Log analysis and evaluation: A new window opens in Firefox (with Wikipedia), Windows 7
If you have picked up a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and Trojans can be removed, the infected system has to be examined first: First steps for getting help. Bear in mind that an infected system is not trustworthy and should not be used until the malware has been removed completely.
#1
In Firefox öffnet sich neues Fenster ( mit Wikipedia )
Hi and good evening! Following the instructions provided, I ran "gmer" and am posting the log file. The problem is that (presumably after an update of Adobe Flash Player) a new browser window (Firefox) opens and a Wikipedia page is always displayed. Uninstalling the Flash Player will presumably not be enough, hence my request for help. I have Windows 7 32-bit here. Many thanks in advance, of course!! Here is the log file:
GMER Logfile:
Code:
GMER 2.0.18454 - hxxp://www.gmer.net
Rootkit scan 2013-02-03 19:54:43
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000075 TOSHIBA_ rev.AX00 931,51GB
Running: neu_gmer.com.exe; Driver: C:\Users\ALF\AppData\Local\Temp\uwldrpow.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x92C3306E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcCreatePort [0x92C33936]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x913A30DA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x92C32AC4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x913A3CA6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x92C4E1C6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x92C335CE]
SSDT 923691B6 ZwCreateSection
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys ZwCreateThreadEx [0x912646C0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x92C3372C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x913A3EB8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x913A7714]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x913A7756]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x913A78FA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x92C5098A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x92C50E3C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0x92C52D18]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x913A3DCA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x913A3282]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x913A3482]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x913A35C2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x913A785E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x913A77A8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x913A77EA]
SSDT 923691C0 ZwRequestWaitReplyPort
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x913A7824]
SSDT 923691BB ZwSetContextThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x913A3F6A]
SSDT 923691C5 ZwSetSecurityObject
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x913A769C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x913A2FE6]
SSDT 923691CA ZwSystemDebugControl
SSDT 92369157 ZwTerminateProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x913A2F46]

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 84274A49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 842AE4D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 842B5534 8 Bytes [6E, 30, C3, 92, 36, 39, C3, ...] {OUTS DX, BYTE [ESI]; XOR BL, AL; XCHG EDX, EAX; CMP EBX, EAX; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 842B5588 4 Bytes [DA, 30, 3A, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 842B55C8 4 Bytes [C4, 2A, C3, 92] {LES EBP, [EDX]; RET ; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 842B55E4 4 Bytes [A6, 3C, 3A, 91] {CMPSB ; CMP AL, 0x3a; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 842B55F4 4 Bytes [C6, E1, C4, 92]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x93835000, 0x3617E0, 0xE8000020]
PAGE peauth.sys A8F5E02C 102 Bytes JMP 8577158A

---- User code sections - GMER 2.0 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] ntdll.dll!KiUserApcDispatcher 76EC6F38 5 Bytes JMP 00414FF0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] WS2_32.dll!getaddrinfo 76474296 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] WS2_32.dll!gethostbyname 76487673 5 Bytes JMP 71AE0022
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1948] USER32.dll!GetUpdateRect + CF 7670A644 5 Bytes JMP 20CB9266 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2172] ntdll.dll!KiUserApcDispatcher 76EC6F38 5 Bytes JMP 0043A7C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2172] WS2_32.dll!getaddrinfo 76474296 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2172] WS2_32.dll!gethostbyname 76487673 5 Bytes JMP 71AE0022

---- Kernel IAT/EAT - GMER 2.0 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [92C38592] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [92C37DA0] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [92C364F6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [92C37F4A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [92C37F4A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [92C38592] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [92C37DA0] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [92C364F6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [92C37F4A] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [92C364F6] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [92C38592] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [92C37DA0] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 2.0 ----

IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1948] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!RegisterWaitForSingleObject] [6F731F20] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1948] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [6F7320F0] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [712D24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [712B562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [712B56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [712D2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [712C85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [712C4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [712C5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [712C51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [712C6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [712C8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [712C8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [712C90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [712CE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2092] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [712C4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3620] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F0FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de compatibilidad de aplicaciones cliente/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3620] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F0FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de compatibilidad de aplicaciones cliente/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3620] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F0FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de compatibilidad de aplicaciones cliente/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3620] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F0FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de compatibilidad de aplicaciones cliente/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3620] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74F0FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de compatibilidad de aplicaciones cliente/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272199da2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272199da2@347e39598841 0xE2 0x25 0xAA 0x9D ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\000272199da2@02bdada3574b 0xD2 0x44 0x63 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272199da2
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272199da2@347e39598841 0x32 0x7E 0x20 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272199da2@e8e5d6a2163e 0x98 0x54 0x37 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272199da2@6ca780e4fd55 0x14 0x5D 0xA3 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\222222222222
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272199da2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272199da2@347e39598841 0x32 0x7E 0x20 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272199da2@e8e5d6a2163e 0x98 0x54 0x37 0x7D ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\000272199da2@6ca780e4fd55 0x14 0x5D 0xA3 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\222222222222 (not active ControlSet)

---- EOF - GMER 2.0 ----
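As an added example (not part of the original post, and not a GMER feature), the following Python script shows how an analyst can triage a GMER log like the one above before reading it line by line. It groups the SSDT and kernel IAT hooks by the driver that owns them, so the hooks attributed to vsdatant.sys (ZoneAlarm) and to the Trusteer Rapport drivers can be matched against the security products the log itself names, and it separates out the entries that need manual follow-up: SSDT entries that GMER resolved only to a bare address and no module (in the log above: ZwCreateSection, ZwRequestWaitReplyPort, ZwSetContextThread, ZwSetSecurityObject, ZwSystemDebugControl and ZwTerminateProcess), patched kernel code bytes, and driver code sections mapped writable. The sample log embedded in the script is a subset of the lines posted above; the attributed/unattributed split is the script's own heuristic and is not a verdict on this machine, and a rootkit that hooks the kernel can also feed false information to the scanner, which is why the forum text says an infected system is not trustworthy.

```python
"""Triage a GMER 2.0 rootkit-scan log.

Added example, not part of the original post and not part of GMER.  SAMPLE_LOG
is a subset of the log posted above.  The classification (hooks owned by a
named driver are 'attributed', hooks that resolve only to an address are
'unattributed') is this script's own heuristic, not a verdict.
"""
import re
import sys
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 2.0 ----
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x92C3306E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x913A3CA6]
SSDT 923691B6 ZwCreateSection
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus32_43926.sys ZwCreateThreadEx [0x912646C0]
SSDT 923691C0 ZwRequestWaitReplyPort
SSDT 92369157 ZwTerminateProcess
---- Kernel code sections - GMER 2.0 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 84274A49 1 Byte [06]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x93835000, 0x3617E0, 0xE8000020]
---- Kernel IAT/EAT - GMER 2.0 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [92C38592] \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
---- EOF - GMER 2.0 ----
"""

# Line shapes as they appear in GMER 2.0 output (kernel-mode sections only;
# user-mode IAT lines have a different "[pid] @ module" shape and are counted
# as unparsed rather than guessed at).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.0 ----$")
SSDT_MOD_RE = re.compile(
    r"^SSDT\s+(?P<module>\\.*?\.sys)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$")
SSDT_ADDR_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
WRITABLE_RE = re.compile(r"^\.text\s+(?P<module>.+?)\s+section is writeable\s+\[")
PATCH_RE = re.compile(
    r"^\.text\s+(?P<symbol>\S+!\S+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<count>\d+)\s+Bytes?\s+\[")
IAT_RE = re.compile(
    r"^IAT\s+(?P<target>\S+?)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>\\.*?\.sys)(?:\s+\((?P<vendor>[^)]*)\))?")
SHAPES = (("ssdt", SSDT_MOD_RE), ("ssdt_bare", SSDT_ADDR_RE),
          ("writable", WRITABLE_RE), ("patch", PATCH_RE), ("iat", IAT_RE))


def parse_gmer(text):
    """Turn a GMER log into entry dicts; unknown lines are kept as kind='other'
    so nothing is silently dropped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for kind, rx in SHAPES:
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "section": section, "line": line, **m.groupdict()})
                break
        else:
            entries.append({"kind": "other", "section": section, "line": line})
    return entries


def triage(entries):
    """Group attributed hooks per driver and collect the items needing follow-up."""
    by_module = defaultdict(lambda: {"vendor": None, "hooks": []})
    report = {"unattributed_ssdt": [], "writable_sections": [],
              "kernel_patches": [], "unparsed": 0}
    for e in entries:
        k = e["kind"]
        if k in ("ssdt", "iat"):
            slot = by_module[e["module"].rsplit("\\", 1)[-1]]   # basename of the hooking driver
            if e.get("vendor"):
                slot["vendor"] = e["vendor"]
            slot["hooks"].append(f"{k.upper()} {e['func'] if k == 'ssdt' else e['imp']}")
        elif k == "ssdt_bare":          # GMER printed an address but no owning module
            report["unattributed_ssdt"].append((e["addr"], e["func"]))
        elif k == "writable":
            report["writable_sections"].append(e["module"])
        elif k == "patch":
            report["kernel_patches"].append((e["symbol"], int(e["count"])))
        else:
            report["unparsed"] += 1
    for slot in by_module.values():
        slot["hooks"].sort()
    report["by_module"] = dict(by_module)
    return report


def main():
    # Optional path to a saved GMER log; GMER writes ANSI/UTF-16 files, so decode leniently.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = triage(parse_gmer(text))
    for mod, info in sorted(report["by_module"].items()):
        print(f"{mod} ({info['vendor'] or 'no vendor string in log'}): {len(info['hooks'])} hook(s)")
    for addr, func in report["unattributed_ssdt"]:
        print(f"FOLLOW UP: SSDT {func} -> {addr} resolves to no module")
    for mod in report["writable_sections"]:
        print(f"FOLLOW UP: writable code section in {mod}")
    for symbol, n in report["kernel_patches"]:
        print(f"FOLLOW UP: {n} byte(s) patched at {symbol}")
    print(f"unparsed lines: {report['unparsed']}")


if __name__ == "__main__":
    main()
```

Run it as `python3 gmer_triage.py` to see the embedded sample, or `python3 gmer_triage.py gmer.log` against a saved log. The bare-address SSDT entries are the ones to resolve first (against a clean kernel or a second scanner), because a hook GMER cannot attribute to a driver is exactly what a kernel-mode rootkit produces; the driver-attributed hooks still deserve a check that the named files really are the installed security products, since a path and a vendor string in a log are not a signature.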