bisher unbekannter Trojaner Troj_Delf.bci
 

Hallo, ich hab hier auf einem Rechner den Troj_Delf.bci. Mein TrendMicro Virenscanner hat den Trojaner auch erkannt und in Quaratäne verschoben. Nur finde ich im Internet und bei den div. Antivrenherstellern keine Info über die .bci Variante. Bei TrendMicro hats ca 30 Varianten mit unterschiedlichen Endungen aber bci ist nicht dabei. Hat jemand das Teil schon durchleuchtet? Die gängigen Tools Adaware, Spybot usw. hab ich durchlaufen lassen, in der Registry hab ich auch kein Hinweis in den üblichen Autostartordnern gefunden. Anbei mal das Hijack log, vielleicht sieht ja doch jemand was, jedoch würde es mich sehr interessieren, wie ich mir das Teil eingefangen habe. Ne verdächtige E-Mail hatte ich nicht, Firewall habe ich auch im Einsatz.

Logfile of HijackThis v1.99.1
Scan saved at 08:14:24, on 28.04.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
C:\sys\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\TEMP\GJD420.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Microsoft Office\Office\FINDFAST.EXE
S:\desk\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft-Indexerstellung.lnk = C:\Programme\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://192.1.4.61/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://192.1.4.61/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB321038-ADE9-4665-96C4-3E8A8F78717C}: NameServer = 192.1.1.102,192.1.1.100
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: OfficeScanNT Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\sys\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

_-----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 08:23:37, on 28.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
C:\sys\TightVNC\WinVNC.exe
C:\WINDOWS\TEMP\BL21CE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\desk\Hardcopy\hardcopy.exe
C:\desk\Tobit InfoCenter\DVREMIND.EXE
C:\Programme\PDFree\MoTMgr.EXE
S:\desk\Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\desk\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\sys\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MoTechno - protection manager.lnk = C:\Programme\PDFree\MoTMgr.EXE
O4 - Global Startup: Hardcopy.LNK = C:\desk\Hardcopy\hardcopy.exe
O4 - Global Startup: InfoCenter Notifier.LNK = C:\desk\Tobit InfoCenter\DVREMIND.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\desk\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\desk\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://192.1.4.61/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://192.1.4.61/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://192.1.4.61/officescan/console/ClientInstall/RemoveCtrl.cab
O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management-Konsole) - http://192.1.4.61/officescan/console/html/AtxConsole.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EB8C408-0925-43AB-81E2-5F41D625B495}: NameServer = 192.1.1.102
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: NTPTime - Unknown owner - C:\Programme\ntptime.exe
O23 - Service: OfficeScanNT Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\sys\TightVNC\WinVNC.exe" -service (file missing)

------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 07:04:54, on 28.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\sys\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\sys\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\sys\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\desk\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\TEMP\WPA5CB.EXE
C:\sys\RealVNC\VNC4\WinVNC4.exe
C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\sys\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
S:\desk\Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\desk\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\sys\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: InfoCenter Notifier.LNK = C:\desk\Tobit InfoCenter\DVREMIND.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://192.1.4.55:8080/officescan/console/html/AtxEnc.cab
O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management-Konsole) - http://192.1.4.55:8080/officescan/console/html/AtxConsole.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - http://192.1.4.61:8080/officescan/console/html/AtxPie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB321038-ADE9-4665-96C4-3E8A8F78717C}: NameServer = 192.1.1.102,192.1.1.100
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host-Modul (awhost32) - Symantec Corporation - C:\sys\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Agent for ARCserve - Unknown owner - C:\NTAGENT\NTAGENT.EXE (file missing)
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: OfficeScanNT Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\sys\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\desk\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\sys\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

:schrei: Also die Datei unter win\temp\....exe wird wohl so ein Parasit sein....

Hi,
drei Logfiles = drei Rechner?
Warum ist beim ersten das System nicht aktuell?
Allerdings muß ich dir auch mitteilen, daß wir uns von "Firmen-Support" distanzieren.
So viel noch: Die temp Dateien finden sich mit unterschiedlicher exe auf jedem Deiner Rechner.
cacatoa

mmmmmmmmmmmm

bin selber fündig geworden:

I have just looked through the code for this and this process is lauched by Trend Anti-virus software as a watch dog process that appears to support the Office Scan Client.

Hope that helps. :aplaus: