| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen?Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
14.01.2010, 23:49
| #16 |
 |  Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Done. 11 infizierte dateien wurden gefunden :S Code:
ATTFilter Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3564
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
14.01.2010 23:26:11
mbam-log-2010-01-14 (23-26-11).txt
Scan-Methode: Vollständiger Scan (C:\|Z:\|)
Durchsuchte Objekte: 322221
Laufzeit: 52 minute(s), 12 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
C:\System Volume Information\_restore{6342AD21-52BF-4BEF-8907-F48E5D79E927}\RP244\A0230123.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6342AD21-52BF-4BEF-8907-F48E5D79E927}\RP246\A0231406.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6342AD21-52BF-4BEF-8907-F48E5D79E927}\RP246\A0231577.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6342AD21-52BF-4BEF-8907-F48E5D79E927}\RP246\A0233548.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6342AD21-52BF-4BEF-8907-F48E5D79E927}\RP246\A0233751.sys (Malware.Trace) -> Quarantined and deleted successfully.
Z:\Neuer Ordner (2)\EP_PCSX209.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
|
|
16.01.2010, 16:22
| #18 |
| | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Vorgestern wurde wohl auf mein ebay account zugegriffen, kann es sein dass ich mir nen stealer oder keylogger eingefangen habe?
__________________Und bei GMER nur die festplatte mit windows scannen oder alle? Weil es über 12h dauert beide zu scannen |
|
17.01.2010, 16:49
| #19 |
| | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Ok habt jetzt mit GMER nur C gescannt. Code:
ATTFilter GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 15:40:57
Windows 5.1.2600 Service Pack 3
Running: j2ytnsid.exe; Driver: C:\DOKUME~1\ADMINI~1.MEI\LOKALE~1\Temp\kwldypog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA892C6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA892C574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA892CA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA892C14C]
SSDT spsy.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spsy.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA892C64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA892C08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA892C0F0]
SSDT spsy.sys ZwQueryKey [0xB9ECE20A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA892C76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA892C72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA892C8AE]
INT 0x62 ? 8A688BF8
INT 0x63 ? 8A41FF00
INT 0x63 ? 8A41FF00
INT 0x82 ? 8A688BF8
INT 0x83 ? 8A68BBF8
INT 0x83 ? 8A41FF00
INT 0x83 ? 8A68BBF8
INT 0x94 ? 8A41FF00
INT 0x94 ? 8A41FF00
INT 0x94 ? 8A41FF00
INT 0x94 ? 8A41FF00
INT 0xA4 ? 8A41FF00
INT 0xB1 ? 8A68BBF8
INT 0xB1 ? 8A68BBF8
INT 0xB4 ? 8A688BF8
INT 0xB4 ? 8A688BF8
INT 0xB4 ? 8A41FF00
INT 0xB4 ? 8A688BF8
Code 89AD4B0C ZwRequestPort
Code 89AD4BAC ZwRequestWaitReplyPort
Code 89AD4B0B NtRequestPort
Code 89AD4BAB NtRequestWaitReplyPort
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!NtRequestPort 805A2A2E 5 Bytes JMP 89AD4B10
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort 805A2D5A 5 Bytes JMP 89AD4BB0
? spsy.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B96B68EC 5 Bytes JMP 8A41F4E0
.text aijfs6hl.SYS B9608386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aijfs6hl.SYS B96083AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aijfs6hl.SYS B96083C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aijfs6hl.SYS B96083C9 1 Byte [2E]
.text aijfs6hl.SYS B96083C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text alkotda9.SYS B95CF386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text alkotda9.SYS B95CF3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text alkotda9.SYS B95CF3C4 3 Bytes [00, 80, 02]
.text alkotda9.SYS B95CF3C9 1 Byte [30]
.text alkotda9.SYS B95CF3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8082E1 5 Bytes JMP 89AD44D0
.text win32k.sys!EngFreeUserMem + 5BD2 BF80EE68 5 Bytes JMP 89AD4430
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E77A 5 Bytes JMP 89AD49D0
.text win32k.sys!EngSetLastError + 768F BF8286CB 5 Bytes JMP 89AD4610
.text win32k.sys!EngCreateBitmap + DDB2 BF845CCB 5 Bytes JMP 89AD46B0
.text win32k.sys!EngMultiByteToWideChar + 2F32 BF852C47 5 Bytes JMP 89AD4890
.text win32k.sys!XLATEOBJ_iXlate + 3A50 BF86368D 5 Bytes JMP 89AD4570
.text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP 89AD4750
.text win32k.sys!PATHOBJ_vGetBounds + 74EE BF8F00FB 5 Bytes JMP 89AD4930
.text win32k.sys!EngCreateClip + 19C1 BF91313E 5 Bytes JMP 89AD4A70
.text win32k.sys!EngCreateClip + 2597 BF913D14 5 Bytes JMP 89AD47F0
---- User code sections - GMER 1.0.15 ----
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 28001E30 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!FindResourceExW 7C80AD28 7 Bytes JMP 28001C70 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!FindResourceW 7C80BC6E 7 Bytes JMP 28001BF0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!SizeofResource 7C80BD09 7 Bytes JMP 28001EF0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!FindResourceA 7C80BF29 7 Bytes JMP 28001D00 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!LockResource 7C80CD37 5 Bytes JMP 28001F60 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!CreateEventA 7C830885 5 Bytes JMP 28001850 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] kernel32.dll!FindResourceExA 7C835F78 7 Bytes JMP 28001D90 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] ADVAPI32.dll!CryptDeriveKey 77DB9FFD 7 Bytes JMP 28001000 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] ADVAPI32.dll!CryptDecrypt 77DBA129 7 Bytes JMP 28001060 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!GetWindowLongW 7E3688A6 7 Bytes JMP 28006AF0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 280046B0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!SetWindowPlacement 7E36DE46 5 Bytes JMP 28005E90 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!CreateDialogParamW 7E36EA3B 5 Bytes JMP 28006110 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!LoadImageW 7E377B97 5 Bytes JMP 28006760 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 28003CE0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!SetWindowRgn 7E37E528 7 Bytes JMP 28005FD0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!LoadIconW 7E37E8BC 5 Bytes JMP 28006950 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 28006300 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] USER32.dll!TrackPopupMenuEx 7E3BCF62 5 Bytes JMP 28004F90 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] SHELL32.dll!Shell_NotifyIconW 7E6D391C 5 Bytes JMP 28003430 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] ole32.dll!CoCreateInstance 774CF1C4 5 Bytes JMP 28002610 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] ole32.dll!CoInitializeEx 774D148B 5 Bytes JMP 28002270 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] ole32.dll!CoRegisterClassObject 774E79E8 5 Bytes JMP 28002370 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] WININET.dll!InternetReadFile 408C654B 5 Bytes JMP 2800A0E0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] WININET.dll!InternetCloseHandle 408C9088 5 Bytes JMP 2800A290 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] WININET.dll!HttpOpenRequestA 408CD508 5 Bytes JMP 28009F50 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programme\Windows Live\Messenger\msnmsgr.exe[2300] WININET.dll!HttpSendRequestA 408DEE89 5 Bytes JMP 2800A1C0 C:\Programme\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spsy.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spsy.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spsy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spsy.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spsy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spsy.sys
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KfAcquireSpinLock] CCCCCCC3
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!READ_PORT_UCHAR] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KeGetCurrentIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KfRaiseIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KfLowerIrql] 8BEC8B55
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!HalGetInterruptVector] 00C73445
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!HalTranslateBusAddress] 00000000
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KeStallExecutionProcessor] 830C458B
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!KfReleaseSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 053C0D74
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!READ_PORT_USHORT] 57B80974
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8B000000
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[HAL.dll!WRITE_PORT_UCHAR] 56C35DE5
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[WMILIB.SYS!WmiSystemControl] 8D51FC4D
IAT \SystemRoot\System32\Drivers\aijfs6hl.SYS[WMILIB.SYS!WmiCompleteRequest] 8D52FD55
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\alkotda9.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\Explorer.EXE[640] @ C:\WINDOWS.1\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CF077BD] C:\WINDOWS.1\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.1\system32\services.exe[796] @ C:\WINDOWS.1\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS.1\system32\services.exe[796] @ C:\WINDOWS.1\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A6F71F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\sptd \Device\948330802 spsy.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A41A1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6F91F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6F91F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6F91F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6F91F8
Device \Driver\usbuhci \Device\USBPDO-1 8A41A1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A41A1F8
Device \Driver\usbehci \Device\USBPDO-3 8A3F8500
Device \Driver\usbuhci \Device\USBPDO-4 8A41A1F8
Device \Driver\PCI_PNP7052 \Device\00000048 spsy.sys
Device \Driver\sptd \Device\948487052 spsy.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBPDO-5 8A41A1F8
Device \Driver\PCI_PNP7052 \Device\00000049 spsy.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{F2286023-EF5F-42A9-865F-7CAD03FDC1AC} 89DCF500
Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\RawVolume1 8A6F91F8
Device \Driver\dmio \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1 8A6F91F8
Device \Driver\usbuhci \Device\USBPDO-6 8A41A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6891F8
Device \Driver\usbehci \Device\USBPDO-7 8A3F8500
Device \Driver\Cdrom \Device\CdRom0 8A41E500
Device \Driver\Cdrom \Device\CdRom1 8A41E500
Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-12 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 8A41E500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89DCF500
Device \Driver\NetBT \Device\NetbiosSmb 89DCF500
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBFDO-0 8A41A1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A41A1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89DC51F8
Device \Driver\usbuhci \Device\USBFDO-2 8A41A1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89DC51F8
Device \Driver\usbehci \Device\USBFDO-3 8A3F8500
Device \Driver\usbuhci \Device\USBFDO-4 8A41A1F8
Device \Driver\Ftdisk \Device\FtControl 8A6891F8
Device \Driver\usbuhci \Device\USBFDO-5 8A41A1F8
Device \Driver\usbuhci \Device\USBFDO-6 8A41A1F8
Device \Driver\usbehci \Device\USBFDO-7 8A3F8500
Device \Driver\aijfs6hl \Device\Scsi\aijfs6hl1Port6Path0Target0Lun0 8A3EA500
Device \Driver\Jraid \Device\Scsi\Jraid1Port4Path0Target0Lun0 8A6F81F8
Device \Driver\Jraid \Device\Scsi\Jraid1 8A6F81F8
Device \Driver\alkotda9 \Device\Scsi\alkotda91Port5Path0Target0Lun0 8A3B0500
Device \Driver\alkotda9 \Device\Scsi\alkotda91 8A3B0500
Device \Driver\aijfs6hl \Device\Scsi\aijfs6hl1 8A3EA500
Device \FileSystem\Cdfs \Cdfs 89D9F500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x9D 0x6A 0x86 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Programme\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0E 0x8D 0x6D 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBB 0x34 0xBA 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF1 0xBA 0xCB 0xFA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9A 0x32 0xF9 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8C 0x6A 0x48 0xAF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x9D 0x6A 0x86 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Programme\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0E 0x8D 0x6D 0x1B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBB 0x34 0xBA 0xD3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF1 0xBA 0xCB 0xFA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9A 0x32 0xF9 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8C 0x6A 0x48 0xAF ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOCC7.00.00.01PROSTATION AD34C40FB76849B8B69018E05BCCEDA67BBD444F79D99F5F554DB63D8286A3216CB5B6BF50591BE1442E5ED69E0E1C0D179A52A2C9451A468182D83967C71DC2811EB57E275E49AD40F1DE998AA9BB9E3175796D6A1FFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3DFEBC9E127BECC74CA9C6AECB7A5D1407AC0F1DEA24BDCF3A266C08003E37143EF0A3CF4E1933C623ECDE93A3B8E13F37A12468C356976E519450F30BE4CF633F711CD93160BC9C4A052FF78D6DE0B1C8024DF1F44CC3C2C01C070EA496ABBE1A6F82E23952EBF9E23BD3D23ECEC8112166DFD7425BDD1C32DB5422873F2634C12EAF82BC9180C94A98D528C35655C5A63CB62D9070448136C38570155F5E088F447F47325378AB40F6C074500C896C2344ADF96D8897AB3F9CE62ECE0A37AD3E9BCF3239DF98F16B8725A5BA8E2AD54513A8B786B93F09267D4C025EE8D853707405B690966A2654CC991BFA903F079F120B56ADA9653BA5D50C8890B7ACD4A9DF07BF9DE63783E82035AD31589536A97C40385B93F696DCE602D1524763C5524642296AD612787B2C14A71DC040D1BBE435352AC726254F460BE1BA7BEEEC36602645A2004CA83FF1D7C3A63793FA16AEDB1858A86AA4E35E0B3000CB87C486BFA4D7970F016BCFC2A
---- EOF - GMER 1.0.15 ----
|
|
17.01.2010, 21:04
| #20 |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Angesichts der Backdoor-Funde solltest Du überlegen, on eine Neuinstallation nicht wesentlich sinnvoller wäre.... Z:\Neuer Ordner (2)\EP_PCSX209.exe (Trojan.Backdoor) Was ist das für eine Datei?
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
18.01.2010, 01:06
| #21 | |
| | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen?Zitat:
Keine Ahnung, ich kann die Datei auch so nicht finden wenn ich in den Ordner schaue. |
|
18.01.2010, 08:23
| #22 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Wie gesagt, wegen der Backdoor-Funde solltest Du über eine Neuinstallation nachdenken... Wurde Dein Ebay-Passwort schon geändert von einer sauberen Maschine?
__________________ Logfiles bitte immer in CODE-Tags posten |
|
18.01.2010, 19:43
| #24 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Es waren Dateien drauf, die von MBAM als Backdoors eingestuft wurden. Ob man dank der aktiven Hintertür gezielt wesentlich besser versteckte Backdoors installiert hat ist zwar unwahrscheinlich aber möglich - deswegen sagte ich, dass Du die Kiste besser neu installieren solltest. Erfolgte auf Dein Ebaykonto oder auf ein anderes Konto zwischenzeitlich eigentlich wieder Fremdzugriff?
__________________ Logfiles bitte immer in CODE-Tags posten |
|
19.01.2010, 00:31
| #25 |
| | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Achso Klingt vernünftig, ich überleg es mir.Ne nicht mehr. Falls ich etwas merke, werde ich das System sofort neu aufsetzen. Danke für die Hilfe, weiß jetzt nun wie gegen Viren vorzugehen ist  |
|
19.01.2010, 10:24
| #26 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? *nachhakenmuss* Zitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
19.01.2010, 17:12
| #27 |
| | Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? Ne nicht mehr. Falls ich etwas merke, werde ich das System sofort neu aufsetzen. |
|
| Themen zu Windows XP bootet nurnoch im Debugmodus. Auslöser: sshnas.dll Win32:Trojan-gen? |
| antivirus, avast!, bho, bildschirm, bonjour, booten, browser, einstellungen, eraser, firefox.exe, fontcache, frage, hijack, hijackthis, hkus\s-1-5-18, hängen, internet, internet browser, internet explorer, jusched.exe, liveupdate.exe, logfile, opera.exe, pdf-datei, pop-up, problem, realtek, registry, remote control, rundll, scan, sicherheit, software, system, taskmanager, win32:trojan-gen, windows, windows live messenger, windows xp |
