Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/) > Log Analysis and Evaluation (https://www.trojaner-board.de/log-analyse-auswertung/) > ntoskrnl.exe "changed", HJT and eScan logfiles created (https://www.trojaner-board.de/42887-ntoskrnl-exe-changed-hjt-escan-logfiles-gemacht.html)

Nova328 31.08.2007 21:18

ntoskrnl.exe "changed", HJT and eScan logfiles created
 
Hello,
since my AVG AV keeps telling me that the ntoskrnl.exe of my WinXP 64-bit has been changed, I found this forum. I also did a bit of research and then created a HijackThis and an eScan logfile.
Maybe one of you can help me with this. I would be really grateful.
Here is the information from the logs:
eScan:
Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Microsoft Windows [Version 5.2.3790]
Fri Aug 31 19:35:42 2007 => Version 9.4.1 (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mexe.com)
Fri Aug 31 21:47:08 2007 => Virus Database Date: 8/31/2007
Fri Aug 31 21:55:32 2007 => Virus Database Date: 8/31/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007580.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007581.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007582.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007585.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:13 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007625.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:13 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007630.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Fri Aug 31 20:05:30 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-E4_1_6-x86_win32.exe//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Fri Aug 31 20:05:30 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-tool-1_4_2-x86_win32.exe//file4//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Fri Aug 31 20:36:02 2007 => File D:\Photos\GPirc2.0.zip/mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Fri Aug 31 20:45:31 2007 => File D:\Program Files (x86)\Gamers.IRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.614". No Action Taken.
Fri Aug 31 20:45:34 2007 => File D:\Program Files (x86)\Gpirc\mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Fri Aug 31 20:51:04 2007 => File D:\Program Files (x86)\mirc\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
Fri Aug 31 20:54:49 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\delphitaggedvalues.html
Fri Aug 31 20:54:57 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\images\tab_tagged.png
Fri Aug 31 20:55:00 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\sqltaggedvalues.html
Fri Aug 31 20:56:30 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:30 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncviewer.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:31 2007 => File D:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:31 2007 => File D:\Program Files (x86)\RealVNC\VNC4\wm_hooks.dll tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 21:16:31 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011422.exe tagged as "not-a-virus:Server-FTP.Win32.Serv-U.gen". No Action Taken.
Fri Aug 31 21:16:31 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011423.exe/CHECKUPDATE.DLL tagged as "not-a-virus:Server-FTP.Win32.Serv-U.5201". No Action Taken.
Fri Aug 31 21:18:18 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011532.exe/mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
Fri Aug 31 21:18:21 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011542.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Fri Aug 31 19:36:10 2007 => Offending Key found: HKCU\\magnet !!!
Fri Aug 31 19:36:23 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G !!!
Fri Aug 31 19:36:23 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be6e6b45-3e9c-11dc-b2a0-806e6f6e6963} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HJT:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:31 PM, on 8/31/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
d:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files (x86)\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "d:\Program Files (x86)\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "d:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "d:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "d:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185796217703
O17 - HKLM\System\CCS\Services\Tcpip\..\{C47FDFFF-4D8C-450D-8B16-355ED9A24664}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - d:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - d:\Program Files (x86)\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6634 bytes

eScan also says the following:
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.

Regards
Nova328

undoreal 01.09.2007 09:33

Hello Nova.


Malware in the System Restore folder:


* Disable System Restore -> This is how it is done.
* Then restart the system, and after the restart check everything
with your AV scanner.
(System Restore can be enabled again afterwards.)

Report back afterwards with both fresh logs..

regards

Undoreal

Nova328 01.09.2007 15:12

Alright, I will do that later or tomorrow. I have little time today, I will report back then.
Thanks already for the help.
Regards

Nova328 02.09.2007 18:48

I have now done the following:
1. System Restore off
2. Booted into Safe Mode (user was Administrator)
3. Had AVG AV (Free Edition) scan all files.

Then I created the logfiles and here they are:
I had eScan version 9.4.1 (on every update attempt the message "Download Not Succesful" appeared, although it looked as if it wanted to download.)
Oh, I forgot to turn System Restore back on after the AV scan, but that should not be a problem.

eScan log:
Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Microsoft Windows [Version 5.2.3790]
Fri Aug 31 19:35:42 2007 => Version 9.4.1 (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mexe.com)
Fri Aug 31 21:47:08 2007 => Virus Database Date: 8/31/2007
Fri Aug 31 21:55:32 2007 => Virus Database Date: 8/31/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007580.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007581.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007582.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007585.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:13 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007625.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:13 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007630.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Fri Aug 31 20:05:30 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-E4_1_6-x86_win32.exe//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Fri Aug 31 20:05:30 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-tool-1_4_2-x86_win32.exe//file4//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Fri Aug 31 20:36:02 2007 => File D:\Photos\GPirc2.0.zip/mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Fri Aug 31 20:45:31 2007 => File D:\Program Files (x86)\Gamers.IRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.614". No Action Taken.
Fri Aug 31 20:45:34 2007 => File D:\Program Files (x86)\Gpirc\mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Fri Aug 31 20:51:04 2007 => File D:\Program Files (x86)\mirc\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
Fri Aug 31 20:54:49 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\delphitaggedvalues.html
Fri Aug 31 20:54:57 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\images\tab_tagged.png
Fri Aug 31 20:55:00 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\sqltaggedvalues.html
Fri Aug 31 20:56:30 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:30 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncviewer.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:31 2007 => File D:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 20:56:31 2007 => File D:\Program Files (x86)\RealVNC\VNC4\wm_hooks.dll tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 21:16:31 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011422.exe tagged as "not-a-virus:Server-FTP.Win32.Serv-U.gen". No Action Taken.
Fri Aug 31 21:16:31 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011423.exe/CHECKUPDATE.DLL tagged as "not-a-virus:Server-FTP.Win32.Serv-U.5201". No Action Taken.
Fri Aug 31 21:18:18 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011532.exe/mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
Fri Aug 31 21:18:21 2007 => File D:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP93\A0011542.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Fri Aug 31 19:36:10 2007 => Offending Key found: HKCU\\magnet !!!
Fri Aug 31 19:36:23 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G !!!
Fri Aug 31 19:36:23 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be6e6b45-3e9c-11dc-b2a0-806e6f6e6963} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HJT log:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:04 PM, on 9/2/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode with network support

Running processes:
C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
d:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files (x86)\Trend Micro\HijackThis\This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files (x86)\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files (x86)\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "d:\Program Files (x86)\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "d:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "d:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "d:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files (x86)\Java\jre1.6.0_02\bin\npjpi160_02.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185796217703
O17 - HKLM\System\CCS\Services\Tcpip\..\{C47FDFFF-4D8C-450D-8B16-355ED9A24664}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - d:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - d:\Program Files (x86)\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6651 bytes

Regards
Nova328

undoreal 03.09.2007 10:01

Hello Nova. Did you rename the old log file before the last eScan?

The log you posted is identical to the one from last time. And the System Restore entries are still present.

Quote:

Fri Aug 31 21:47:08 2007 => Virus Database Date: 8/31/2007
Quote:

Fri Aug 31 21:47:08 2007 => Virus Database Date: 8/31/2007
regards

Undoreal
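As an added example (not code from this thread, from eScan or from HijackThis), the following Python parser reads the eScan log format posted above and answers the two questions raised in the replies: whether every "infected" hit lives under a System Restore point (the reason Undoreal asks to purge System Restore first) and whether two posted logs are really the same scan. The log excerpts inside it are constructed from lines quoted in this thread, plus one invented hit on a live path in the second excerpt.

```python
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the eScan lines quoted in this thread (a few
# representative entries per section, not the poster's complete logs).
SAMPLE_LOG_A = r"""
Fri Aug 31 21:47:08 2007 => Virus Database Date: 8/31/2007
~~~~ Infected files
Fri Aug 31 21:45:11 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007580.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Fri Aug 31 21:45:13 2007 => File H:\System Volume Information\_restore{196E2B76-B670-4DEB-9CCB-209523529387}\RP86\A0007630.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
~~~~ Tagged files
Fri Aug 31 20:45:31 2007 => File D:\Program Files (x86)\Gamers.IRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.614". No Action Taken.
Fri Aug 31 20:54:49 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\delphitaggedvalues.html
Fri Aug 31 20:56:31 2007 => File D:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Fri Aug 31 19:36:10 2007 => Offending Key found: HKCU\\magnet !!!
Fri Aug 31 19:36:23 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G !!!
"""

# Second constructed excerpt: a later scan with one invented hit on a live path
# (C:\Temp\CONSTRUCTED_sample.exe) so that the verdict flips.
SAMPLE_LOG_B = r"""
Mon Sep 03 15:32:47 2007 => Virus Database Date: 9/3/2007
Mon Sep 03 14:33:42 2007 => File D:\Program Files (x86)\Gamers.IRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.614". No Action Taken.
Mon Sep 03 14:40:00 2007 => File C:\Temp\CONSTRUCTED_sample.exe infected by "Exe.Corrupted" Virus! Action Taken: No Action Taken.
Mon Sep 03 13:23:01 2007 => Offending Key found: HKCU\\magnet !!!
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<msg>.*)$")
INFECTED_RE = re.compile(r'^File (?P<target>.+) infected by "(?P<name>[^"]+)" Virus!')
TAGGED_RE = re.compile(r'^File (?P<target>.+) tagged as "(?P<name>[^"]+)"\.')
KEY_RE = re.compile(r"^Offending Key found: (?P<target>.+?) !!!$")
DB_DATE_RE = re.compile(r"^Virus Database Date: (?P<date>\S+)$")
# System Restore keeps its file copies under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)


@dataclass
class Finding:
    timestamp: str
    kind: str     # "infected", "tagged" or "offending_key"
    target: str   # file path or registry key
    name: str     # detection name; empty for registry keys

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_RE.search(self.target) is not None


def parse_escan(text: str):
    """Return (findings, virus-database dates) from an eScan log excerpt."""
    findings, db_dates = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                       # "~~~~" dividers and section titles
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (k := DB_DATE_RE.match(msg)):
            db_dates.append(k.group("date"))
        elif (k := INFECTED_RE.match(msg)):
            findings.append(Finding(ts, "infected", k.group("target"), k.group("name")))
        elif (k := TAGGED_RE.match(msg)):
            findings.append(Finding(ts, "tagged", k.group("target"), k.group("name")))
        elif (k := KEY_RE.match(msg)):
            findings.append(Finding(ts, "offending_key", k.group("target"), ""))
        # Anything else is progress noise and is skipped, e.g. "Scanning File
        # ...delphitaggedvalues.html", which only lands in the "Tagged files"
        # section because the log filter matched the word "tagged" in the name.
    return findings, db_dates


def summarize(findings):
    """Condense findings into the questions a log helper asks first."""
    infected = [f for f in findings if f.kind == "infected"]
    live = [f for f in infected if not f.in_restore_point]
    return {
        "infected_total": len(infected),
        "infected_outside_restore": len(live),
        # Hits confined to restore points disappear when System Restore is
        # purged; a hit on a live path needs real cleanup instead.
        "only_restore_points": bool(infected) and not live,
        "not_a_virus_tagged": sum(f.kind == "tagged" and f.name.startswith("not-a-virus:") for f in findings),
        "offending_keys": [f.target for f in findings if f.kind == "offending_key"],
    }


def same_scan(log_a: str, log_b: str) -> bool:
    """True when both texts carry the same event timestamps, i.e. one scan was
    posted twice (the mix-up that happened in this thread)."""
    def stamps(text):
        return {m.group("ts") for m in map(LINE_RE.match, map(str.strip, text.splitlines())) if m}
    return stamps(log_a) == stamps(log_b)
```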

Nova328 03.09.2007 11:26

Hello Undoreal,
actually I numbered the logs consecutively. But the eScan files are both identical. I must have done something wrong somewhere.
:confused: :headbang:
I will create a new eScan log right away and post it later. That can take a while.

Regards

Nova328 03.09.2007 14:40

So, I have now managed to do a new scan with a fresh log. The find.bat apparently found the wrong logfile and always gave me the first one to edit.
But now the correct result of today's scan:
Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Windows [Version 5.2.3790]
Mon Sep 03 13:22:42 2007 => Version 9.4.1 (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mexe.com)
Mon Sep 03 15:32:47 2007 => Virus Database Date: 9/3/2007
Mon Sep 03 15:33:52 2007 => Virus Database Date: 9/3/2007
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Mon Sep 03 13:53:28 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-E4_1_6-x86_win32.exe//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Mon Sep 03 13:53:28 2007 => File D:\Downloads\Realvnc 4.1.6 Enterprise Edition (Server, Viewer And Tool)\vnc-tool-1_4_2-x86_win32.exe//file4//file1 tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.414". No Action Taken.
Mon Sep 03 14:24:12 2007 => File D:\Photos\GPirc2.0.zip/mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Mon Sep 03 14:33:42 2007 => File D:\Program Files (x86)\Gamers.IRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.614". No Action Taken.
Mon Sep 03 14:33:45 2007 => File D:\Program Files (x86)\Gpirc\mirc32.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.561". No Action Taken.
Mon Sep 03 14:39:18 2007 => File D:\Program Files (x86)\mirc\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
Mon Sep 03 14:43:23 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\delphitaggedvalues.html
Mon Sep 03 14:43:32 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\images\tab_tagged.png
Mon Sep 03 14:43:35 2007 => Scanning File D:\Program Files (x86)\Poseidon For UML CE 3.2\docs\PoseidonUsersGuide\sqltaggedvalues.html
Mon Sep 03 14:45:11 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncconfig.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Mon Sep 03 14:45:11 2007 => File D:\Program Files (x86)\RealVNC\VNC4\vncviewer.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Mon Sep 03 14:45:11 2007 => File D:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
Mon Sep 03 14:45:11 2007 => File D:\Program Files (x86)\RealVNC\VNC4\wm_hooks.dll tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Mon Sep 03 13:23:01 2007 => Offending Key found: HKCU\\magnet !!!
Mon Sep 03 13:23:12 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{be6e6b45-3e9c-11dc-b2a0-806e6f6e6963} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am posting this only as a precaution, since somehow it does not show up in the log. eScan still reports to me:
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.

The second message was shown twice at first, though; now only once.

Once again, best regards ;)

undoreal 03.09.2007 15:28

That looks better already ;)

Quote:

Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
You can safely ignore those.

I would say your system is clean..

regards

Undoreal

