 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-4.1\Trash infected by "Email-Worm.Win32.Bagle.bq" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:56:27 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Inbox infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
Tue Jan 10 04:56:55 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-6.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 05:00:05 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Inbox infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 05:03:03 2006 => File E:\Backup\Mozilla\Profile 29.09.05\Standard-Profil\b5a5xhu0.slt\Mail\192.168.0-9.1\Trash infected by "Email-Worm.Win32.Sober.p" Virus! Action Taken: No Action Taken.
Tue Jan 10 07:57:55 2006 => Total Disinfected Objects: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024635.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024637.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024638.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 02:57:20 2006 => File D:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0024639.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 03:25:59 2006 => File E:\03-Setups\weitere\tightvnc-1.2.9-setup.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.h. No Action Taken.
Tue Jan 10 05:08:56 2006 => File E:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0025664.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC.4. No Action Taken.
Tue Jan 10 07:57:43 2006 => File G:\System Volume Information\_restore{897F8A43-17CE-4A09-9ACB-4D77B40C74FE}\RP55\A0026076.exe tagged as "not-a-virus:Porn-Dialer.Win32.Intexdial". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 01:01:49 2006 => Offending file found: C:\WINDOWS\ms1.exe
Tue Jan 10 01:01:49 2006 => Offending file found: C:\WINDOWS\tool3.exe
Tue Jan 10 01:01:50 2006 => Offending file found: C:\WINDOWS\toolbar.exe
Tue Jan 10 01:01:50 2006 => Offending file found: C:\WINDOWS\system32\paytime.exe
Tue Jan 10 01:01:53 2006 => Offending Folder found: C:\Dokumente und Einstellungen\All Users\Dokumente\linotype library goldedition 1.7 cd2 (true type fonts)\goldedition 1.7 pc tt\goldedition 1.7 pc tt family\f\forbes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jan 10 07:57:55 2006 => Total Errors: 25
Tue Jan 10 07:57:55 2006 => Time Elapsed: 06:47:15
Tue Jan 10 07:57:55 2006 => Total Objects Scanned: 237966
Tue Jan 10 01:00:31 2006 => Virus Database Date: 1/10/2006
Tue Jan 10 07:57:55 2006 => Virus Database Date: 1/10/2006
Tue Jan 10 10:21:55 2006 => Virus Database Date: 1/10/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Hondalabomba 10.01.2006 20:54

I should have mentioned this right away. I had a piece of malware that launched the application ibm00001.exe from the registry, exactly as described in this thread: http://www.trojaner-board.de/showthread.php?t=25171

I have since fixed it and hope that everything is in order now.

But the eScan findings still worry me. It would be nice if someone could comment on them.

Here is a current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:09:13, on 10.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
D:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
d:\Programme\FRITZ!DSL\IGDCTRL.EXE
d:\Programme\AVPersonalPremium\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
D:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
D:\Programme\D-Tools\daemon.exe
D:\Programme\AVPersonalPremium\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
D:\xampp\mysql\bin\winmysqladmin.exe
D:\xampp\apache\bin\Apache.exe
D:\xampp\apache\bin\Apache.exe
E:\02 - Sicherheit\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Acrobat 6.0 Professional\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Acrobat 6.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Acrobat 6.0 Professional\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1031
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVGCtrl] D:\Programme\AVPersonalPremium\AVGNT.EXE /min
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Verknüpfung mit apache_start.bat.lnk = D:\xampp\apache_start.bat
O4 - Startup: WinMySQLadmin.lnk = D:\xampp\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB471ABE-5D18-4883-8EC1-7350DE1A69D0}: NameServer = 192.168.1.253
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - AntiVir PersonalProducts GmbH. - D:\PROGRAMME\AVPERSONALPREMIUM\AVMAILC.EXE
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - D:\PROGRAMME\AVPERSONALPREMIUM\AVGUARD.EXE
O23 - Service: AVE Service (AVEService) - AntiVir PersonalProducts GmbH - D:\PROGRAMME\AVPERSONALPREMIUM\AVESVC.EXE
O23 - Service: AVM IGD CTRL Service - AVM Berlin - d:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - d:\Programme\AVPersonalPremium\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
