Plagegeister aller Art und deren Bekämpfung: Laptop infected by the GVU virus/trojan (Windows 7)
26.01.2013, 18:05 | #16
/// TB-Ausbilder | Laptop infected by the GVU virus/trojan

Reading material: Rootkit warning

Your computer has been infected with a special kind of malware that can hide itself from conventional virus scanners and from the operating system itself. In addition, such a pest usually also has backdoor functionality, i.e. it deliberately punches holes through all protective measures so that it can download further malicious code or forward the data it collects to the "bad guys". What does that mean for you now?

So let me know how you have decided.

Step 1: Fix with FRST
Step 2: Restart the computer.
Step 3: Scan with aswMBR
Step 4: Scan with the TDSS-Killer

Please read the following instructions carefully. We don't want to "fix" anything yet, we just want to see a scan report.
__________________
Digital privateers against malware! No help via PM!
26.01.2013, 18:37 | #17
| Laptop infected by the GVU virus/trojan

Well, I still can't boot my computer normally into Windows 7. I'm now going to work my way forward again with the boot disc until I get to the command prompt and can then run FRST from there.

However, I can't run steps 3 and 4 directly on the infected computer, because I can't start it. Can the two programs also be saved from the stick? I would really like to start the computer once more to save all important data. I'll probably format it and set it up again in the foreseeable future anyway. Using an infected system is no way to go on, after all. Is there any way to repair Windows so that I can boot it normally?
26.01.2013, 18:46 | #18
/// TB-Ausbilder | Laptop infected by the GVU virus/trojan

Has nothing changed since the 2nd fix with FRST? Actually everything should boot normally now ...
26.01.2013, 18:48 | #19
/// TB-Ausbilder | Laptop infected by the GVU virus/trojan

Please check whether you can boot into Safe Mode with Command Prompt.
26.01.2013, 20:09 | #20
| Laptop infected by the GVU virus/trojan

No, I can't. I can select it, and it then loads Windows files. Then the Windows troubleshooting screen appears again as above (by the way, that is an example image from Google). Then it hangs again and can't start.
26.01.2013, 21:33 | #21
/// TB-Ausbilder | Laptop infected by the GVU virus/trojan

I don't like that at all. Please create another logfile with FRST for me.
26.01.2013, 22:31 | #22
| Laptop infected by the GVU virus/trojan

Here is the new log file:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02
Ran by SYSTEM at 26-01-2013 22:18:35
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9955872 2010-01-12] (Realtek Semiconductor)
HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [649608 2010-04-13] (ELAN Microelectronic Corp.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4156 2010-04-16] ()
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe" [64048 2010-09-21] (VMware, Inc.)
HKLM-x32\...\Run: [ZoneAlarm Installer] "C:\Program Files (x86)\CheckPoint\Install\Launcher.exe" "C:\Program Files (x86)\CheckPoint\Install\Install.exe" /r download /c "C:\Program Files (x86)\CheckPoint\Install\Install.xml" /l /w [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-10-01] (Adobe Systems Inc.)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2010-01-22] (NEC Electronics Corporation)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [x]
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized [702024 2012-12-13] (Cisco Systems, Inc.)
HKU\Admin\...\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent [x]
HKU\Admin\...\Run: [GizmoDriveDelegate] "D:\Program Files (x86)\Gizmo\gizmo.exe" /RemountStartupImages [x]
HKU\Michael\...\Run: [GizmoDriveDelegate] "D:\Program Files (x86)\Gizmo\gizmo.exe" /RemountStartupImages [x]
HKU\Michael\...\Winlogon: [Shell] explorer.exe,C:\Users\Michael\AppData\Roaming\skype.dat [57344 2011-11-17] ()
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\Windows\system32\nvinitx.dll
Tcpip\..\Interfaces\{C19CEEFB-ABBA-4531-9DF6-634B51291FA8}: [NameServer]212.23.115.148 212.23.97.2
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\CineForm Status.lnk
ShortcutTarget: CineForm Status.lnk -> C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Gizmo.lnk
ShortcutTarget: Gizmo.lnk -> C:\Program Files (x86)\Gizmo\gizmo.exe (No File)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SRS Premium Sound.lnk
ShortcutTarget: SRS Premium Sound.lnk -> C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe (Acresso Software Inc.)

==================== Services (Whitelisted) ===================

2 ABBYY.Licensing.FineReader.Sprint.9.0; "C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe" -service [759048 2009-05-14] (ABBYY)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
2 HWDeviceService64.exe; "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service [346976 2011-03-14] ()
2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [246112 2012-10-17] ()
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 PanService; C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [625304 2012-09-28] (Pandora.TV)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [66872 2012-03-10] ()
2 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [993848 2011-04-19] (Secunia)
2 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [399416 2011-04-19] (Secunia)
2 vpnagent; "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe" [544840 2012-12-13] (Cisco Systems, Inc.)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 WajamUpdater; "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" [109064 2012-06-14] (Wajam)
2 BBDemon; "C:\Program Files\Dassault Systemes\B20\win_b64\code\bin\CATSysDemon.exe" -service [x]
2 Gizmo Central; C:\Program Files (x86)\Gizmo\gservice.exe [x]
3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Player\\" -s ufad-p2v.xml [x]

==================== Drivers (Whitelisted) =====================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [28504 2012-03-07] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [42328 2011-11-28] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
1 GizmoDrv; C:\Windows\System32\Drivers\GizmoDrv.sys [34704 2011-06-23] (Arainia Solutions LLC)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
1 LUMDriver; C:\Windows\System32\Drivers\LUMDriver.sys [24848 2008-01-02] (IBM)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13832 2010-04-16] ()
3 USBTINSP; C:\Windows\System32\DRIVERS\tinspusb.sys [142848 2012-08-22] (Texas Instruments)
3 vmkbd2; \??\C:\Windows\system32\drivers\VMkbd.sys [31792 2010-09-21] (VMware, Inc.)
2 vstor2-ws60; \??\C:\Program Files (x86)\VMware\VMware Player\vstor2-ws60.sys [32816 2010-08-19] (VMware, Inc.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1355.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Admin\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:14 - 2013-01-25 13:14 - 453636000 ____N C:\Windows\MEMORY.DMP
2013-01-25 13:14 - 2013-01-25 13:14 - 00288408 ____A C:\Windows\Minidump\012513-59186-01.dmp
2013-01-25 12:24 - 2013-01-25 13:57 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-23 21:12 - 2013-01-23 21:12 - 00000000 ____D C:\Users\Admin\AppData\Roaming\GoPro
2013-01-23 20:55 - 2013-01-25 13:13 - 00000000 ____A C:\Users\Michael\AppData\Roaming\skype.ini
2013-01-15 17:22 - 2013-01-20 23:02 - 00063488 ____A C:\Users\Michael\Desktop\Ausgaben-Schablone.XLS
2013-01-11 14:41 - 2013-01-11 14:42 - 00000000 ____D C:\Windows\rescache
2013-01-09 18:17 - 2013-01-09 18:18 - 00260054 ____A C:\Windows\msxml4-KB2758694-enu.LOG
2013-01-09 14:58 - 2012-12-07 14:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-01-09 14:58 - 2012-12-07 14:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-01-09 14:58 - 2012-12-07 13:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
2013-01-09 14:58 - 2012-12-07 13:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
2013-01-09 14:58 - 2012-12-07 12:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
2013-01-09 14:58 - 2012-11-22 06:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-01-09 14:58 - 2012-11-22 05:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2013-01-09 14:58 - 2012-11-20 06:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-09 14:58 - 2012-11-20 05:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-01-09 14:58 - 2012-11-09 06:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-09 14:58 - 2012-11-09 05:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-01-09 14:58 - 2012-11-01 06:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-09 14:58 - 2012-11-01 06:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-01-09 14:58 - 2012-11-01 05:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-01-09 14:58 - 2012-11-01 05:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-01-09 14:57 - 2012-11-30 06:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-01-09 14:57 - 2012-11-30 06:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-01-09 14:57 - 2012-11-30 06:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-01-09 14:57 - 2012-11-30 05:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-01-09 14:57 - 2012-11-30 05:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 04:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-01-09 14:57 - 2012-11-30 03:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-01-09 14:57 - 2012-11-30 03:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 00:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
2013-01-09 14:57 - 2012-11-30 00:15 - 00420064 ____A C:\Windows\System32\locale.nls
2013-01-09 14:57 - 2012-11-23 04:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-09 14:57 - 2012-11-23 04:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-04 22:42 - 2013-01-04 22:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2013-01-02 18:16 - 2013-01-02 19:33 - 00000000 ____D C:\Users\Admin\AppData\Roaming\DVDVideoSoft
2013-01-02 18:16 - 2013-01-02 18:16 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2013-01-01 13:25 - 2013-01-02 21:43 - 00001497 ____A C:\Users\Michael\Desktop\tomorrowland Musik.txt
2012-12-31 18:03 - 2012-12-31 18:04 - 00000171 ____A C:\Users\Michael\Desktop\premium accs.txt

==================== One Month Modified Files and Folders =======

2013-01-26 16:46 - 2013-01-26 16:46 - 00000000 ____D C:\FRST
2013-01-25 13:57 - 2013-01-25 12:24 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-25 13:57 - 2012-07-19 16:50 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-25 13:57 - 2011-06-08 14:57 - 01447777 ____A C:\Windows\WindowsUpdate.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1355.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Admin\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:51 - 2011-06-10 23:30 - 00001108 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-25 13:39 - 2009-07-14 05:45 - 00015328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-25 13:39 - 2009-07-14 05:45 - 00015328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-25 13:36 - 2009-07-14 18:58 - 00763496 ____A C:\Windows\System32\perfh007.dat
2013-01-25 13:36 - 2009-07-14 18:58 - 00171608 ____A C:\Windows\System32\perfc007.dat
2013-01-25 13:36 - 2009-07-14 06:13 - 01779394 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-25 13:31 - 2011-10-12 14:07 - 00000000 ____D C:\Users\All Users\VMware
2013-01-25 13:30 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-25 13:30 - 2009-07-14 05:51 - 00045629 ____A C:\Windows\setupact.log
2013-01-25 13:15 - 2012-04-25 09:50 - 00000542 ____A C:\Windows\Tasks\MATLAB R2012a Startup Accelerator.job
2013-01-25 13:14 - 2013-01-25 13:14 - 453636000 ____N C:\Windows\MEMORY.DMP
2013-01-25 13:14 - 2013-01-25 13:14 - 00288408 ____A C:\Windows\Minidump\012513-59186-01.dmp
2013-01-25 13:14 - 2011-09-30 13:36 - 00000000 ____D C:\Windows\Minidump
2013-01-25 13:13 - 2013-01-23 20:55 - 00000000 ____A C:\Users\Michael\AppData\Roaming\skype.ini
2013-01-25 13:13 - 2011-06-10 23:30 - 00001104 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-25 13:12 - 2011-09-15 09:14 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Dropbox
2013-01-23 21:34 - 2012-02-26 16:28 - 00000000 ____D C:\Users\All Users\Skype
2013-01-23 21:12 - 2013-01-23 21:12 - 00000000 ____D C:\Users\Admin\AppData\Roaming\GoPro
2013-01-23 21:07 - 2011-06-08 19:05 - 00118040 ____A C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2013-01-20 23:02 - 2013-01-15 17:22 - 00063488 ____A C:\Users\Michael\Desktop\Ausgaben-Schablone.XLS
2013-01-20 17:52 - 2011-09-08 20:28 - 00000000 ____D C:\Users\Michael\AppData\Roaming\MagicMaps
2013-01-20 16:30 - 2012-03-02 00:55 - 00000000 ____D C:\Users\Michael\AppData\Local\Captcha_Brotherhood
2013-01-16 22:40 - 2012-11-12 09:56 - 00037888 ____A C:\Users\Michael\Desktop\Notenschnitt.xls
2013-01-14 18:49 - 2011-06-08 15:13 - 00000000 ____D C:\users\Admin
2013-01-11 14:42 - 2013-01-11 14:41 - 00000000 ____D C:\Windows\rescache
2013-01-11 14:03 - 2009-07-14 05:45 - 00483560 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-09 18:29 - 2012-01-15 12:19 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-09 18:20 - 2011-06-08 22:53 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-01-09 18:18 - 2013-01-09 18:17 - 00260054 ____A C:\Windows\msxml4-KB2758694-enu.LOG
2013-01-09 14:58 - 2012-07-19 16:50 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-09 14:58 - 2012-07-19 16:50 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-08 15:51 - 2012-04-12 10:25 - 00000000 ____D C:\Program Files (x86)\Cisco
2013-01-08 15:51 - 2011-07-26 11:01 - 00000000 ____D C:\Users\All Users\Cisco
2013-01-04 22:42 - 2013-01-04 22:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2013-01-03 23:35 - 2011-06-08 18:45 - 00034056 ____A C:\Windows\PFRO.log
2013-01-02 23:05 - 2011-08-09 09:52 - 00000000 ____D C:\Users\Michael\AppData\Roaming\vlc
2013-01-02 21:43 - 2013-01-01 13:25 - 00001497 ____A C:\Users\Michael\Desktop\tomorrowland Musik.txt
2013-01-02 19:33 - 2013-01-02 18:16 - 00000000 ____D C:\Users\Admin\AppData\Roaming\DVDVideoSoft
2013-01-02 18:28 - 2011-07-24 20:44 - 00000000 ____D C:\Users\Michael\AppData\Roaming\DVDVideoSoft
2013-01-02 18:16 - 2013-01-02 18:16 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2012-12-31 18:04 - 2012-12-31 18:03 - 00000171 ____A C:\Users\Michael\Desktop\premium accs.txt

ZeroAccess: C:\$Recycle.Bin\S-1-5-21-3228746791-3087455342-158796021-1002\$452424e02373a955693cd772e55a7f03

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-23 21:33:57

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3884.41 MB
Available physical RAM: 3245.41 MB
Total Pagefile: 3882.61 MB
Available Pagefile: 3234.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:48.73 GB) (Free:3.38 GB) NTFS
2 Drive e: () (Fixed) (Total:416.93 GB) (Free:26.69 GB) NTFS
3 Drive f: (GRMCPRXFRER_DE_DVD) (CDROM) (Total:3.04 GB) (Free:0 GB) UDF
5 Drive h: (USB) (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Datenträger ###  Status         Größe    Frei     Dyn  GPT
  ---------------  -------------  -------  -------  ---  ---
  Datenträger 0    Online          465 GB      0 B
  Datenträger 1    Kein Medium       0 B      0 B
  Datenträger 2    Online         3835 MB      0 B

Partitions of Disk 0:
===============
Datenträger-ID: 4FB37A8E

  Partition ###  Typ               Größe    Offset
  -------------  ----------------  -------  -------
  Partition 1    Primär             100 MB  1024 KB
  Partition 2    Primär              48 GB   101 MB
  Partition 3    Primär             416 GB    48 GB

==================================================================================

Disk: 0
Partition 1
Typ : 07
Versteckt: Nein
Aktiv : Ja

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System-rese  NTFS   Partition    100 MB  Fehlerfre

=========================================================

Disk: 0
Partition 2
Typ : 07
Versteckt: Nein
Aktiv : Nein

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition     48 GB  Fehlerfre

=========================================================

Disk: 0
Partition 3
Typ : 07
Versteckt: Nein
Aktiv : Nein

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                NTFS   Partition    416 GB  Fehlerfre

=========================================================

Disk: 0
Partition 3
Typ : 07
Versteckt: Nein
Aktiv : Nein

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                NTFS   Partition    416 GB  Fehlerfre

=========================================================

Partitions of Disk 2:
===============
Datenträger-ID: 0DD3DFD6

  Partition ###  Typ               Größe    Offset
  -------------  ----------------  -------  -------
  Partition 1    Primär            3835 MB    31 KB

==================================================================================

Disk: 2
Partition 1
Typ : 0B
Versteckt: Nein
Aktiv : Ja

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H   USB          FAT32  Wechselmed  3835 MB  Fehlerfre

=========================================================

Disk: 2
Partition 1
Typ : 0B
Versteckt: Nein
Aktiv : Ja

  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     H   USB          FAT32  Wechselmed  3835 MB  Fehlerfre

=========================================================

Last Boot: 2013-01-14 00:25

==================== End Of Log =============================
26.01.2013, 22:55 | #23 |
/// TB-Ausbilder | It doesn't look as if you carried out step 1 from post #16 ... Or did you?
|
26.01.2013, 22:58 | #24 |
| No, I haven't done that yet. If you want, I can do it. |
26.01.2013, 23:02 | #25 |
/// TB-Ausbilder | That could be the reason why I'm writing you these instructions...
|
26.01.2013, 23:15 | #26 |
| Here is the fixlog.txt Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-26 23:11:49 Run:1
Running from H:\

==============================================

HKEY_USERS\Michael\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
C:\Users\Michael\AppData\Roaming\skype.dat moved successfully.
C:\$Recycle.Bin\S-1-5-21-3228746791-3087455342-158796021-1002 moved successfully.

==== End of Fixlog ====
|
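The two kinds of FRST output in this thread, the scan log posted earlier with its ZeroAccess, TDL4 and BCD markers and the fixlog above, are what the helper reads by eye. The following Python script is an added example, not part of the thread and not FRST's own code: it pulls the indicator lines out of a scan log, separates the results of the "Bamital & volsnap Check" block, parses a fixlog into the actions it took, and reports which findings are boot-level (the TDL4 and BCD entries) and therefore outside what a file-and-registry fix can address. The sample excerpts are constructed from the lines posted in this thread; the Winlogon\Shell pattern and the treatment of any verdict other than "MD5 is legit" as suspect are assumptions, not documented FRST output formats.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    category: str   # indicator class, see PATTERNS
    detail: str     # evidence taken from the matching log line
    line_no: int    # 1-based line number in the log

# Indicator lines as they appear in the FRST scan logs posted in this thread.
# First matching pattern wins, so specific ones precede the "<===== ATTENTION"
# catch-all. The Winlogon\Shell pattern is an assumption derived from the
# fixlog line, not a documented FRST output format.
PATTERNS = [
    ("zeroaccess_path", re.compile(r"^ZeroAccess:\s*(?P<detail>.+?)\s*$", re.I)),
    ("tdl4_bcd_entry", re.compile(r"^TDL4:\s*(?P<detail>\S+)", re.I)),
    ("bcd_custom_entry", re.compile(r"(?P<detail>ATTENTION: Malware custom entry on BCD on drive \w:)", re.I)),
    ("frst_attention", re.compile(r"^(?P<detail>.*?)\s*<=+\s*ATTENTION", re.I)),
    ("recyclebin_sid_drop", re.compile(r"(?P<detail>\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32})", re.I)),
    ("winlogon_shell", re.compile(r"(?P<detail>Winlogon\\+Shell\b.*)$", re.I)),
]

# Indicators that live in the boot chain (BCD/MBR) and are therefore outside
# what an FRST file-and-registry fix can remove.
BOOT_LEVEL = {"tdl4_bcd_entry", "bcd_custom_entry"}


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per scan-log line that matches an indicator pattern."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        for category, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(category, m.group("detail").strip(), line_no))
                break
    return findings


def boot_level_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that survive a file/registry fix and need an MBR/BCD tool."""
    return [f for f in findings if f.category in BOOT_LEVEL]


def md5_check(log_text: str) -> Dict[str, List[str]]:
    """Split the 'Bamital & volsnap Check' block into legit and suspect paths.
    Any verdict other than exactly 'MD5 is legit' counts as suspect (an
    assumption about how FRST words a failed check)."""
    result: Dict[str, List[str]] = {"legit": [], "suspect": []}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("===================="):      # section header
            in_block = "Bamital & volsnap Check" in line
        elif in_block and "=>" in line:
            path, _, verdict = line.partition("=>")
            key = "legit" if verdict.strip() == "MD5 is legit" else "suspect"
            result[key].append(path.strip())
    return result


FIXLOG_ACTION_RE = re.compile(r"^(?P<target>.+?)\s+(?P<action>Value deleted|moved)\s+successfully\.$")


def parse_fixlog(fixlog_text: str) -> List[Tuple[str, str]]:
    """Return (action, target) pairs for each successful action in a fixlog."""
    actions = []
    for raw in fixlog_text.splitlines():
        m = FIXLOG_ACTION_RE.match(raw.strip())
        if m:
            actions.append((m.group("action"), m.group("target")))
    return actions


# Constructed excerpt modelled on the scan log posted in this thread, not a full log.
SAMPLE_SCAN_LOG = "\n".join([
    r"==================== One Month Modified Files and Folders =======",
    r"2013-01-25 13:57 - 2013-01-25 12:24 - 00000000 ____D C:\Users\All Users\HitmanPro",
    r"ZeroAccess: C:\$Recycle.Bin\S-1-5-21-3228746791-3087455342-158796021-1002\$452424e02373a955693cd772e55a7f03",
    r"==================== Bamital & volsnap Check =================",
    r"C:\Windows\System32\winlogon.exe => MD5 is legit",
    r"C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit",
    r"TDL4: custom:26000022 <===== ATTENTION!",
    r"==================== EXE ASSOCIATION =====================",
    r"HKLM\...\.exe: exefile => OK",
    r"ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.",
])

# Constructed from the fixlog posted above.
SAMPLE_FIXLOG = "\n".join([
    r"Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013 02",
    "Running from H:\\",
    r"HKEY_USERS\Michael\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.",
    r"C:\Users\Michael\AppData\Roaming\skype.dat moved successfully.",
    r"C:\$Recycle.Bin\S-1-5-21-3228746791-3087455342-158796021-1002 moved successfully.",
    r"==== End of Fixlog ====",
])

if __name__ == "__main__":
    scan = triage(SAMPLE_SCAN_LOG)
    for f in scan:
        print(f"line {f.line_no:>3}  {f.category:<20} {f.detail}")
    print("boot-level, not reachable by a file/registry fix:", [f.category for f in boot_level_findings(scan)])
    print("MD5 check:", md5_check(SAMPLE_SCAN_LOG))
    print("fix actions:", parse_fixlog(SAMPLE_FIXLOG))
```

Run over the two scan logs in this thread, the ZeroAccess line is gone from the second log (the fix moved that folder), while the TDL4 and BCD findings are still present; boot_level_findings() makes that remainder explicit, and those are the entries in the boot chain that a file-and-registry fix cannot reach.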
27.01.2013, 09:47 | #27 |
/// TB-Ausbilder | Good. And did it get any further now?
|
27.01.2013, 10:12 | #28 |
| Well, I can start Windows neither in safe mode nor normally. Can I also run the other two tools from the USB stick via the command prompt? |
27.01.2013, 10:14 | #29 |
/// TB-Ausbilder | The idea of the FRST fix is that you can boot normally again. Please create another log file.
|
27.01.2013, 11:21 | #30 |
| Is there actually a way to copy the HitmanPro log file, which was created at the very beginning, to the stick? I think a boot file was destroyed there. I seem to remember that HitmanPro's list had a boot file at the top, then the Skype file and then 6 other files. Here is the Farbar log file: Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02
(ATTENTION: FRST version is 6 days old)
Ran by SYSTEM at 27-01-2013 11:15:32
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9955872 2010-01-12] (Realtek Semiconductor)
HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [649608 2010-04-13] (ELAN Microelectronic Corp.)
HKLM\...\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" [4156 2010-04-16] ()
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()
HKLM-x32\...\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe" [64048 2010-09-21] (VMware, Inc.)
HKLM-x32\...\Run: [ZoneAlarm Installer] "C:\Program Files (x86)\CheckPoint\Install\Launcher.exe" "C:\Program Files (x86)\CheckPoint\Install\Install.exe" /r download /c "C:\Program Files (x86)\CheckPoint\Install\Install.xml" /l /w [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640376 2008-10-01] (Adobe Systems Inc.)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2010-01-22] (NEC Electronics Corporation)
HKLM-x32\...\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" [x]
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized [702024 2012-12-13] (Cisco Systems, Inc.)
HKU\Admin\...\Run: [Steam] "D:\Program Files (x86)\Steam\Steam.exe" -silent [x]
HKU\Admin\...\Run: [GizmoDriveDelegate] "D:\Program Files (x86)\Gizmo\gizmo.exe" /RemountStartupImages [x]
HKU\Michael\...\Run: [GizmoDriveDelegate] "D:\Program Files (x86)\Gizmo\gizmo.exe" /RemountStartupImages [x]
HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: C:\Windows\system32\nvinitx.dll
Tcpip\..\Interfaces\{C19CEEFB-ABBA-4531-9DF6-634B51291FA8}: [NameServer]212.23.115.148 212.23.97.2
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\CineForm Status.lnk
ShortcutTarget: CineForm Status.lnk -> C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Gizmo.lnk
ShortcutTarget: Gizmo.lnk -> C:\Program Files (x86)\Gizmo\gizmo.exe (No File)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files (x86)\Secunia\PSI\psi_tray.exe (Secunia)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SRS Premium Sound.lnk
ShortcutTarget: SRS Premium Sound.lnk -> C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe (Acresso Software Inc.)

==================== Services (Whitelisted) ===================

2 ABBYY.Licensing.FineReader.Sprint.9.0; "C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe" -service [759048 2009-05-14] (ABBYY)
2 ATKGFNEXSrv; C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe [96896 2009-12-15] (ASUS)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)
2 HWDeviceService64.exe; "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service [346976 2011-03-14] ()
2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [246112 2012-10-17] ()
2 NetPipeActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 NetTcpActivator; "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" [116560 2009-06-10] (Microsoft Corporation)
2 PanService; C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [625304 2012-09-28] (Pandora.TV)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [66872 2012-03-10] ()
2 Secunia PSI Agent; "C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service [993848 2011-04-19] (Secunia)
2 Secunia Update Agent; "C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service [399416 2011-04-19] (Secunia)
2 vpnagent; "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe" [544840 2012-12-13] (Cisco Systems, Inc.)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 WajamUpdater; "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" [109064 2012-06-14] (Wajam)
2 BBDemon; "C:\Program Files\Dassault Systemes\B20\win_b64\code\bin\CATSysDemon.exe" -service [x]
2 Gizmo Central; C:\Program Files (x86)\Gizmo\gservice.exe [x]
3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Player\\" -s ufad-p2v.xml [x]

==================== Drivers (Whitelisted) =====================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)
1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [28504 2012-03-07] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [42328 2011-11-28] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)
1 GizmoDrv; C:\Windows\System32\Drivers\GizmoDrv.sys [34704 2011-06-23] (Arainia Solutions LLC)
3 kbfiltr; C:\Windows\System32\Drivers\kbfiltr.sys [15416 2009-07-20] ( )
1 LUMDriver; C:\Windows\System32\Drivers\LUMDriver.sys [24848 2008-01-02] (IBM)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13832 2010-04-16] ()
3 USBTINSP; C:\Windows\System32\DRIVERS\tinspusb.sys [142848 2012-08-22] (Texas Instruments)
3 vmkbd2; \??\C:\Windows\system32\drivers\VMkbd.sys [31792 2010-09-21] (VMware, Inc.)
2 vstor2-ws60; \??\C:\Program Files (x86)\VMware\VMware Player\vstor2-ws60.sys [32816 2010-08-19] (VMware, Inc.)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1355.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Admin\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:14 - 2013-01-25 13:14 - 453636000 ____N C:\Windows\MEMORY.DMP
2013-01-25 13:14 - 2013-01-25 13:14 - 00288408 ____A C:\Windows\Minidump\012513-59186-01.dmp
2013-01-25 12:24 - 2013-01-25 13:57 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-23 21:12 - 2013-01-23 21:12 - 00000000 ____D C:\Users\Admin\AppData\Roaming\GoPro
2013-01-23 20:55 - 2013-01-25 13:13 - 00000000 ____A C:\Users\Michael\AppData\Roaming\skype.ini
2013-01-15 17:22 - 2013-01-20 23:02 - 00063488 ____A C:\Users\Michael\Desktop\Ausgaben-Schablone.XLS
2013-01-11 14:41 - 2013-01-11 14:42 - 00000000 ____D C:\Windows\rescache
2013-01-09 18:17 - 2013-01-09 18:18 - 00260054 ____A C:\Windows\msxml4-KB2758694-enu.LOG
2013-01-09 14:58 - 2012-12-07 14:20 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\Wpc.dll
2013-01-09 14:58 - 2012-12-07 14:15 - 02746368 ____A (Microsoft Corporation) C:\Windows\System32\gameux.dll
2013-01-09 14:58 - 2012-12-07 13:26 - 00308736 ____A (Microsoft Corporation) C:\Windows\SysWOW64\Wpc.dll
2013-01-09 14:58 - 2012-12-07 13:20 - 02576384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gameux.dll
2013-01-09 14:58 - 2012-12-07 12:20 - 00045568 ____A (Microsoft) C:\Windows\System32\oflc-nz.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00044544 ____A (Microsoft) C:\Windows\System32\pegibbfc.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00043520 ____A (Microsoft) C:\Windows\System32\csrr.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00030720 ____A (Microsoft) C:\Windows\System32\usk.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00023552 ____A (Microsoft) C:\Windows\System32\oflc.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-pt.rs
2013-01-09 14:58 - 2012-12-07 12:20 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi-fi.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00055296 ____A (Microsoft) C:\Windows\System32\cero.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00051712 ____A (Microsoft) C:\Windows\System32\esrb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00046592 ____A (Microsoft) C:\Windows\System32\fpb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00040960 ____A (Microsoft) C:\Windows\System32\cob-au.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00021504 ____A (Microsoft) C:\Windows\System32\grb.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00020480 ____A (Microsoft) C:\Windows\System32\pegi.rs
2013-01-09 14:58 - 2012-12-07 12:19 - 00015360 ____A (Microsoft) C:\Windows\System32\djctq.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00055296 ____A (Microsoft) C:\Windows\SysWOW64\cero.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00051712 ____A (Microsoft) C:\Windows\SysWOW64\esrb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00046592 ____A (Microsoft) C:\Windows\SysWOW64\fpb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00045568 ____A (Microsoft) C:\Windows\SysWOW64\oflc-nz.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00044544 ____A (Microsoft) C:\Windows\SysWOW64\pegibbfc.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00043520 ____A (Microsoft) C:\Windows\SysWOW64\csrr.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00040960 ____A (Microsoft) C:\Windows\SysWOW64\cob-au.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00030720 ____A (Microsoft) C:\Windows\SysWOW64\usk.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00023552 ____A (Microsoft) C:\Windows\SysWOW64\oflc.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00021504 ____A (Microsoft) C:\Windows\SysWOW64\grb.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-pt.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi-fi.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00020480 ____A (Microsoft) C:\Windows\SysWOW64\pegi.rs
2013-01-09 14:58 - 2012-12-07 11:46 - 00015360 ____A (Microsoft) C:\Windows\SysWOW64\djctq.rs
2013-01-09 14:58 - 2012-11-22 06:44 - 00800768 ____A (Microsoft Corporation) C:\Windows\System32\usp10.dll
2013-01-09 14:58 - 2012-11-22 05:45 - 00626688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2013-01-09 14:58 - 2012-11-20 06:48 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2013-01-09 14:58 - 2012-11-20 05:51 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-01-09 14:58 - 2012-11-09 06:45 - 00750592 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-01-09 14:58 - 2012-11-09 05:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-01-09 14:58 - 2012-11-01 06:43 - 02002432 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2013-01-09 14:58 - 2012-11-01 06:43 - 01882624 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2013-01-09 14:58 - 2012-11-01 05:47 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2013-01-09 14:58 - 2012-11-01 05:47 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2013-01-09 14:57 - 2012-11-30 06:45 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2013-01-09 14:57 - 2012-11-30 06:43 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2013-01-09 14:57 - 2012-11-30 06:41 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2013-01-09 14:57 - 2012-11-30 06:41 - 00424448 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 06:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-01-09 14:57 - 2012-11-30 05:53 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-01-09 14:57 - 2012-11-30 05:53 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 05:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 04:23 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-01-09 14:57 - 2012-11-30 03:44 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-01-09 14:57 - 2012-11-30 03:44 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-01-09 14:57 - 2012-11-30 03:38 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 03:38 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-01-09 14:57 - 2012-11-30 00:17 - 00420064 ____A C:\Windows\SysWOW64\locale.nls
2013-01-09 14:57 - 2012-11-30 00:15 - 00420064 ____A C:\Windows\System32\locale.nls
2013-01-09 14:57 - 2012-11-23 04:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-09 14:57 - 2012-11-23 04:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-04 22:42 - 2013-01-04 22:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2013-01-02 18:16 - 2013-01-02 19:33 - 00000000 ____D C:\Users\Admin\AppData\Roaming\DVDVideoSoft
2013-01-02 18:16 - 2013-01-02 18:16 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2013-01-01 13:25 - 2013-01-02 21:43 - 00001497 ____A C:\Users\Michael\Desktop\tomorrowland Musik.txt
2012-12-31 18:03 - 2012-12-31 18:04 - 00000171 ____A C:\Users\Michael\Desktop\premium accs.txt

==================== One Month Modified Files and Folders =======

2013-01-26 16:46 - 2013-01-26 16:46 - 00000000 ____D C:\FRST
2013-01-25 13:57 - 2013-01-25 12:24 - 00000000 ____D C:\Users\All Users\HitmanPro
2013-01-25 13:57 - 2012-07-19 16:50 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-25 13:57 - 2011-06-08 14:57 - 01447777 ____A C:\Windows\WindowsUpdate.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Michael\Desktop\HitmanPro_20130125_1355.log
2013-01-25 13:56 - 2013-01-25 13:56 - 00022268 ____A C:\Users\Admin\Desktop\HitmanPro_20130125_1356.log
2013-01-25 13:51 - 2011-06-10 23:30 - 00001108 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-25 13:39 - 2009-07-14 05:45 - 00015328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-25 13:39 - 2009-07-14 05:45 - 00015328 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-25 13:36 - 2009-07-14 18:58 - 00763496 ____A C:\Windows\System32\perfh007.dat
2013-01-25 13:36 - 2009-07-14 18:58 - 00171608 ____A C:\Windows\System32\perfc007.dat
2013-01-25 13:36 - 2009-07-14 06:13 - 01779394 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-25 13:31 - 2011-10-12 14:07 - 00000000 ____D C:\Users\All Users\VMware
2013-01-25 13:30 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-25 13:30 - 2009-07-14 05:51 - 00045629 ____A C:\Windows\setupact.log
2013-01-25 13:15 - 2012-04-25 09:50 - 00000542 ____A C:\Windows\Tasks\MATLAB R2012a Startup Accelerator.job
2013-01-25 13:14 - 2013-01-25 13:14 - 453636000 ____N C:\Windows\MEMORY.DMP
2013-01-25 13:14 - 2013-01-25 13:14 - 00288408 ____A C:\Windows\Minidump\012513-59186-01.dmp
2013-01-25 13:14 - 2011-09-30 13:36 - 00000000 ____D C:\Windows\Minidump
2013-01-25 13:13 - 2013-01-23 20:55 - 00000000 ____A C:\Users\Michael\AppData\Roaming\skype.ini
2013-01-25 13:13 - 2011-06-10 23:30 - 00001104 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-25 13:12 - 2011-09-15 09:14 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Dropbox
2013-01-23 21:34 - 2012-02-26 16:28 - 00000000 ____D C:\Users\All Users\Skype
2013-01-23 21:12 - 2013-01-23 21:12 - 00000000 ____D C:\Users\Admin\AppData\Roaming\GoPro
2013-01-23 21:07 - 2011-06-08 19:05 - 00118040 ____A C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2013-01-20 23:02 - 2013-01-15 17:22 - 00063488 ____A C:\Users\Michael\Desktop\Ausgaben-Schablone.XLS
2013-01-20 17:52 - 2011-09-08 20:28 - 00000000 ____D C:\Users\Michael\AppData\Roaming\MagicMaps
2013-01-20 16:30 - 2012-03-02 00:55 - 00000000 ____D C:\Users\Michael\AppData\Local\Captcha_Brotherhood
2013-01-16 22:40 - 2012-11-12 09:56 - 00037888 ____A C:\Users\Michael\Desktop\Notenschnitt.xls
2013-01-14 18:49 - 2011-06-08 15:13 - 00000000 ____D C:\users\Admin
2013-01-11 14:42 - 2013-01-11 14:41 - 00000000 ____D C:\Windows\rescache
2013-01-11 14:03 - 2009-07-14 05:45 - 00483560 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-09 18:29 - 2012-01-15 12:19 - 00000000 ____D C:\Users\All Users\Microsoft Help
2013-01-09 18:20 - 2011-06-08 22:53 - 67599240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-01-09 18:18 - 2013-01-09 18:17 - 00260054 ____A C:\Windows\msxml4-KB2758694-enu.LOG
2013-01-09 14:58 - 2012-07-19 16:50 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-09 14:58 - 2012-07-19 16:50 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-08 15:51 - 2012-04-12 10:25 - 00000000 ____D C:\Program Files (x86)\Cisco
2013-01-08 15:51 - 2011-07-26 11:01 - 00000000 ____D C:\Users\All Users\Cisco
2013-01-04 22:42 - 2013-01-04 22:42 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2013-01-03 23:35 - 2011-06-08 18:45 - 00034056 ____A C:\Windows\PFRO.log
2013-01-02 23:05 - 2011-08-09 09:52 - 00000000 ____D C:\Users\Michael\AppData\Roaming\vlc
2013-01-02 21:43 - 2013-01-01 13:25 - 00001497 ____A C:\Users\Michael\Desktop\tomorrowland Musik.txt
2013-01-02 19:33 - 2013-01-02 18:16 - 00000000 ____D C:\Users\Admin\AppData\Roaming\DVDVideoSoft
2013-01-02 18:28 - 2011-07-24 20:44 - 00000000 ____D C:\Users\Michael\AppData\Roaming\DVDVideoSoft
2013-01-02 18:16 - 2013-01-02 18:16 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2012-12-31 18:04 - 2012-12-31 18:03 - 00000171 ____A C:\Users\Michael\Desktop\premium accs.txt

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-23 21:33:57

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3884.41 MB
Available physical RAM: 3252.8 MB
Total Pagefile: 3882.61 MB
Available Pagefile: 3243.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:48.73 GB) (Free:3.38 GB) NTFS
2 Drive e: () (Fixed) (Total:416.93 GB) (Free:26.69 GB) NTFS
3 Drive f: (GRMCPRXFRER_DE_DVD) (CDROM) (Total:3.04 GB) (Free:0 GB) UDF
5 Drive h: (USB) (Removable) (Total:3.74 GB) (Free:3.73 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          465 GB      0 B
  Disk 1    No Media          0 B      0 B
  Disk 2    Online         3835 MB      0 B

Partitions of Disk 0:
===============
Disk ID: 4FB37A8E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary             48 GB   101 MB
  Partition 3    Primary            416 GB    48 GB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System-rese  NTFS   Partition    100 MB  Healthy

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition     48 GB  Healthy

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E                NTFS   Partition    416 GB  Healthy

=========================================================

Partitions of Disk 2:
===============
Disk ID: 0DD3DFD6

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3835 MB    31 KB

==================================================================================

Disk: 2
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr
Bezeichnung DS Typ Gr”áe Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 5 H USB FAT32 Wechselmed 3835 MB Fehlerfre ========================================================= Disk: 2 Partition 1 Typ : 0B Versteckt: Nein Aktiv : Ja Volume ### Bst Bezeichnung DS Typ Gr”áe Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 5 H USB FAT32 Wechselmed 3835 MB Fehlerfre ========================================================= Last Boot: 2013-01-14 00:25 ==================== End Of Log ============================= |