GVU Trojaner

ovi3456 · 21.12.2012, 21:20

Hallo t'John!

vielen vielen Dank für deine Hilfe! Ich kann jetzt meinen Rechner wieder normal bedienen. Die letzten zwei Wochen war ich viel unterwegs und wenig zuhause, sodass ich erst jetzt dazugekommen bin alles ganz abzuarbeiten.
Hier sind die Logs:

OTL Log:

Code:

ATTFilter

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\cfFncEnabler.exe deleted successfully.
C:\Users\Heinz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk moved successfully.
C:\ProgramData\0tbpw.pad moved successfully.
========== FILES ==========
File\Folder C:\ProgramData\*.exe not found.
File\Folder C:\ProgramData\*.dll not found.
File\Folder C:\ProgramData\*.tmp not found.
File\Folder C:\ProgramData\TEMP not found.
File\Folder C:\Users\Heinz\*.tmp not found.
C:\Users\Heinz\AppData\Local\Temp\AdobeUpdater12345.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\c7jiwemvtne2.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\DelayInst.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\DivXSetup.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\FlashPlayerUpdate.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\FlashPlayerUpdate01.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\FlashPlayerUpdate02.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\FlashPlayerUpdate03.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\installservice.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\instmsi.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\instmsiw.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u13-windows-i586-p-iftw_13974002.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u20-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\lj1018-HB-pd-win32-enp.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\lj1018-HB-pd-win32-gep.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\lj1018-HB-pnp-win32-gep.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\msg5255.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\SkypeSetup.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\vpnclient_setup.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\wlsetup-cvr.exe moved successfully.
C:\Users\Heinz\AppData\Local\Temp\ytb.exe moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\tmp folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\muffin folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\host folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\1a209876-5f035f3c-n folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6d0ad391-1575a887-n folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache\6.0 folder moved successfully.
C:\Users\Heinz\AppData\LocalLow\Sun\Java\Deployment\cache folder moved successfully.
File/Folder C:\Users\Heinz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk not found.
< ipconfig /flushdns /c >
Windows-IP-Konfiguration
Der DNS-Aufl”sungscache wurde geleert.
C:\Users\Heinz\Desktop\cmd.bat deleted successfully.
C:\Users\Heinz\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Flash cache emptied: 41 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Heinz
->Temp folder emptied: 7029564947 bytes
->FireFox cache emptied: 422829945 bytes
->Flash cache emptied: 5878 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 628534478 bytes
RecycleBin emptied: 12194943 bytes
 
Total Files Cleaned = 7.718,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 12112012_213917

Files\Folders moved on Reboot...
C:\Users\Heinz\AppData\Local\Temp\wpbt0.dll moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Malwarebytes Log:

Code:

ATTFilter

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Datenbank Version: v2012.12.11.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Heinz :: HEINZ-PC [Administrator]

11.12.2012 21:58:41
mbam-log-2012-12-21 (20-43-16).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|E:\|)
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 419925
Laufzeit: 4 Stunde(n), 22 Minute(n), 46 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 4
C:\Users\Heinz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J4N7Z8RJ\myfile[1].dll (Trojan.Ransom) -> Keine Aktion durchgeführt.
C:\_OTL\MovedFiles\12112012_213917\C_Users\Heinz\AppData\Local\Temp\c7jiwemvtne2.exe (Trojan.Agent.RNDGen) -> Keine Aktion durchgeführt.
C:\_OTL\MovedFiles\12112012_213917\C_Users\Heinz\AppData\Local\Temp\wpbt0.dll (Trojan.Ransom) -> Keine Aktion durchgeführt.
C:\Users\Heinz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Keine Aktion durchgeführt.

(Ende)

In dem Log, das Malwarebytes direkt nach dem Suchlauf angezeigt hatte stand, dass die vier infizierten Dateien in Quarantäne oder gelöscht wurden. Unter dem Reiter "Quarantäne" zeigt Malwarebytes jetzt nur den Trojan.Ransom.SUGen an.

Adwcleander Log:

Code:

ATTFilter

# AdwCleaner v2.101 - Datei am 21/12/2012 um 20:55:30 erstellt
# Aktualisiert am 16/12/2012 von Xplode
# Betriebssystem : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Benutzer : Heinz - HEINZ-PC
# Bootmodus : Normal
# Ausgeführt unter : C:\Users\Heinz\Desktop\adwcleaner.exe
# Option [Löschen]


**** [Dienste] ****


***** [Dateien / Ordner] *****

Ordner Gelöscht : C:\Users\Heinz\AppData\LocalLow\boost_interprocess

***** [Registrierungsdatenbank] *****

Schlüssel Gelöscht : HKLM\Software\Freeze.com
Schlüssel Gelöscht : HKLM\SOFTWARE\Software

***** [Internet Browser] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Die Registrierungsdatenbank ist sauber.

-\\ Mozilla Firefox v17.0 (de)

Profilname : default 
Datei : C:\Users\Heinz\AppData\Roaming\Mozilla\Firefox\Profiles\7sadp2dn.default\prefs.js

C:\Users\Heinz\AppData\Roaming\Mozilla\Firefox\Profiles\7sadp2dn.default\user.js ... Gelöscht !

Gelöscht : user_pref("surfcanyon.fractions", "0.0_0.0\r\n");
Gelöscht : user_pref("surfcanyon.last_checked_ts", "1266957106765");

*************************

AdwCleaner[S1].txt - [1120 octets] - [21/12/2012 20:55:30]

########## EOF - C:\AdwCleaner[S1].txt - [1180 octets] ##########

GVU Trojaner

Plagegeister aller Art und deren Bekämpfung: GVU Trojaner

GVU Trojaner