| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojaner sdra64Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
14.07.2010, 09:56
| #1 |
| |  Trojaner sdra64 Habe mir den Trojaner sdra64 eingefangen und es auch gleich bemerkt. Nach Studium hier habe ich alle Gegenmaßnahmen eingeleitet: avast-antivirus, spybot, malwarebytes, ZBOT-Killer. Danach waren alle unerwünschten Einträge im Windows und der Registry verschwunden. PC fährt problemlos rauf und runter. Durchlauf mit GMER hat folgendes ergeben: GMER Logfile: GMER Logfile: Code:
ATTFilter GMER 1.0.15.14966 - hxxp://www.gmer.net
Rootkit scan 2010-07-13 18:50:42
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT spdb.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spdb.sys ZwEnumerateValueKey [0xB7ECE132]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89F5A1F8
AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
--- --- --- --- --- --- SCANGMER Logfile: GMER Logfile: Code:
ATTFilter GMER 1.0.15.14966 - hxxp://www.gmer.net
Rootkit scan 2010-07-13 19:13:55
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB02046B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB0204574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB0204A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB020414C]
SSDT spdb.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spdb.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB020464E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB020408C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB02040F0]
SSDT spdb.sys ZwQueryKey [0xB7ECE20A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB020476E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB020472E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB02048AE]
INT 0x62 ? 89FCBBF8
INT 0x63 ? 89F5BBF8
INT 0x73 ? 89FCBBF8
INT 0x73 ? 89FCBBF8
INT 0x73 ? 89FCBBF8
INT 0x94 ? 89DA9F00
INT 0xA4 ? 89F5BBF8
INT 0xB4 ? 89F5BBF8
---- Kernel code sections - GMER 1.0.15 ----
? spdb.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B79D18AC 5 Bytes JMP 89DA94E0
.text ak1snzyo.SYS B6D7A386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ak1snzyo.SYS B6D7A3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ak1snzyo.SYS B6D7A3C4 3 Bytes [00, 80, 02]
.text ak1snzyo.SYS B6D7A3C9 1 Byte [30]
.text ak1snzyo.SYS B6D7A3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spdb.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spdb.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spdb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spdb.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spdb.sys
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ak1snzyo.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spdb.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[864] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[864] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89F5A1F8
AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBPDO-0 89CF41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89F5C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89F5C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89F5C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89F5C1F8
Device \Driver\usbehci \Device\USBPDO-1 89D8F1F8
Device \Driver\sptd \Device\4166488580 spdb.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume2 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Cdrom \Device\CdRom0 89D8E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Cdrom \Device\CdRom1 89D8E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Cdrom \Device\CdRom2 89D8E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume6 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume7 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\NetBT \Device\NetBt_Wins_Export 88AF01F8
Device \Driver\Ftdisk \Device\HarddiskVolume8 89FCC1F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 sr.sys (Dateisystemfilter-Treiber der Systemwiederherstellung/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \Driver\NetBT \Device\NetbiosSmb 88AF01F8
Device \Driver\nvata \Device\00000085 89F5B1F8
Device \Driver\PCI_PNP7330 \Device\0000005a spdb.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 89CF41F8
Device \Driver\usbehci \Device\USBFDO-1 89D8F1F8
Device \Driver\nvata \Device\NvAta0 89F5B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 884121F8
Device \Driver\nvata \Device\NvAta1 89F5B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 884121F8
Device \Driver\nvata \Device\NvAta2 89F5B1F8
Device \Driver\Ftdisk \Device\FtControl 89FCC1F8
Device \Driver\ak1snzyo \Device\Scsi\ak1snzyo1 89C32500
Device \Driver\ak1snzyo \Device\Scsi\ak1snzyo1Port7Path0Target0Lun0 89C32500
Device \FileSystem\Cdfs \Cdfs 89B12500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1B 0x29 0xF5 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8E 0x65 0x3F 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1A 0xBD 0x73 0x68 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1B 0x29 0xF5 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8E 0x65 0x3F 0xE8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1A 0xBD 0x73 0x68 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL F02F316A61A2957063CF18D0FE6BFEBE49F1F2BDF53C35D3595BB29BC6C290EF8731FA4E5D7BD695C4A09EBEE1C00144DD6425BE163309025D056DB6C168CE3582824E29B5780D4647B5DB805447D5A1F814A7B134332CF95DB6A2AA50052161E6BC039440B206B2817342648CF537CB60D226B80B3361136ECD570E4BA8EF523BEA16BC1978795C8831E74A897841095CE76C8916D84FFBAA1EB28BD1990E3A898C25609FCD7D9B783D832789AD7675B80CECED188200332FEE7EE3C4D12C20E096F45676E70E19F1D9720612AA3C02C66E3F4515BFE18F9EFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3DA2D97226D213B5558EDD5E5BE2F6E667DCF2B2FD1AC1ABFB9C0ED621215C38769B5AF4CC0DE284443C7B270062C05EB7CF22039D068F22C6514D388FE3A405AF72287F6E62362DAE76F7DCC3258C9745E2912F57A743539275650F0F99A08AB7771D845D9973584DD541823EB704F3ED0FF5B7C4C71D26C76FC6B23D0A9994C71EFE4ED99B0959CB7917766F3DDF6BEC4128324768BB565399028C7BB1B8449DCC3A3D64004B55D7F4DBAD9A0CBCC802DBA54882BC277425414C9AECC28B0FFADFDAC243147146A4511AAF462F1BAAF0328F37DFAAC7E3B22801F07D2006BCA5259567015B967
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes
File C:\WINDOWS\system32\wbem\Logs\wbemcore.log (size mismatch) 25729/25820 bytes
---- EOF - GMER 1.0.15 ----
--- --- --- --- --- --- Kann ich nun davon ausgehen, dass mein Rechner sauber ist oder soll ich doch platt machen und neuinstallieren? Danke im voraus für die Hilfe Geändert von harrybell (14.07.2010 um 10:20 Uhr) |
| Themen zu Trojaner sdra64 |
| acronis, ausgehen, avast!, bytes, c:\windows\system32\services.exe, cdrom, code, datei, folge, gegenmaßnahmen, gmer, hal.dll, i8042prt.sys, irql, logfiles, maßnahme, nvidia, programme, rechner, registry, scan, services.exe, software, spybot, system, system32, trojaner, udp, usbport.sys, windows, write |
Baum-Darstellung