Trojaner im system32

Cyndy · 18.04.2010, 19:43

So da bin ich wieder.

Die Fenster öffnen sich nichtmehr.

Das Logfile von Gmer:

PHP-Code:

  GMER 1.0.15.15281 - hxxp://www.gmer.net

Rootkit scan 2010-04-18 20:41:15

Windows 6.1.7600 

Running: 5fn885gb.exe; Driver: C:\Users\Tommy\AppData\Local\Temp\fwlcipod.sys

 
 
---- System - GMER 1.0.15 ----

 
INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3EAF8

INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3E104

INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3E3F4

INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C26FB4

INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3E1DC

INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3E958

INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3E6F8

INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3EF2C

INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                                                         82C3F1A8

 
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                            ZwCreateProcessEx [0x8CAD950A]

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                            ZwCreateSection [0x8CAD932E]

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                            ZwLoadDriver [0x8CAD9468]

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                            NtCreateSection

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                            ObMakeTemporaryObject

 
---- Kernel code sections - GMER 1.0.15 ----

 
.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                                                  82857579 1 Byte  [06]

.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                                           8287BF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

PAGE            ntkrnlpa.exe!ZwLoadDriver                                                                                                                        829B5279 7 Bytes  JMP 8CAD946C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE            ntkrnlpa.exe!ObMakeTemporaryObject                                                                                                               82A1CF59 5 Bytes  JMP 8CAD54AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE            ntkrnlpa.exe!ObInsertObject + 27                                                                                                                 82A36C5F 5 Bytes  JMP 8CAD69E4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE            ntkrnlpa.exe!NtCreateSection                                                                                                                     82A44CE3 7 Bytes  JMP 8CAD9332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE            ntkrnlpa.exe!ZwCreateProcessEx                                                                                                                   82AEEE52 7 Bytes  JMP 8CAD950E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

?               System32\drivers\stsa.sys                                                                                                                        Das System kann den angegebenen Pfad nicht finden. !

.text           peauth.sys                                                                                                                                       9BC6CC9D 28 Bytes  [4F, 21, 20, 5E, B7, 7B, 18, ...]

.text           peauth.sys                                                                                                                                       9BC6CCC1 28 Bytes  [4F, 21, 20, 5E, B7, 7B, 18, ...]

 
---- User code sections - GMER 1.0.15 ----

 
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3900] ntdll.dll!LdrLoadDll                                                                          771AF585 5 Bytes  JMP 000E13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

 
---- User IAT/EAT - GMER 1.0.15 ----

 
IAT             C:\Windows\System32\rundll32.exe[1948] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                                            [751F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Windows\System32\rundll32.exe[1948] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                                             [751F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Windows\System32\rundll32.exe[1948] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]                                           [751F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Windows\System32\rundll32.exe[1948] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]                                          [751F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

IAT             C:\Windows\System32\rundll32.exe[1948] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]                                           [751F5D3D] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

 
---- Devices - GMER 1.0.15 ----

 
AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                           SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                                                          aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                                           fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                                                           rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

 
Device          \Driver\ACPI_HAL \Device\0000004e                                                                                                                halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

 
AttachedDevice  \Driver\tdx \Device\Udp                                                                                                                          aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice  \FileSystem\fastfat \Fat                                                                                                                         fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

 
---- Registry - GMER 1.0.15 ----

 
Reg             HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Tommy\setup\xb4s\photomail_install.exe     1

Reg             HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Tommy\setup\xb4s\3d_magic_install.exe      1

Reg             HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Tommy\setup\xb4s\PowerPointViewer.exe      1

Reg             HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Tommy\setup\xb4s\install_flash_player.exe  1

 
---- EOF - GMER 1.0.15 ----

StLB · 18.04.2010, 20:12

Jepp, Log sieht ok aus.
Noch irgendwelche Symptome zu sehen?

Mache bitte abschließend noch einen Kontrollscan mit SUPERAntiSpyware und poste dann das Log hier.

StLB · 19.04.2010, 12:24

Grr...

Zitat:

D:TommyProgisProgrammeWinRARkeygen.exe (Trojan.Agent) -> No action taken.

Und sowas sticht einem erst am Ende der Bereinigung ins Auge

Der Besitz von legaler Software ist Voraussetzung für einen Support hier im TrojanerBoard.

Cracks, Serials und Keygens sind illegal! Derlei Aktivitäten werden von uns nicht unterstützt.
Für Dich geht es hier weiter: Neuaufsetzen des Systems

Danach nie wieder illegale Software nutzen!

18.04.2010, 20:12	#17
StLB /// Helfer-Team	Trojaner im system32 Jepp, Log sieht ok aus. Noch irgendwelche Symptome zu sehen? Mache bitte abschließend noch einen Kontrollscan mit SUPERAntiSpyware und poste dann das Log hier. __________________ __________________

Trojaner im system32

Plagegeister aller Art und deren Bekämpfung: Trojaner im system32