| |
| |||||||
Log-Analyse und Auswertung: Neuer GVU Trojaner mit Handschellen+ IP; rechts oben Deutschlandflagge; 100 € zur entsperrungWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
28.04.2013, 13:47
| #1 |
| |  Neuer GVU Trojaner mit Handschellen+ IP; rechts oben Deutschlandflagge; 100 € zur entsperrung Hey, habe mir heute einen echt miesen eingefangen. Habe schon 2 - 3 solche bka und scheiss Troanjer gehabt und konnte mir zum Glück selbst helfen, doch dieser is echt übel. Nur abgesicherter Modus mit eingabeaufforderung funktioniert. habe mit Farbar die TXT erstellt und poste sie als anhang. Danke für die hilfe im Vorfeld mfg Tigaaa Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-04-2013 01
Ran by SYSTEM on 28-04-2013 14:34:10
Running from F:\
Windows 7 Ultimate (X64) OS Language: German Standard
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe" [415816 2010-08-03] (Logitech Inc.)
HKLM\...\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2412616 2010-08-03] (Logitech Inc.)
HKLM\...\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE [4725320 2010-08-03] (Logitech Inc.)
HKLM-x32\...\Run: [Kone] "C:\Program Files (x86)\ROCCAT\Kone Mouse\KoneHID.EXE" [180224 2009-09-15] (ROCCAT)
HKLM-x32\...\Run: [DATAMNGR] C:\PROGRA~2\WI3C8A~1\Datamngr\DATAMN~1.EXE [1599376 2011-08-09] (Bandoo Media, inc)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-10] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1644680 2013-02-08] (Ask)
HKU\Mader\...\Run: [ISUSPM] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [x]
HKU\Mader\...\Winlogon: [Shell] explorer.exe,C:\Users\Mader\AppData\Roaming\skype.dat [121344 2009-07-14] () <==== ATTENTION
AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll [1791896 2011-08-09] (Bandoo Media, inc)
Startup: C:ProgramData\Start Menu\Programs\Startup\WISO Mein Steuer-Sparbuch heute.lnk
ShortcutTarget: WISO Mein Steuer-Sparbuch heute.lnk -> C:\Program Files (x86)\WISO\Steuersoftware 2013\mshaktuell.exe ()
==================== Services (Whitelisted) =================
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-10] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-10] (Avira Operations GmbH & Co. KG)
==================== Drivers (Whitelisted) ====================
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-10] (Avira GmbH)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-10] (Avira GmbH)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-10-11] (Avira GmbH)
S3 ewusbnet; C:\Windows\System32\DRIVERS\ewusbnet.sys [246224 2009-12-07] (Huawei Technologies Co., Ltd.)
S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
S3 KoneFltr; C:\Windows\System32\drivers\Kone.sys [15488 2008-12-11] (ROCCAT Ltd)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [113704 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [19496 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [152616 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [133160 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [34856 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [128552 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [145960 2008-10-21] (MCCI Corporation)
S3 usbet; C:\Windows\System32\DRIVERS\ETdrv.sys [182912 2010-04-29] (Etron)
S3 cpuz130; \??\C:\Users\Mader\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
S3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\safedrv.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2070-01-01 01:00 - 2070-01-01 01:00 - 00000000 ____D C:\Users\Mader\Desktop\WISO_ST2013
2013-04-28 18:09 - 2013-04-28 20:12 - 00064464 ____A C:\OTL.Txt
2013-04-28 14:33 - 2013-04-28 14:33 - 00000000 ____D C:\FRST
2013-04-28 09:49 - 2013-04-28 13:01 - 00000004 ____A C:\Users\Mader\AppData\Roaming\skype.ini
2013-04-13 01:26 - 2013-04-13 01:26 - 473721574 ____A C:\Windows\MEMORY.DMP
2013-04-13 01:26 - 2013-04-13 01:26 - 00291512 ____A C:\Windows\Minidump\041313-26364-01.dmp
2013-04-12 14:45 - 2013-04-12 14:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-05 11:21 - 2013-04-05 11:22 - 00000000 ____D C:\Users\Mader\Desktop\rezepte
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Users\Mader\AppData\Local\APN
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-03-29 13:24 - 2013-03-29 13:23 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-03-29 13:23 - 2013-03-29 13:23 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
==================== One Month Modified Files and Folders =======
2070-01-01 01:00 - 2070-01-01 01:00 - 00000000 ____D C:\Users\Mader\Desktop\WISO_ST2013
2013-04-28 20:12 - 2013-04-28 18:09 - 00064464 ____A C:\OTL.Txt
2013-04-28 18:04 - 2010-12-16 17:52 - 00000000 ____D C:\users\Mader
2013-04-28 14:33 - 2013-04-28 14:33 - 00000000 ____D C:\FRST
2013-04-28 14:18 - 2012-09-30 21:39 - 00000374 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-04-28 14:17 - 2012-11-04 01:00 - 00004654 ____A C:\Windows\setupact.log
2013-04-28 14:17 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-28 13:06 - 2009-07-14 18:58 - 00643628 ____A C:\Windows\System32\perfh007.dat
2013-04-28 13:06 - 2009-07-14 18:58 - 00126188 ____A C:\Windows\System32\perfc007.dat
2013-04-28 13:06 - 2009-07-14 06:13 - 01472002 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-28 13:01 - 2013-04-28 09:49 - 00000004 ____A C:\Users\Mader\AppData\Roaming\skype.ini
2013-04-28 12:42 - 2010-12-16 17:48 - 02075250 ____A C:\Windows\WindowsUpdate.log
2013-04-28 12:37 - 2012-09-15 03:19 - 00000884 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-04-28 12:25 - 2009-07-14 05:45 - 00016944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-04-28 12:25 - 2009-07-14 05:45 - 00016944 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-04-28 10:05 - 2011-07-24 16:30 - 00000000 ____D C:\Program Files (x86)\Steam
2013-04-28 03:11 - 2010-12-16 18:27 - 00000000 ____D C:\Users\Mader\AppData\Roaming\TS3Client
2013-04-20 18:44 - 2010-12-16 18:27 - 00000000 ____D C:\Program Files\TeamSpeak 3 Client
2013-04-19 17:03 - 2011-01-23 14:39 - 00000000 ____D C:\Users\Mader\Desktop\bild
2013-04-13 10:26 - 2012-08-03 00:01 - 00000000 ____D C:\Users\Mader\Desktop\Neuer Ordner (2)
2013-04-13 01:26 - 2013-04-13 01:26 - 473721574 ____A C:\Windows\MEMORY.DMP
2013-04-13 01:26 - 2013-04-13 01:26 - 00291512 ____A C:\Windows\Minidump\041313-26364-01.dmp
2013-04-13 01:26 - 2012-11-06 16:08 - 00006888 ____A C:\Windows\PFRO.log
2013-04-13 01:26 - 2012-05-05 11:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-04-13 01:26 - 2011-09-23 11:19 - 00000000 ____D C:\Windows\Minidump
2013-04-12 15:57 - 2012-11-15 19:47 - 00000192 ____A C:\Users\Mader\Desktop\bankwechsel.txt
2013-04-12 15:01 - 2013-03-08 17:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox.bak
2013-04-12 14:46 - 2013-04-12 14:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-04-05 11:22 - 2013-04-05 11:21 - 00000000 ____D C:\Users\Mader\Desktop\rezepte
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Users\Mader\AppData\Local\APN
2013-03-29 13:34 - 2013-03-29 13:34 - 00000000 ____D C:\Program Files (x86)\Ask.com
2013-03-29 13:23 - 2013-03-29 13:24 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-03-29 13:23 - 2013-03-29 13:23 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-03-29 13:23 - 2012-07-21 14:01 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-03-29 13:23 - 2011-11-26 13:26 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-03-29 13:23 - 2011-11-26 13:26 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-03-29 13:23 - 2011-01-11 01:50 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-03-29 13:23 - 2011-01-11 01:50 - 00000000 ____D C:\Program Files (x86)\Java
2013-03-29 11:26 - 2013-03-03 08:47 - 00052539 ____A C:\Windows\DirectX.log
2013-03-29 11:17 - 2010-12-16 18:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
Other Malware:
===========
C:\Users\Mader\AppData\Roaming\skype.dat
C:\Users\Mader\AppData\Roaming\skype.ini
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-04-05 23:00:12
Restore point made on: 2013-04-13 02:23:02
Restore point made on: 2013-04-20 02:44:21
Restore point made on: 2013-04-27 23:00:15
==================== Memory info ===========================
Percentage of memory in use: 15%
Total physical RAM: 4090.93 MB
Available physical RAM: 3476.72 MB
Total Pagefile: 4089.07 MB
Available Pagefile: 3463.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:465.66 GB) (Free:244.64 GB) NTFS (Disk=0 Partition=2)
Drive f: (HITMANPRO) (Removable) (Total:0.47 GB) (Free:0.47 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Datentr„ger ### Status Gr”áe Frei Dyn GPT
--------------- ------------- ------- ------- --- ---
Datentr„ger 0 Online 465 GB 0 B
Datentr„ger 1 Online 489 MB 0 B
Partitions of Disk 0:
===============
Datentr„ger-ID: 678B6837
Partition ### Typ GrӇe Offset
------------- ---------------- ------- -------
Partition 1 Prim„r 100 MB 1024 KB
Partition 2 Prim„r 465 GB 101 MB
==================================================================================
Disk: 0
Partition 1
Typ : 07
Versteckt: Nein
Aktiv : Ja
Volume ### Bst Bezeichnung DS Typ GrӇe Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System-rese NTFS Partition 100 MB Fehlerfre
=========================================================
Disk: 0
Partition 2
Typ : 07
Versteckt: Nein
Aktiv : Nein
Volume ### Bst Bezeichnung DS Typ GrӇe Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Fehlerfre
=========================================================
Partitions of Disk 1:
===============
Datentr„ger-ID: E2C54677
Partition ### Typ GrӇe Offset
------------- ---------------- ------- -------
Partition 1 Prim„r 486 MB 31 KB
==================================================================================
Disk: 1
Partition 1
Typ : 0B
Versteckt: Nein
Aktiv : Ja
Volume ### Bst Bezeichnung DS Typ GrӇe Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F HITMANPRO FAT32 Wechselmed 486 MB Fehlerfre
=========================================================
============================== MBR & Partition Table ==================
====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 678B6837)
Partition 1: (Active) - (Size=100 MB) - (Type=07) (NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07) (NTFS)
====================================================================
Disk: 1 (Size: 489 MB) (Disk ID: E2C54677)
Partition 1: (Active) - (Size=486 MB) - (Type=0B)
Last Boot: 2013-04-26 14:42
=====ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
|
| Themen zu Neuer GVU Trojaner mit Handschellen+ IP; rechts oben Deutschlandflagge; 100 € zur entsperrung |
| adobe, adobe flash player, antivir, association, avg, avira, bandoo, desktop, explorer, farbar, farbar recovery scan tool, flash player, frst.txt, handschellen, installation, launch, malware, minidump, mozilla, nur abgesicherter modus, opera, registry, scan, services.exe, software, svchost.exe, system, teamspeak, temp, trojaner, winlogon.exe, wiso |
Baum-Darstellung