Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Pests of all kinds and how to fight them (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   TR/Daonol.AA (https://www.trojaner-board.de/79635-tr-daonol-aa.html)

masterli 25.11.2009 13:54

I just pressed Esc at the "Windows is loading" screen... and all of a sudden I can start HijackThis... but in return the other user account is now infected as well

here is my HJT log

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:16, on 25.11.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programme\Alwil Software\Avast4\setup\avast.setup
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Nachrichten - Service - Shopping bei t-online.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Nachrichten - Service - Shopping bei t-online.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer bereitgestellt von T-Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 142.150.238.13:3124
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] C:\Programme\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [WiseStubReboot] MSIEXEC /quiet SKIP_PPU_DRIVER_INSTALL=1 /I "C:\Programme\Gemeinsame Dateien\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_0814.MSI" TRANSFORMS="C:\Programme\Gemeinsame Dateien\Wise Installation Wizard\WISC5C1C0F0D62F4DBF81D4D7EF397C228B_9_09_0814.MST" WISE_SETUP_EXE_PATH="c:\nvidia\displaydriver\190.62\international\PhysX_9.09.0814_SystemSoftware.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [BrStsWnd.exe] C:\Programme\Brownie\BrStsWnd.exe WindowsStartUpModel (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [BrStsWnd.exe] C:\Programme\Brownie\BrStsWnd.exe WindowsStartUpModel (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: winmm.dll
O23 - Service: Adobe Version Cue CS3 {de_DE} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

--
End of file - 8138 bytes
Anti-Malware is running right now, and before that avast reported Win32:Kates-G

what is actually the difference between:
- booting from CD...
- or putting the drive into another PC and running the tools over the drive from the other Windows??

and could you make anything out of my AVZ logs???
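
The HijackThis log above lists every registry entry the tool knows how to enumerate, and most of them are benign. As an added example (not code from the thread, from HijackThis, or from the helpers here), the script below parses lines in the HJT 2.0.2 format and pulls out the entry classes a responder reviews first: an explicit per-user proxy server (R1 ProxyServer), an AppInit_DLLs value (O20), a Winsock LSP the tool could not identify (O10), and orphaned BHO registrations (O2 with "(no file)"). The sample log is constructed; the proxy address 192.0.2.10:3128 and the paths in it are placeholders, not values from any real system.

```python
"""Triage pass over a HijackThis (HJT) log: surface the entry classes a
responder reviews first. Added example, not part of the forum thread."""
import re
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    code: str      # HJT section code, e.g. "R1" or "O20"
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str      # the original log line, for the report


# HJT entry lines start with a section code (R0, R1, F2, O2, O4, ...), then " - ".
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Constructed sample in HJT 2.0.2 format, modelled on the entry types in the
# posted log. Proxy address and paths are made up for the example.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = Google
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 192.0.2.10:3128
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Programme\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\example_lsp.dll
O20 - AppInit_DLLs: winmm.dll
O23 - Service: Example Service (ExSvc) - Example GmbH - C:\\Programme\\Example\\exsvc.exe
"""


def parse_entries(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, line) for every HJT entry; skip headers and the process list."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(text: str) -> List[Finding]:
    """Return the entries worth a manual look, highest severity first."""
    findings: List[Finding] = []
    for code, body, line in parse_entries(text):
        if code == "R1" and ",ProxyServer =" in body:
            value = body.partition("=")[2].strip()
            if value:  # an empty ProxyServer value means no proxy is configured
                findings.append(Finding(code, "high",
                    f"explicit proxy {value} set for this user; confirm it was configured intentionally",
                    line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                # A bare filename is resolved through the normal DLL search order,
                # so the file that actually loads has to be located and verified.
                bare = "\\" not in value
                reason = f"AppInit_DLLs injects {value!r} into every process that loads user32.dll"
                if bare:
                    reason += "; bare filename, so locate the file that actually gets loaded"
                findings.append(Finding(code, "high" if bare else "medium", reason, line))
        elif code == "O10":
            findings.append(Finding(code, "medium",
                "Winsock LSP the tool could not identify; verify the DLL's publisher", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding(code, "low",
                "BHO registration whose DLL no longer exists (orphan, cleanup only)", line))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Everything the script does not flag still has to be read once; the point of the pass is ordering, not a verdict, and an entry like O20 is only meaningful together with the file it names.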

masterli 25.11.2009 14:27

here is the AVZ log from your second script... you gave me quite a scare with the reboot line.. I hadn't read it at all and thought who knows what :D since I'm doing, or was doing, 20 things at once here...

Quote:

Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
Script error: Not enough actual parameters, position [7:16]
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=07B180)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 80552180
KiST = 80501030 (284)
Function NtAllocateVirtualMemory (11) intercepted (8059C910->B72B5B30), hook C:\WINDOWS\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (19) intercepted (805B0714->B4BCD6B8), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (80618BD2->B4BCD574), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (805C5AD0->B87FA6FC), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (80619062->B87FA70B), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80619232->B4BCDA52), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805B21F0->B4BCD14C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80619412->B7ECDDA4), hook spkb.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (8061967C->B7ECE132), hook spkb.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey (62) intercepted (8061A902->B87FA71A), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (6C) intercepted (805A5F5A->B72B5470), hook C:\WINDOWS\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (80619F68->B4BCD64E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805BFB78->B4BCD08C), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (805BFE04->B4BCD0F0), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtProtectVirtualMemory (89) intercepted (805AC4E2->B72B5C50), hook C:\WINDOWS\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (8061A28C->B7ECE20A), hook spkb.sys
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (80616C8C->B4BCD76E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (C1) intercepted (8061A7B2->B87FA724), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (80616FDA->B4BCD72E), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80617292->B4BCD8AE), hook C:\WINDOWS\System32\Drivers\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtShutdownSystem (F9) intercepted (8060786E->B72B5990), hook C:\WINDOWS\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805C74C8->B87FA6F7), hook not defined
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (805A82F6->B72B5D60), hook C:\WINDOWS\system32\drivers\wpsdrvnt.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Functions checked: 284, intercepted: 23, restored: 23
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
CmpCallCallBacks = 0008802E
Disable callback OK
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 89D601F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 89D601F8 -> hook not defined
Checking - complete
Delete file:C:\PROGRA~1\INTERN~1\..\lohe.old 0yAAAAAAAA
>>>To delete the file C:\PROGRA~1\INTERN~1\..\lohe.old 0yAAAAAAAA reboot is required
Removing traces of deleted files...
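
The AVZ section 1.2 above lists every intercepted SSDT entry together with the driver AVZ attributes the hook to; "hook not defined" means it could not map the handler address to any loaded driver. As an added example (not code from the thread or from AVZ), the script below parses those lines, groups the hooked functions by owning driver, and clusters the unattributed handler addresses: handlers that sit within a few bytes of each other almost certainly live in the same unidentified module, which tells a responder how many unknown components are actually present. The sample input is a subset of the lines posted above; the 0x10000 clustering window is an assumption for the example.

```python
"""Summarise AVZ kernel-mode hook output (section 1.2). Added example,
not part of the forum thread and not AVZ's own code."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Hook(NamedTuple):
    function: str
    index: int           # SSDT index as printed by AVZ (hex)
    original: int        # address of the original handler
    handler: int         # address the entry now points to
    owner: Optional[str] # driver AVZ attributed the hook to; None for "hook not defined"
    trusted: bool        # AVZ printed "driver recognized as trusted"


HOOK_LINE = re.compile(
    r"^Function (?P<fn>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<new>[0-9A-Fa-f]+)\), hook (?P<hook>.+)$")
TRUSTED_SUFFIX = ", driver recognized as trusted"

# Subset of the AVZ lines posted in the thread, used as sample input.
SAMPLE = """\
Function NtClose (19) intercepted (805B0714->B4BCD6B8), hook C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (805C5AD0->B87FA6FC), hook not defined
Function NtDeleteKey (3F) intercepted (80619062->B87FA70B), hook not defined
Function NtEnumerateKey (47) intercepted (80619412->B7ECDDA4), hook spkb.sys
Function NtLoadKey (62) intercepted (8061A902->B87FA71A), hook not defined
Function NtReplaceKey (C1) intercepted (8061A7B2->B87FA724), hook not defined
Function NtTerminateProcess (101) intercepted (805C74C8->B87FA6F7), hook not defined
Function NtWriteVirtualMemory (115) intercepted (805A82F6->B72B5D60), hook C:\\WINDOWS\\system32\\drivers\\wpsdrvnt.sys, driver recognized as trusted
Functions checked: 284, intercepted: 23, restored: 23
"""


def parse_hooks(text: str) -> List[Hook]:
    """Extract one Hook per 'Function ... intercepted' line; other lines are ignored."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        m = HOOK_LINE.match(raw.strip())
        if not m:
            continue
        hook = m.group("hook").strip()
        if hook == "not defined":
            owner, trusted = None, False
        elif hook.endswith(TRUSTED_SUFFIX):
            owner, trusted = hook[: -len(TRUSTED_SUFFIX)], True
        else:
            owner, trusted = hook, False  # named driver, but not on AVZ's trusted list
        hooks.append(Hook(m.group("fn"), int(m.group("idx"), 16),
                          int(m.group("orig"), 16), int(m.group("new"), 16),
                          owner, trusted))
    return hooks


def by_owner(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Map each owning driver (or '<unattributed>') to the functions it hooks."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        groups[h.owner or "<unattributed>"].append(h.function)
    return dict(groups)


def cluster_handlers(hooks: List[Hook], span: int = 0x10000) -> List[List[Hook]]:
    """Group unattributed hooks whose handler addresses lie within `span` bytes
    of the first address in the group. Each cluster is one likely module."""
    unattributed = sorted((h for h in hooks if h.owner is None), key=lambda h: h.handler)
    clusters: List[List[Hook]] = []
    for h in unattributed:
        if clusters and h.handler - clusters[-1][0].handler <= span:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for owner, fns in by_owner(hooks).items():
        print(f"{owner}: {', '.join(fns)}")
    for i, cl in enumerate(cluster_handlers(hooks), 1):
        lo, hi = cl[0].handler, cl[-1].handler
        print(f"unattributed cluster {i}: {len(cl)} hooks in {lo:08X}-{hi:08X}")
```

On the posted log this puts all five "hook not defined" handlers into a single cluster a few dozen bytes wide, so the registry- and process-related hooks that AVZ could not attribute come from one unidentified code region rather than several.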

cosinus 26.11.2009 10:21

*butting in*

Can you run RSIT or OTL? Please attach the log files here.

System scan with OTL

Please download OTL by OldTimer and save it to your desktop
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread.

masterli 26.11.2009 10:31

Quote:

*butting in*
thnx

my logs are attached

Da GuRu 26.11.2009 10:52

the 'dissatisfied customer' has decided to take a break from the board :)


Copyright ©2000-2026, Trojaner-Board
