Pests of all kinds and their removal: GVU Trojan with webcam, new? (Windows 7)
22.01.2013, 14:15 | #1
GVU Trojan with webcam, new? Hello, I have here on a laptop the new (I assume it is new) GVU Trojan, which can even access the integrated camera in the laptop and takes a picture of me when I stand in front of it. Without much hesitation I used the Kaspersky WindowsUnlocker, the latest version available on chip. Unfortunately without success, until I came across this forum. I read a few threads here and then acted accordingly with OTLPE, and now I am uploading the OTL.txt and hope for help. Code:
ATTFilter OTL logfile created on: 1/22/2013 1:44:04 PM - Run OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE 64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System Internet Explorer (Version = 9.0.8112.16421) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free 3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = E: | %SystemRoot% = E:\windows | %ProgramFiles% = E:\Program Files (x86) Drive C: | 100.00 Mb Total Space | 74.24 Mb Free Space | 74.25% Space Free | Partition Type: NTFS Drive D: | 7.49 Gb Total Space | 6.52 Gb Free Space | 86.99% Space Free | Partition Type: FAT32 Drive E: | 905.18 Gb Total Space | 824.91 Gb Free Space | 91.13% Space Free | Partition Type: NTFS Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS Computer Name: REATOGO | User Name: SYSTEM Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 7 Days Using ControlSet: ControlSet001 ========== Win32 Services (SafeList) ========== SRV:64bit: - [2012/02/02 08:29:52 | 000,628,448 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\iCLS Client\HeciServer.exe -- (Intel(R) Capability Licensing Service Interface) Intel(R) SRV:64bit: - [2011/12/07 20:44:04 | 000,594,704 | ---- | M] (Intel® Corporation) [Auto] -- E:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe -- (ZeroConfigService) Intel(R) SRV:64bit: - [2011/12/07 20:43:56 | 000,273,168 | ---- | M] () [On_Demand] -- E:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS) SRV:64bit: - [2011/12/07 20:43:48 | 000,618,256 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\WiFi\bin\EvtEng.exe -- 
(EvtEng) Intel(R) SRV:64bit: - [2011/12/07 20:43:44 | 000,148,752 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R) SRV:64bit: - [2011/12/04 19:30:50 | 000,659,968 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe -- (AMPPALR3) SRV:64bit: - [2011/12/04 18:55:36 | 000,135,952 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe -- (BTHSSecurityMgr) Intel(R) Centrino(R) Wireless Bluetooth(R) SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2013/01/11 06:10:18 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc) SRV - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto] -- E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice) SRV - [2012/07/18 11:06:12 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2012/07/18 11:06:03 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService) SRV - [2012/07/18 11:06:01 | 000,375,760 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService) SRV - [2012/07/18 11:06:01 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. 
KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2012/06/11 04:33:26 | 000,724,376 | ---- | M] (Nokia) [On_Demand] -- E:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer) SRV - [2012/02/13 01:02:24 | 000,031,624 | ---- | M] () [Auto] -- E:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe -- (SamsungDeviceConfigurationWinService) SRV - [2012/02/10 04:28:06 | 000,240,408 | ---- | M] (Microsoft Corporation.) [On_Demand] -- E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE -- (BBUpdate) SRV - [2012/02/10 04:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) [Auto] -- E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE -- (BBSvc) SRV - [2012/02/07 21:03:36 | 000,363,800 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R) SRV - [2012/02/07 21:03:34 | 000,277,784 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R) SRV - [2012/02/07 21:03:28 | 000,128,280 | ---- | M] () [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe -- (Intel(R) ME Service) Intel(R) SRV - [2012/02/07 21:03:16 | 000,161,560 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe -- (jhi_service) Intel(R) SRV - [2012/02/02 12:28:10 | 000,274,200 | ---- | M] (Intel Corporation) [On_Demand] -- E:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs) Intel(R) SRV - [2012/02/01 01:12:16 | 002,458,944 | ---- | M] (NVIDIA Corporation) [Auto] -- E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService) SRV - [2012/01/10 13:30:16 | 000,201,344 | ---- | M] (Telefónica) [Auto] -- E:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe -- 
(TGCM_ImportWiFiSvc) SRV - [2011/12/19 05:16:50 | 001,104,208 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe -- (Bluetooth OBEX Service) SRV - [2011/12/19 05:16:48 | 001,304,912 | ---- | M] (Intel Corporation) [On_Demand] -- E:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe -- (Bluetooth Media Service) SRV - [2011/12/19 05:16:44 | 001,014,096 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe -- (Bluetooth Device Monitor) SRV - [2010/10/22 06:08:18 | 001,039,360 | ---- | M] (Hewlett-Packard Co.) [Auto] -- E:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC) SRV - [2010/03/18 06:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32) SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32) ========== Driver Services (SafeList) ========== DRV:64bit: - [2012/07/18 11:06:32 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV:64bit: - [2012/07/18 11:06:32 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto] -- E:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV:64bit: - [2012/07/18 11:06:32 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avkmgr.sys -- (avkmgr) DRV:64bit: - [2012/06/11 04:33:46 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\pccsmcfdx64.sys -- (pccsmcfd) DRV:64bit: - [2012/02/01 01:12:14 | 000,028,992 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\nvpciflt.sys -- (nvpciflt) DRV:64bit: - [2012/01/05 05:36:54 | 014,652,768 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\igdkmd64.sys -- (igfx) 
DRV:64bit: - [2012/01/04 13:58:50 | 000,786,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iusb3xhc.sys -- (iusb3xhc) Intel(R) DRV:64bit: - [2012/01/04 13:58:50 | 000,355,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iusb3hub.sys -- (iusb3hub) Intel(R) DRV:64bit: - [2012/01/04 13:58:50 | 000,016,152 | ---- | M] (Intel Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\iusb3hcs.sys -- (iusb3hcs) Intel(R) DRV:64bit: - [2011/12/20 03:38:36 | 000,034,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\intelaud.sys -- (intaud_WaveExtensible) DRV:64bit: - [2011/12/20 03:38:36 | 000,025,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iwdbus.sys -- (iwdbus) DRV:64bit: - [2011/12/14 00:26:56 | 000,060,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iBtFltCoex.sys -- (ibtfltcoex) DRV:64bit: - [2011/12/12 21:26:20 | 000,747,008 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\btmhsf.sys -- (btmhsf) DRV:64bit: - [2011/12/12 21:26:18 | 000,094,720 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\btmaux.sys -- (btmaux) DRV:64bit: - [2011/12/05 13:23:08 | 000,331,264 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R) DRV:64bit: - [2011/12/04 19:22:58 | 000,195,584 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand] -- E:\Windows\System32\drivers\AmpPal.sys -- (AMPPALP) DRV:64bit: - [2011/12/04 19:22:58 | 000,195,584 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand] -- E:\Windows\System32\drivers\AmpPal.sys -- (AMPPAL) DRV:64bit: - [2011/12/01 08:51:00 | 011,417,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\NETwNs64.sys -- (NETwNs64) ___ Intel(R) DRV:64bit: - 
[2011/11/23 09:02:20 | 000,648,808 | ---- | M] (Realtek ) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167) DRV:64bit: - [2011/11/10 04:04:14 | 000,060,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\HECIx64.sys -- (MEIx64) Intel(R) DRV:64bit: - [2011/08/17 02:19:38 | 000,031,216 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\clwvd.sys -- (clwvd) DRV:64bit: - [2011/05/03 02:42:40 | 000,222,464 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV:64bit: - [2011/04/11 05:55:24 | 000,007,680 | ---- | M] (Phoenix Technologies Ltd.) [Kernel | Auto] -- E:\Windows\System32\drivers\SGDrv64.sys -- (SGDrv) DRV:64bit: - [2011/01/30 05:19:34 | 000,086,016 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ew_jubusenum.sys -- (huawei_enumerator) DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt) DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD) DRV:64bit: - [2010/10/08 03:59:40 | 000,032,768 | ---- | M] (Huawei Tech. Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ewdcsc.sys -- (Huawei) DRV:64bit: - [2010/07/26 20:52:16 | 000,117,248 | ---- | M] (Huawei Technologies Co., Ltd.) 
[Kernel | On_Demand] -- E:\Windows\System32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev) DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- E:\Windows\System32\wbem\ntfs.mof -- (Ntfs) DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\evbda.sys -- (ebdrv) DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\bxvbda.sys -- (b06bdrv) DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\Besitzer_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com IE - HKU\Besitzer_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ IE - HKU\Besitzer_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\System32\Macromed\Flash\NPSWF64_11_5_502_146.dll () FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: E:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll () FF - HKLM\Software\Wow6432Node\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59: E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: E:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: E:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: E:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: File not found FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: E:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/09/03 03:25:25 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/09/03 03:25:25 | 000,000,000 | ---D | M] O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.) 
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.) O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O4:64bit: - HKLM..\Run: [BTMTrayAgent] E:\Program Files (x86)\Intel\Bluetooth\btmshell.dll (Intel Corporation) O4:64bit: - HKLM..\Run: [RtHDVCpl] E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [avgnt] E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) O4 - HKU\Besitzer_ON_E..\Run: [ieodjrzotp] E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe (BitTech Co. Ltd.) O4 - HKU\Besitzer_ON_E..\Run: [PC Suite Tray] E:\Program Files (x86)\Nokia PC Suite\Nokia PC Suite 7\PCSuite.exe (Nokia) O4 - HKU\LocalService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\NetworkService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\UpdatusUser_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation) O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] File not found O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] File not found O4 - HKU\UpdatusUser_ON_E..\RunOnce: [mctadmin] File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O7 - 
HKU\Besitzer_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1 O7 - HKU\UpdatusUser_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. 
KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG) O13:64bit: - gopher Prefix: missing O13 - gopher Prefix: missing O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found O20:64bit: - AppInit_DLLs: (C:\windows\system32\nvinitx.dll) - E:\Windows\System32\nvinitx.dll (NVIDIA Corporation) O20 - AppInit_DLLs: (C:\windows\SysWOW64\nvinit.dll) - E:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation) O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: Shell - (C:\ProgramData\phxzbypky) - E:\ProgramData\phxzbypky.exe (BitTech Co. Ltd.) O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. 
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found. O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/03/21 15:20:10 | 000,059,310 | RHS- | M] () - D:\autorun.inf -- [ FAT32 ] O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ] O33 - MountPoints2\{d85d1922-b70c-11e1-a33a-806e6f6e6963}\Shell - "" = AutoRun O33 - MountPoints2\{d85d1922-b70c-11e1-a33a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\reatogoMenu.exe O33 - MountPoints2\{e9a6221e-f2a8-11e1-bcc8-c48508596d06}\Shell - "" = AutoRun O33 - MountPoints2\{e9a6221e-f2a8-11e1-bcc8-c48508596d06}\Shell\AutoRun\command - "" = E:\AutoRun.exe 64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found 64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 7 Days ========== [2013/01/21 14:33:09 | 000,000,000 | ---D | C] -- E:\Kaspersky Rescue Disk 10.0 [2013/01/20 07:08:01 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\Documents\Youcam [2013/01/20 07:07:58 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\AppData\Roaming\CyberLink [2013/01/20 07:07:58 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\AppData\Local\CyberLink [2013/01/20 07:00:57 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe [2013/01/20 06:57:41 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe [2013/01/20 06:57:40 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) 
-- E:\ProgramData\phxzbypky.exe ========== Files - Modified Within 7 Days ========== [2013/01/22 07:22:30 | 000,067,584 | --S- | M] () -- E:\windows\bootstat.dat [2013/01/22 07:17:00 | 000,000,328 | ---- | M] () -- E:\windows\tasks\Xerox PhotoCafe Communicator.job [2013/01/22 07:14:42 | 000,020,992 | -H-- | M] () -- E:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013/01/22 07:14:42 | 000,020,992 | -H-- | M] () -- E:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/01/22 07:12:13 | 000,696,870 | ---- | M] () -- E:\windows\System32\perfh007.dat [2013/01/22 07:12:13 | 000,652,148 | ---- | M] () -- E:\windows\System32\perfh009.dat [2013/01/22 07:12:13 | 000,148,134 | ---- | M] () -- E:\windows\System32\perfc007.dat [2013/01/22 07:12:13 | 000,121,080 | ---- | M] () -- E:\windows\System32\perfc009.dat [2013/01/22 07:09:00 | 000,000,884 | ---- | M] () -- E:\windows\tasks\Adobe Flash Player Updater.job [2013/01/22 07:07:13 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe [2013/01/22 07:07:12 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe [2013/01/22 07:07:01 | 4187,361,279 | -HS- | M] () -- E:\hiberfil.sys [2013/01/22 07:05:21 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) 
-- E:\ProgramData\phxzbypky.exe [2013/01/21 13:29:51 | 000,000,830 | ---- | M] () -- E:\windows\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job ========== Files Created - No Company Name ========== [2012/09/03 03:23:36 | 000,274,256 | ---- | C] () -- E:\windows\hpwins05.dat [2012/09/03 03:23:36 | 000,003,111 | ---- | C] () -- E:\windows\hpwmdl05.dat [2012/09/03 02:09:05 | 001,590,378 | ---- | C] () -- E:\windows\SysWow64\PerfStringBackup.INI [2012/03/02 09:17:08 | 000,307,200 | ---- | C] () -- E:\windows\SetDisplayResolution.exe [2012/03/02 08:30:00 | 000,001,340 | ---- | C] () -- E:\windows\HotFixList.ini [2012/02/05 21:29:35 | 000,734,772 | ---- | C] () -- E:\windows\SysWow64\igkrng700.bin [2012/02/05 21:29:30 | 000,557,476 | ---- | C] () -- E:\windows\SysWow64\igfcg700m.bin [2012/02/05 21:29:27 | 000,058,880 | ---- | C] () -- E:\windows\SysWow64\igdde32.dll [2012/02/05 21:29:25 | 012,978,688 | ---- | C] () -- E:\windows\SysWow64\ig7icd32.dll [2012/02/02 08:08:26 | 000,001,536 | ---- | C] () -- E:\windows\SysWow64\IusEventLog.dll [2010/11/20 22:24:49 | 000,252,928 | ---- | C] () -- E:\windows\SysWow64\DShowRdpFilter.dll [2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- E:\windows\bootstat.dat [2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- E:\windows\SysWow64\NOISE.DAT [2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- E:\windows\SysWow64\dssec.dat [2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- E:\windows\mib.bin [2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- E:\windows\SysWow64\BWContextHandler.dll [2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- E:\windows\SysWow64\ir32_32.dll [2009/07/13 16:59:36 | 000,982,196 | ---- | C] () -- E:\windows\SysWow64\igkrng500.bin [2009/07/13 16:59:36 | 000,139,824 | ---- | C] () -- E:\windows\SysWow64\igfcg500.bin [2009/07/13 16:59:36 | 000,097,448 | ---- | C] () -- E:\windows\SysWow64\igfcg500m.bin [2009/07/13 16:59:35 | 000,417,344 | ---- | C] () -- 
E:\windows\SysWow64\igcompkrng500.bin [2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- E:\windows\SysWow64\msjetoledb40.dll [2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- E:\windows\SysWow64\mlang.dat ========== LOP Check ========== [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites [2012/09/09 14:27:08 | 000,000,000 | ---D | M] -- E:\ProgramData\Installations [2012/09/09 14:34:01 | 000,000,000 | ---D | M] -- E:\ProgramData\PC Suite [2012/03/02 08:07:20 | 000,000,000 | ---D | M] -- E:\ProgramData\Roaming [2012/03/04 23:07:41 | 000,000,000 | ---D | M] -- E:\ProgramData\SAMSUNG [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu [2012/08/30 04:37:09 | 000,000,000 | ---D | M] -- E:\ProgramData\Synaptics [2012/03/02 09:19:07 | 000,000,000 | ---D | M] -- E:\ProgramData\Temp [2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates [2012/08/30 05:02:52 | 000,000,000 | ---D | M] -- E:\ProgramData\WildTangent [2012/03/05 18:11:47 | 000,000,000 | ---D | M] -- E:\ProgramData\WinClon [2012/03/02 08:21:16 | 000,000,000 | ---D | M] -- E:\ProgramData\Xerox PhotoCafe [2012/08/30 04:52:48 | 000,000,828 | ---- | M] () -- E:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job [2013/01/21 13:29:51 | 000,000,830 | ---- | M] () -- E:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job [2012/12/05 15:03:34 | 000,032,546 | ---- | M] () -- E:\windows\Tasks\SCHEDLGU.TXT [2013/01/22 07:17:00 | 000,000,328 | ---- | M] () -- E:\windows\Tasks\Xerox PhotoCafe Communicator.job ========== Purity Check ========== < End of report > Geändert von JeffreyG (22.01.2013 um 14:31 Uhr) |
22.01.2013, 14:32 | #2
/// Malware-holic | GVU Trojan with webcam, new? Hi,
If you obscured your user name in the log, adjust it in the script. On your second PC go to Start, Programs, Accessories, Notepad, and paste this in: Code:
:OTL
O4 - HKU\Besitzer_ON_E..\Run: [ieodjrzotp] E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe (BitTech Co. Ltd.)
O20:64bit: - HKLM Winlogon: Shell - (C:\ProgramData\phxzbypky) - E:\ProgramData\phxzbypky.exe (BitTech Co. Ltd.)
[2013/01/20 06:57:41 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe
:Files
E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe
:Commands
[EMPTYFLASH]
[emptytemp]
Save this on a USB stick as fix.txt. Now use OTLPENet.exe again (i.e. boot from the CD you created) and tick everything as already described in the post on OTLPENet.exe. • Now please click the Fix button. A message similar to "load fix from file" should appear; load the fix.txt from your stick. If that does not work, please enter the fix manually. Then click the Fix button again. The PC may restart. If so, remove the CD from the drive; Windows should now start normally and open the otl.txt. Please post the log. If you have no desktop icons, right-click, View, Show desktop icons. Note: please also upload the file to the UpChannel as described in the instructions there. Please do NOT post the ZIP file here as an attachment in the thread! Press the (Windows) + E key.
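Added example (my own code, not from the thread, from OTL or from OldTimer): a small Python triage that applies the two checks behind the fix above to OTL "O4" (Run key) and "O20" (Winlogon Shell) lines, a Run value launching from AppData/ProgramData and a Winlogon Shell that is not explorer.exe, and drafts a fix in the same :OTL / :Files / :Commands layout. The sample lines are constructed from the log in post #1; the regexes and function names are assumptions of this example.

```python
"""Triage OTL log lines for the autostart hijacks seen in this thread."""
import re
from dataclasses import dataclass

# Directories a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\")

# OTL prints "<path> (<Company>)"; the company may contain one nesting level, e.g. "Intel(R) Corporation".
PATH_COMPANY_RE = re.compile(r"^(?P<path>.*?)(?: \((?P<company>[^()]*(?:\([^()]*\)[^()]*)*)\))?$")
# O4 - <hive>..\Run: [<value name>] <path> (<Company>)
O4_RE = re.compile(r"^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# O20 - HKLM Winlogon: Shell - (<registry value>) - <resolved path> (<Company>)
O20_RE = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<rest>.*)$")


@dataclass
class Finding:
    line: str    # the original OTL line, reused verbatim under :OTL
    path: str    # the launched file as OTL resolved it
    reason: str


def split_path_company(rest):
    """Separate the file path from OTL's trailing '(Company)' block."""
    m = PATH_COMPANY_RE.match(rest)
    return m.group("path"), (m.group("company") or "")


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path, _ = split_path_company(m.group("rest"))
            if any(tag in path.lower() for tag in USER_WRITABLE):
                findings.append(Finding(line, path,
                    f"Run value '{m.group('name')}' launches from a user-writable directory"))
            continue
        m = O20_RE.match(line)
        if m:
            path, _ = split_path_company(m.group("rest"))
            # A lock screen that replaces the shell is the classic GVU/ransomware pattern;
            # anything other than explorer.exe here deserves a look.
            if m.group("value").lower() != "explorer.exe":
                findings.append(Finding(line, path,
                    f"Winlogon Shell replaced by '{m.group('value')}' (lock-screen pattern)"))
    return findings


def draft_otl_fix(findings, empty_temp=True):
    """Same layout the helper used: flagged lines under :OTL, their files under :Files."""
    out = [":OTL", *[f.line for f in findings]]
    out += [":Files", *sorted({f.path for f in findings})]
    if empty_temp:
        out += [":Commands", "[EMPTYTEMP]"]
    return "\n".join(out)


# Constructed sample built from post #1. Note the registry value says C:\ProgramData
# while OTL resolves it to E:\ because OTLPE was booted from CD and the system drive got letter E:.
SAMPLE_OTL_LINES = [
    r"O4 - HKLM..\Run: [avgnt] E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)",
    r"O4 - HKLM..\Run: [] File not found",
    r"O4 - HKU\Besitzer_ON_E..\Run: [ieodjrzotp] E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe (BitTech Co. Ltd.)",
    r"O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\windows\explorer.exe (Microsoft Corporation)",
    r"O20:64bit: - HKLM Winlogon: Shell - (C:\ProgramData\phxzbypky) - E:\ProgramData\phxzbypky.exe (BitTech Co. Ltd.)",
]

if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LINES)
    for f in found:
        print(f"{f.reason} -> {f.path}")
    print(draft_otl_fix(found))
```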
22.01.2013, 15:49 | #3
GVU Trojan with webcam, new? I inserted the fix.txt and clicked Fix ... since then everything works again ... :-)
Thanks. I just don't quite understand yet what you want with the txt now, or rather, is there anything else I have to do? Code:
========== OTL ==========
Registry key HKEY_USERS\Besitzer_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run not found.
E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\ProgramData\phxzbypky deleted successfully.
E:\ProgramData\phxzbypky.exe moved successfully.
E:\Users\Besitzer\AppData\Local\phxzbypky.exe moved successfully.
========== FILES ==========
File\Folder E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe not found.
========== COMMANDS ==========
[EMPTYFLASH]
User: All Users
User: Besitzer
User: Default
User: Default User
User: Public
User: UpdatusUser
Total Flash Files Cleaned = 0.00 mb
[EMPTYTEMP]
User: All Users
User: Besitzer
User: Default
User: Default User
User: Public
User: UpdatusUser
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 310898091 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
Total Files Cleaned = 297.00 mb
OTLPE by OldTimer - Version 3.1.48.0 log created on 01222013_151049
22.01.2013, 16:23 | #4
/// Malware-holic | GVU Trojan with webcam, new? Please read on, the upload is missing.
22.01.2013, 17:33 | #5
GVU Trojan with webcam, new? I have now uploaded it as described. I hope that is fine. Yes, it worked without problems. :-)
22.01.2013, 17:46 | #6
/// Malware-holic | GVU Trojan with webcam, new? Fine, thanks. Download TDSS Killer: http://www.trojaner-board.de/82358-t...entfernen.html Click on Change parameters • Tick Verify driver digital signatures and Detect TDLFS file system • Click OK and then Start scan - if anything is found, choose Skip for now, then post the log: open c:, open tdsskiller-date-version.txt, post the contents.