Vorsicht | 08.05.2010 13:18 | Trojan.Dropper found - supposedly removed, GMER reports rootkit

Hello dear community,
here is my problem. Computer: Win7 HP 32-bit. Yesterday a routine scan by Norton Internet Security 2009
found Trojan.Dropper twice in the Thunderbird mail program, a) in the inbox and b) in the junk folder; both were supposedly removed.
Norton NIS2009 runs a complete system check once a week. According to Norton, these files, which Norton says are called speicher-11.exe, had been on the computer since mid-April; nevertheless Norton NIS 2009 only detected them yesterday.
Worried, I 1. ran Malwarebytes, 2. ran CCleaner, 3. ran GMER.
I'm also attaching the HijackThis log.
The GMER log: rootkit?
What should I do? I'm asking for help.
Many thanks and
best regards

Malwarebytes log:
Malwarebytes' Anti-Malware 1.46
w*w.malwarebytes.org
Database version: 4076
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
08.05.2010 13:09:51
mbam-log-2010-05-08 (13-09-51).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 185047
Time elapsed: 35 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:16:43, on 08.05.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
D:\Software\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-2865652161-1144600585-1328617019-1003\..\Run: [EPSON Stylus SX400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\Windows\TEMP\E_SF142.tmp" /EF "HKCU" (User '***')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O13 - Gopher Prefix:
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe
--
End of file - 4308 bytes

GMER rootkit log - the timestamp is older than the two Malwarebytes and HijackThis logs because I ran those scans again.
GMER 1.0.15.14966 - h**p://w*w.gmer.net
Rootkit scan 2010-05-08 12:13:24
Windows 6.1.7600
---- System - GMER 1.0.15 ----
SSDT 85BB7250 ZwAlertResumeThread
SSDT 85BDE150 ZwAlertThread
SSDT 855AE488 ZwAllocateVirtualMemory
SSDT 8577D350 ZwAlpcConnectPort
SSDT 85BBBD28 ZwAssignProcessToJobObject
SSDT 855B4770 ZwCreateMutant
SSDT 8688FFC0 ZwCreateSymbolicLinkObject
SSDT 855B0778 ZwCreateThread
SSDT 8688E290 ZwCreateThreadEx
SSDT 85BBA1E0 ZwDebugActiveProcess
SSDT 855B21B0 ZwDuplicateObject
SSDT 855AECB8 ZwFreeVirtualMemory
SSDT 85BC37A8 ZwImpersonateAnonymousToken
SSDT 85BC3CF8 ZwImpersonateThread
SSDT 857A4238 ZwLoadDriver
SSDT 855AEB98 ZwMapViewOfSection
SSDT 85BC3A40 ZwOpenEvent
SSDT 855AD710 ZwOpenProcess
SSDT 85B96468 ZwOpenProcessToken
SSDT 85BB9170 ZwOpenSection
SSDT 855AD640 ZwOpenThread
SSDT 8688E6F0 ZwProtectVirtualMemory
SSDT 85BB6068 ZwResumeThread
SSDT 85BC9150 ZwSetContextThread
SSDT 855B04D8 ZwSetInformationProcess
SSDT 85BB9450 ZwSetSystemInformation
SSDT 85BB9728 ZwSuspendProcess
SSDT 85BC9230 ZwSuspendThread
SSDT 85B96B68 ZwTerminateProcess
SSDT 85BDE3B0 ZwTerminateThread
SSDT 85BC90B8 ZwUnmapViewOfSection
SSDT 855AE278 ZwWriteVirtualMemory
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E32AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E32104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1A634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E32958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E32F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E331A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A4B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A6FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82A77734 8 Bytes [50, 72, BB, 85, 50, E1, BD, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82A7774C 4 Bytes [88, E4, 5A, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82A77758 4 Bytes [50, D3, 77, 85] {PUSH EAX; SAL DWORD [EDI-0x7b], CL}
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82A777AC 4 Bytes [28, BD, BB, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82A77828 4 Bytes [70, 47, 5B, 85]
.text ...
.text peauth.sys 994D0C9D 28 Bytes [04, 35, 00, 1E, 37, 6C, 36, ...]
.text peauth.sys 994D0CC1 28 Bytes [04, 35, 00, 1E, 37, 6C, 36, ...]
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----