Log Analysis and Evaluation: GVU Trojan on Windows 8
02.07.2013, 15:05 | #1
GVU Trojan on Windows 8 Hello! A few days ago I caught a GVU trojan; my Asus Pro55s laptop is now running Windows 8, it was originally a Windows Vista machine. I am not very experienced yet, but I have read other, similar threads on fixing this problem. The PC still boots up to the login, but from then on the desktop is blocked. I have already scanned the infected machine with OTLPE and got a text file OTL.txt from it. Hoping for a happy ending for my laptop. Regards! Schmalle7
02.07.2013, 15:10 | #2
GVU Trojan on Windows 8 Here is the OTL.txt file
02.07.2013, 15:35 | #3
/// TB-Ausbilder | GVU Trojan on Windows 8 Hello, does the computer start normally again, without the lock screen, after the following fix?
Code:
:OTL
[2013/06/25 10:27:30 | 001,084,721 | ---- | C] () -- C:\Users\ciss\AppData\Local\2433f433
[2013/06/25 10:27:30 | 001,084,706 | ---- | C] () -- C:\Users\ciss\AppData\Roaming\2433f433
[2013/06/25 10:27:30 | 001,084,663 | ---- | C] () -- C:\ProgramData\2433f433
O20 - HKU\ciss_ON_C Winlogon: Shell - (cmd.exe) - C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\ciss_ON_C..\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\ciss\AppData\Local\Temp\fvvhqwfndmsivpqtd.exe (NVIDIA Corporation)
:files
C:\Users\ciss\AppData\Local\Temp\fvvhqwfndmsivpqtd.dll
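An added example, not part of this thread and not OTL's own code: a small Python triage script that parses OTL O4 (Run key) and O20 (Winlogon) lines in the layout used in the fix above and flags the indicators that fix removes, a Winlogon Shell that is not explorer.exe and a Run entry that launches a generated-looking executable out of a Temp folder. The two benign sample lines are constructed, and the vowel-ratio heuristic for generated names is an assumption of this example.

```python
"""Triage of OTL autostart lines for lockscreen-trojan indicators.

Added example; not part of the forum thread and not code from OTL.
It parses the O4 (Run key) and O20 (Winlogon) lines in the layout OTL
prints and flags what the helper's fix script removed in this thread.
"""
import ntpath
import re
from dataclasses import dataclass

# O4 - HKU\user..\Run: [ValueName] C:\path\file.exe (Company)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
# O20 - HKU\user Winlogon: Shell - (cmd.exe) - C:\path\cmd.exe (Company)
O20_RE = re.compile(
    r"^O20 - (?P<hive>.+?) Winlogon: (?P<value>\w+) - \((?P<shown>[^)]*)\) - (?P<rest>.+)$"
)
# Trailing "(Company)" that OTL appends after the file path; may be empty "()".
COMPANY_RE = re.compile(r"^(?P<path>.*?)\s*\((?P<company>[^()]*)\)\s*$")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
EXPECTED_SHELL = "explorer.exe"

# Constructed input: the two indicator lines from the fix script in post #3,
# plus two benign autostart entries (constructed) that must not be flagged.
SAMPLE_OTL_LOG = r"""
O20 - HKU\ciss_ON_C Winlogon: Shell - (cmd.exe) - C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\ciss_ON_C..\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\ciss\AppData\Local\Temp\fvvhqwfndmsivpqtd.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""


@dataclass(frozen=True)
class Finding:
    rule: str     # short rule id
    line: str     # the OTL line that triggered it
    detail: str   # human-readable reason


def split_company(rest: str) -> tuple[str, str]:
    """Split 'C:\\x\\y.exe (Vendor)' into (path, vendor); vendor may be ''."""
    m = COMPANY_RE.match(rest)
    if not m:
        return rest.strip(), ""
    return m["path"].strip(), m["company"].strip()


def looks_random(token: str) -> bool:
    """Heuristic (assumption of this example): a long lowercase alphanumeric
    token with digits mixed in, or with almost no vowels, looks generated."""
    if len(token) < 12 or not re.fullmatch(r"[a-z0-9]+", token):
        return False
    has_digit = any(c.isdigit() for c in token)
    vowel_ratio = sum(c in "aeiou" for c in token) / len(token)
    return has_digit or vowel_ratio < 0.25


def triage_otl(text: str) -> list[Finding]:
    """Return one Finding per rule hit, in the order the lines appear."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            path, _ = split_company(m["rest"])
            # Winlogon Shell must be explorer.exe; anything else hijacks the desktop.
            if m["value"].lower() == "shell" and ntpath.basename(path).lower() != EXPECTED_SHELL:
                findings.append(Finding("winlogon_shell_replaced", line,
                                        f"{m['hive']} Shell is {path}, expected {EXPECTED_SHELL}"))
        elif m := O4_RE.match(line):
            path, _company = split_company(m["rest"])
            if TEMP_DIR_RE.search(path):
                findings.append(Finding("run_from_temp", line,
                                        f"Run entry starts {path} from a Temp folder"))
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if looks_random(m["name"]) or looks_random(stem):
                findings.append(Finding("random_autostart_name", line,
                                        f"value '{m['name']}' / file '{stem}' look generated"))
    return findings


if __name__ == "__main__":
    for hit in triage_otl(SAMPLE_OTL_LOG):
        print(f"[{hit.rule}] {hit.detail}")
```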
02.07.2013, 20:57 | #4
GVU Trojan on Windows 8 Hi Leo! The screen looks like it did before again! Here is the text file as well: Code:
Error: Unable to interpret <:OTL [2013/06/25 10:27:30 | 001,084,721 | ---- | C] () -- C:\Users\ciss\AppData\Local\2433f433 [2013/06/25 10:27:30 | 001,084,706 | ---- | C] () -- C:\Users\ciss\AppData\Roaming\2433f433 [2013/06/25 10:27:30 | 001,084,663 | ---- | C] () -- C:\ProgramData\2433f433 O20 - HKU\ciss_ON_C Winlogon: Shell - (cmd.exe) - C:\WINDOWS\System32\cmd.exe (Microsoft Corporation) O4 - HKU\ciss_ON_C..\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\ciss\AppData\Local\Temp\fvvhqwfndmsivpqtd.exe (NVIDIA Corporation) :files C:\Users\ciss\AppData\Local\Temp\fvvhqwfndmsivpqtd.dll> in the current context!
OTLPE by OldTimer - Version 3.1.48.0 log created on 07032013_014021
Regards! Kevin
03.07.2013, 00:01 | #5
/// TB-Ausbilder | GVU Trojan on Windows 8 Hi Kevin, so the fix did not work at all! On your side the line breaks in the fix script apparently got lost.. Can you really start the computer normally again nonetheless?? If not, repeat the fix above (but this time make sure that each line of the fix is on its own line in the OTL text box as well). If yes, continue like this: Please download the version of Farbar Recovery Scan Tool (FRST) that matches your system (32-bit/64-bit) and save it to the desktop. (If you are not sure which one you need: Start -> Computer (right-click) -> Properties)
cheers, Leo
03.07.2013, 15:18 | #6
GVU Trojan on Windows 8 Hello Leo, the PC works normally, but here are the two text files: Thanks! Kevin
03.07.2013, 17:10 | #7
/// TB-Ausbilder | GVU Trojan on Windows 8 Hello Kevin, but there is still more wrong here.. Step 1: Scan with ComboFix
Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
Do not start any other file in this folder without instructions from a helper. Please post in your next reply:
cheers, Leo
03.07.2013, 20:06 | #8
GVU Trojan on Windows 8 Hi, here is the ComboFix text file first; I will do step 2 right away. Code:
ATTFilter ComboFix 13-07-03.01 - ciss 03.07.2013 20:47:35.1.2 - x86 Microsoft Windows 8 Pro 6.2.9200.0.1252.49.1031.18.3071.2051 [GMT 2:00] ausgeführt von:: c:\users\ciss\Desktop\ComboFix.exe AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\ciss\4.0 c:\users\ciss\Documents\Downloads\Integrated_CT2629906.exe . . ((((((((((((((((((((((( Dateien erstellt von 2013-06-03 bis 2013-07-03 )))))))))))))))))))))))))))))) . . 2013-07-03 18:54 . 2013-07-03 18:54 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-07-03 18:44 . 2013-07-03 18:44 29904 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2A9C1D57-52E8-4D8E-AD18-A3117009B37B}\MpKsl9bb92288.sys 2013-07-03 14:33 . 2013-07-03 14:33 243888 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10208.bin 2013-07-03 14:20 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2A9C1D57-52E8-4D8E-AD18-A3117009B37B}\mpengine.dll 2013-07-03 14:14 . 2013-07-03 14:14 -------- d-----w- C:\FRST 2013-07-03 05:40 . 2013-07-03 05:40 -------- d-----w- C:\_OTL 2013-06-12 15:51 . 2013-05-04 04:57 10788864 ----a-w- c:\windows\system32\Windows.UI.Xaml.dll 2013-06-10 12:16 . 2010-06-02 02:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll 2013-06-10 12:15 . 2008-05-30 12:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll 2013-06-09 19:39 . 2013-06-10 12:14 -------- d-----w- c:\programdata\WarThunder 2013-06-09 19:39 . 2013-06-09 19:39 -------- d-----w- c:\users\ciss\AppData\Local\WarThunder 2013-06-09 19:38 . 2013-06-09 19:38 -------- d-----w- c:\users\ciss\AppData\Local\Programs 2013-06-09 10:02 . 2013-06-09 10:10 -------- d-----w- c:\users\ciss\AppData\Local\Google 2013-06-09 10:01 . 
2013-06-09 10:02 -------- d-----w- c:\program files\Google . . . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-06-16 10:13 . 2013-02-01 15:00 50784 ----a-w- c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin 2013-06-10 15:00 . 2013-03-31 17:16 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin 2013-06-04 22:09 . 2012-07-26 06:55 78200 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-06-04 22:09 . 2012-07-26 06:55 693112 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-05-29 20:16 . 2012-07-26 06:53 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2013-05-02 15:28 . 2013-02-02 10:07 238872 ------w- c:\windows\system32\MpSigStub.exe 2013-04-16 01:15 . 2013-05-16 12:08 1229576 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys 2013-04-13 05:56 . 2013-05-16 12:08 444416 ----a-w- c:\windows\apppatch\AcSpecfc.dll 2013-04-08 23:44 . 2013-05-29 19:36 123880 ----a-w- c:\windows\system32\wscapi.dll 2013-04-08 23:39 . 2013-05-29 19:36 1476024 ----a-w- c:\windows\system32\ntdll.dll 2013-04-08 23:38 . 2013-05-29 19:36 248576 ----a-w- c:\windows\system32\kd_02_10ec.dll 2013-04-08 23:37 . 2013-05-29 19:36 426024 ----a-w- c:\windows\system32\AudioEng.dll 2013-04-08 23:37 . 2013-05-29 19:36 324368 ----a-w- c:\windows\system32\AudioSes.dll 2013-04-08 23:37 . 2013-05-29 19:36 207576 ----a-w- c:\windows\system32\audiodg.exe 2013-04-08 21:52 . 2013-05-29 19:36 302592 ----a-w- c:\windows\system32\SearchProtocolHost.exe 2013-04-08 21:52 . 2013-05-29 19:36 670208 ----a-w- c:\windows\system32\SearchIndexer.exe 2013-04-08 21:52 . 2013-05-29 19:36 614912 ----a-w- c:\windows\system32\RecoveryDrive.exe 2013-04-08 21:52 . 2013-05-29 19:36 171008 ----a-w- c:\windows\system32\SearchFilterHost.exe 2013-04-08 21:52 . 2013-05-29 19:36 106496 ----a-w- c:\windows\system32\Robocopy.exe 2013-04-08 21:52 . 
2013-05-29 19:36 300032 ----a-w- c:\windows\system32\conhost.exe 2013-04-08 21:52 . 2013-05-29 19:36 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll 2013-04-08 21:52 . 2013-05-29 19:36 393216 ----a-w- c:\windows\system32\wpncore.dll 2013-04-08 21:52 . 2013-05-29 19:36 77312 ----a-w- c:\windows\system32\wscsvc.dll 2013-04-08 21:51 . 2013-05-29 19:36 411136 ----a-w- c:\windows\system32\Windows.Networking.dll 2013-04-08 21:51 . 2013-05-29 19:36 268800 ----a-w- c:\windows\system32\Windows.Networking.BackgroundTransfer.dll 2013-04-08 21:51 . 2013-05-29 19:36 2767360 ----a-w- c:\windows\system32\tquery.dll 2013-04-08 21:51 . 2013-05-29 19:36 324096 ----a-w- c:\windows\system32\schannel.dll 2013-04-08 21:51 . 2013-05-29 19:36 942080 ----a-w- c:\windows\system32\schedsvc.dll 2013-04-08 21:51 . 2013-05-29 19:36 1593344 ----a-w- c:\windows\system32\mssrch.dll 2013-04-08 21:51 . 2013-05-29 19:36 403968 ----a-w- c:\windows\system32\mssph.dll 2013-04-08 21:51 . 2013-05-29 19:36 659456 ----a-w- c:\windows\system32\mssvp.dll 2013-04-08 21:51 . 2013-05-29 19:36 186880 ----a-w- c:\windows\system32\mssphtb.dll 2013-04-08 21:51 . 2013-05-29 19:36 35328 ----a-w- c:\windows\system32\mssprxy.dll 2013-04-08 21:51 . 2013-05-29 19:36 10752 ----a-w- c:\windows\system32\msshooks.dll 2013-04-08 21:51 . 2013-05-29 19:36 1113600 ----a-w- c:\windows\system32\MSAudDecMFT.dll 2013-04-08 21:51 . 2013-05-29 19:36 214528 ----a-w- c:\windows\system32\mfreadwrite.dll 2013-04-08 21:51 . 2013-05-29 19:36 361984 ----a-w- c:\windows\system32\MFMediaEngine.dll 2013-04-08 21:51 . 2013-05-29 19:36 656896 ----a-w- c:\windows\system32\kerberos.dll 2013-04-08 21:51 . 2013-05-29 19:36 201216 ----a-w- c:\windows\system32\iuilp.dll 2013-04-08 21:51 . 2013-05-29 19:36 181760 ----a-w- c:\windows\system32\fhengine.dll 2013-04-08 21:51 . 2013-05-29 19:36 239616 ----a-w- c:\windows\system32\fhcfg.dll 2013-04-08 21:51 . 2013-05-29 19:36 41984 ----a-w- c:\windows\system32\fmifs.dll 2013-04-08 21:51 . 
2013-05-29 19:36 100352 ----a-w- c:\windows\system32\EncDump.dll 2013-04-08 21:51 . 2013-05-29 19:36 139264 ----a-w- c:\windows\system32\dwmredir.dll 2013-04-08 21:51 . 2013-05-29 19:36 155648 ----a-w- c:\windows\system32\dmvdsitf.dll 2013-04-08 21:51 . 2013-05-29 19:36 598528 ----a-w- c:\windows\system32\audiosrv.dll 2013-04-08 21:51 . 2013-05-29 19:36 136704 ----a-w- c:\windows\system32\AudioEndpointBuilder.dll 2013-04-08 21:40 . 2013-05-29 19:36 3390464 ----a-w- c:\windows\system32\win32k.sys 2013-04-06 04:59 . 2013-05-29 19:36 81920 ----a-w- c:\windows\system32\drivers\hidbth.sys 2013-04-06 04:58 . 2013-05-29 19:36 48640 ----a-w- c:\windows\system32\drivers\ndproxy.sys 2013-04-06 04:57 . 2013-05-29 19:36 494592 ----a-w- c:\windows\system32\drivers\srv2.sys 2013-04-06 04:56 . 2013-05-29 19:36 709632 ----a-w- c:\windows\system32\drivers\PEAuth.sys 2013-04-06 04:55 . 2013-05-29 19:36 196096 ----a-w- c:\windows\system32\drivers\srvnet.sys 2013-04-06 04:55 . 2013-05-29 19:36 70656 ----a-w- c:\windows\system32\drivers\wanarp.sys 2013-04-04 22:07 . 2013-05-29 19:36 457624 ----a-w- c:\windows\system32\ci.dll . . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Facebook Update"="c:\users\ciss\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2013-02-27 138096] "Spotify"="c:\users\ciss\AppData\Roaming\Spotify\Spotify.exe" [2013-06-16 4643328] "Spotify Web Helper"="c:\users\ciss\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-06-16 1104384] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720] "MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2012-03-20 69632] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "EnableCursorSuppression"= 1 (0x1) "EnableUIADesktopToggle"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-03-16 102784] R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\System32\drivers\ew_usbenumfilter.sys [2012-03-16 11136] R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [2012-03-16 89856] R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\System32\drivers\ew_juextctrl.sys [2012-03-16 26624] R3 huawei_wwanecm;huawei_wwanecm;c:\windows\system32\DRIVERS\ew_juwwanecm.sys [2012-03-16 193536] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2012-09-10 18432] S1 MpKsl9bb92288;MpKsl9bb92288;c:\programdata\Microsoft\Windows Defender\Definition Updates\{2A9C1D57-52E8-4D8E-AD18-A3117009B37B}\MpKsl9bb92288.sys [2013-07-03 29904] S2 VmbService;Vodafone-Mobile-Broadband-Dienst;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2012-03-20 8704] S3 huawei_enumerator;huawei_enumerator;c:\windows\System32\drivers\ew_jubusenum.sys [2012-03-16 73984] S3 SiSGbeLH;NDIS 6.0-Treiber für SiS191/SiS190-Ethernet-Gerät;c:\windows\system32\DRIVERS\SiSGB6.sys [2012-06-02 48128] S3 
WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys [2012-07-26 155136] . . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] DcomLaunch REG_MULTI_SZ Power BrokerInfrastructure LSM PlugPlay DeviceInstall DcomLaunch LocalServiceAndNoImpersonation REG_MULTI_SZ TimeBroker SSDPSRV upnphost SCardSvr BthHFSrv QWAVE fdrespub wcncsvc WSService SensrSvc LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc NcdAutoSetup WwanSvc ICService REG_MULTI_SZ vmicheartbeat vmicrdv print REG_MULTI_SZ PrintNotify . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs wlidsvc SystemEventsBroker DsmSvc NcaSvc . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted svsvc AllUserInstallAgent fhsvc vmickvpexchange vmicshutdown vmicvss . . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService bthserv . HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted AppIDSvc wcmsvc vmictimesync . . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}] 2013-03-06 05:03 17561600 ----a-w- c:\windows\System32\shell32.dll . Inhalt des "geplante Tasks" Ordners . 2013-07-03 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2226582012-2746248457-2725141191-1000Core.job - c:\users\ciss\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-02-27 19:07] . 2013-07-03 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2226582012-2746248457-2725141191-1000UA.job - c:\users\ciss\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-02-27 19:07] . . ------- Zusätzlicher Suchlauf ------- . 
uStart Page = hxxp://www.google.de/ uDefault_Search_URL = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 TCP: DhcpNameServer = 192.168.2.1 . . --------------------- Gesperrte Registrierungsschluessel --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0002\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96d-e325-11ce-bfc1-08002be10318}\0003\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) @SACL=(02 0000) . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\DS\ObjectNames] @DACL=(02 0000) @SACL= "Directory Service Object"=dword:00001e00 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\LSA\ObjectNames] @DACL=(02 0000) @SACL= "UserAccountObject"=dword:00001630 "PolicyObject"=dword:00001600 "TrustedDomainObject"=dword:00001620 "AdtSecurity"=dword:00001f00 "SecretObject"=dword:00001610 . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\SC Manager\ObjectNames] @DACL=(02 0000) @SACL= "SERVICE Object"=dword:00001c10 "SC_MANAGER Object"=dword:00001c00 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Security\ObjectNames] @DACL=(02 0000) @SACL= "Device"=dword:00001100 "WindowStation"=dword:00001a00 "Section"=dword:000011a0 "Event"=dword:00001120 "Desktop"=dword:00001a10 "WaitablePort"=dword:00001170 "Directory"=dword:00001110 "Thread"=dword:000011d0 "EventPair"=dword:00001130 "NamedPipe"=dword:00001140 "Port"=dword:00001170 "File"=dword:00001140 "KeyedEvent"=dword:00001640 "Profile"=dword:00001190 "Channel"=dword:00001400 "WMI Namespace"=dword:00004200 "Timer"=dword:000011e0 "Token"=dword:000011f0 "Job"=dword:00001410 "IoCompletion"=dword:00001300 "Process"=dword:00001180 "Mutant"=dword:00001160 "Type"=dword:00001200 "Semaphore"=dword:000011b0 "ALPC Port"=dword:00001170 "SymbolicLink"=dword:000011c0 "MailSlot"=dword:00001140 "Key"=dword:00001150 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Security Account Manager\ObjectNames] @DACL=(02 0000) @SACL= "SAM_USER"=dword:00001540 "SAM_ALIAS"=dword:00001530 "SAM_GROUP"=dword:00001520 "SAM_DOMAIN"=dword:00001510 "SAM_SERVER"=dword:00001500 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\Spooler\ObjectNames] @DACL=(02 0000) @SACL= "Document"=dword:00001b20 "Server"=dword:00001b00 "Printer"=dword:00001b10 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\TCP/IP\ObjectNames] @DACL=(02 0000) @SACL= "InternetPort"=dword:00001f80 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\0\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\0\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\1\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\1\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\10\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\10\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\2\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\2\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\3\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\3\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\4\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\4\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\5\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\5\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\6\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\6\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\7\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\7\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\8\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\8\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\9\Ip] @DACL=(02 0000) "ProtocolId"=dword:00000021 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\Interfaces\9\Ipv6] @DACL=(02 0000) "ProtocolId"=dword:00000057 "InterfaceInfo"=hex:01,00,00,00,68,00,00,00,03,00,00,00,05,00,ff,ff,48,00,00, 00,00,00,00,00,40,00,00,00,04,00,ff,ff,04,00,00,00,01,00,00,00,40,00,00,00,\ . 
Zeit der Fertigstellung: 2013-07-03 20:57:35 ComboFix-quarantined-files.txt 2013-07-03 18:57 . Vor Suchlauf: 12 Verzeichnis(se), 49.082.888.192 Bytes frei Nach Suchlauf: 20 Verzeichnis(se), 48.999.485.440 Bytes frei . - - End Of File - - 4F8D90C45EAE33F3571639D9A0B57FF9 5C616939100B85E558DA92B899A0FC36
Kevin
04.07.2013, 12:41 | #9
/// TB-Ausbilder | GVU Trojan on Windows 8 OK, I am still waiting for step 2 (MBAR).
cheers, Leo
05.07.2013, 06:54 | #10
GVU Trojan on Windows 8 Hello Leo, the scans took a while. I had to run 3 scans because it found malware on the first and second scan. The third scan was clean. Here are the log files from the three scans: Scan 1: Code:
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
Database version: v2013.06.01.01
Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16599
ciss :: CISS-PC [administrator]
03.07.2013 21:13:48
mbar-log-2013-07-03 (21-13-48).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 208441
Time elapsed: 15 minute(s), 13 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
c:\Users\ciss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus (Rogue.AVASoftPAV) -> Delete on reboot.
Files Detected: 1
c:\Users\ciss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus\AVASoft Professional Antivirus.lnk (Rogue.AVASoftPAV) -> Delete on reboot.
Physical Sectors Detected: 0
(No malicious items detected)
(end)
Scan 2: Code:
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
Database version: v2013.06.01.01
Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16599
ciss :: CISS-PC [administrator]
04.07.2013 16:04:31
mbar-log-2013-07-04 (16-04-31).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 208485
Time elapsed: 18 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
c:\Users\ciss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus (Rogue.AVASoftPAV) -> Delete on reboot.
Files Detected: 2
c:\Users\ciss\AppData\Local\Temp\RKGcEr9.exe (Trojan.Ransom) -> Delete on reboot.
c:\Users\ciss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVASoft Professional Antivirus\AVASoft Professional Antivirus.lnk (Rogue.AVASoftPAV) -> Delete on reboot.
Physical Sectors Detected: 0
(No malicious items detected)
(end)
Scan 3: Code:
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
Database version: v2013.06.01.01
Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16599
ciss :: CISS-PC [administrator]
04.07.2013 17:48:34
mbar-log-2013-07-04 (17-48-34).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 208401
Time elapsed: 18 minute(s), 37 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)
Kevin
05.07.2013, 10:25 | #11
/// TB-Ausbilder | GVU Trojan on Windows 8 Hello Kevin, run FRST once more.
cheers, Leo
05.07.2013, 10:40 | #12
GVU Trojan on Windows 8 Hello Leo, here is the FRST log file: FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-07-2013 Ran by ciss (administrator) on 05-07-2013 11:37:13 Running from F:\Virusbekämpfung Microsoft Windows 8 Pro (X86) OS Language: German Standard Internet Explorer Version 10 Boot Mode: Normal ==================== Processes (Whitelisted) =================== (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Microsoft Corporation) C:\WINDOWS\system32\dashost.exe (Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe (Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe (Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe (Vodafone) C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Spotify Ltd) C:\Users\ciss\AppData\Roaming\Spotify\Spotify.exe (Microsoft Corporation) C:\WINDOWS\system32\printfilterpipelinesvc.exe (Farbar) F:\Virusbekämpfung\FRST 32bit.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.) HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.) HKLM\...\Run: [MobileBroadband] C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe /silent [69632 2012-03-20] (Vodafone) HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-15] (Apple Inc.) HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess HKCU\...\Run: [Facebook Update] "C:\Users\ciss\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-02-27] (Facebook Inc.) 
HKCU\...\Run: [Spotify] "C:\Users\ciss\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart [4640768 2013-07-05] (Spotify Ltd) HKCU\...\Run: [Spotify Web Helper] "C:\Users\ciss\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1104384 2013-07-05] (Spotify Ltd) MountPoints2: {0f0b6cb0-a04c-11e2-afef-00224351a70e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence MountPoints2: {0f0b6d04-a04c-11e2-afef-0023547f8d98} - "F:\setup_vmb_lite.exe" /checkApplicationPresence MountPoints2: {0f0b6e1a-a04c-11e2-afef-0023547f8d98} - "F:\setup_vmb_lite.exe" /checkApplicationPresence MountPoints2: {9f9ceab5-9df5-11e2-afee-0023547f8d98} - "F:\setup_vmb_lite.exe" /checkApplicationPresence MountPoints2: {9f9ceb83-9df5-11e2-afee-0023547f8d98} - "F:\setup_vmb_lite.exe" /checkApplicationPresence MountPoints2: {9f9cee66-9df5-11e2-afee-0023547f8d98} - "F:\setup_vmb_lite.exe" /checkApplicationPresence ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.de.msn.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.) 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 FireFox: ======== FF ProfilePath: C:\Users\ciss\AppData\Roaming\Mozilla\Firefox\Profiles\xvl5gdrk.default FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll () FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.) FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\ciss\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited) ========================== Services (Whitelisted) ================= R2 VmbService; C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [8704 2012-03-20] (Vodafone) R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13344 2013-01-29] (Microsoft Corporation) ==================== Drivers (Whitelisted) ==================== R3 athr; C:\Windows\system32\DRIVERS\athr.sys [2273280 2012-06-02] (Qualcomm Atheros Communications, Inc.) S3 huawei_cdcacm; C:\Windows\system32\DRIVERS\ew_jucdcacm.sys [89856 2012-03-16] (Huawei Technologies Co., Ltd.) S3 huawei_ext_ctrl; C:\Windows\System32\drivers\ew_juextctrl.sys [26624 2012-03-16] (Huawei Technologies Co., Ltd.) S3 huawei_wwanecm; C:\Windows\system32\DRIVERS\ew_juwwanecm.sys [193536 2012-03-16] (Huawei Technologies Co., Ltd.) 
R3 MTsensor; C:\Windows\System32\drivers\ATKACPI.sys [7680 2007-07-31] (ATK0100) R3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [155136 2012-07-26] (Microsoft Corporation) ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2013-07-03 21:13 - 2013-07-03 21:13 - 00000000 ____D C:\ProgramData\Malwarebytes 2013-07-03 21:12 - 2013-07-03 21:12 - 00000000 ____D C:\Users\ciss\Desktop\bar 2013-07-03 21:09 - 2013-07-03 20:42 - 13399154 ____A C:\Users\ciss\Desktop\mbar-1.06.0.1004.zip 2013-07-03 20:57 - 2013-07-03 20:57 - 00021756 ____A C:\ComboFix.txt 2013-07-03 20:44 - 2013-07-03 23:43 - 00000000 ____D C:\Windows\erdnt 2013-07-03 20:44 - 2013-07-03 20:57 - 00000000 ____D C:\Qoobox 2013-07-03 16:14 - 2013-07-03 16:14 - 00000000 ____D C:\FRST 2013-07-03 07:42 - 2013-07-03 07:42 - 00001380 ____A C:\Users\ciss\Desktop\07032013_014021.log 2013-07-03 07:40 - 2013-07-03 07:40 - 00000000 ____D C:\_OTL 2013-06-27 00:02 - 2013-07-03 00:54 - 00092052 ____A C:\OTL.Txt 2013-06-17 10:24 - 2013-06-17 10:24 - 00294264 ____A C:\Windows\System32\FNTCACHE.DAT 2013-06-12 17:52 - 2013-05-31 01:20 - 01011712 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll 2013-06-12 17:52 - 2013-05-24 01:27 - 01075200 ____A (Microsoft Corporation) C:\Windows\System32\gdi32.dll 2013-06-12 17:52 - 2013-05-16 00:37 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\UXInit.dll 2013-06-12 17:52 - 2013-05-16 00:36 - 14320640 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll 2013-06-12 17:52 - 2013-05-14 11:23 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2013-06-12 17:52 - 2013-05-04 07:45 - 05575424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe 2013-06-12 17:52 - 2013-04-29 00:31 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe 2013-06-12 17:52 - 2013-04-29 00:30 - 13760512 ____A (Microsoft Corporation) 
C:\Windows\System32\ieframe.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 01767936 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 01141248 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2013-06-12 17:52 - 2013-04-29 00:30 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2013-06-12 17:52 - 2013-04-24 01:13 - 01013248 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe 2013-06-12 17:52 - 2013-04-24 01:12 - 01569792 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll 2013-06-12 17:52 - 2013-04-24 01:12 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll 2013-06-12 17:52 - 2013-04-24 01:12 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll 2013-06-12 17:52 - 2013-04-03 01:37 - 00025088 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll 2013-06-12 17:51 - 2013-05-15 04:24 - 00793088 ____A (Microsoft Corporation) C:\Windows\System32\autochk.exe 2013-06-12 17:51 - 2013-05-15 04:24 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\untfs.dll 2013-06-12 17:51 - 2013-05-04 07:54 - 00103176 ____A (Microsoft Corporation) C:\Windows\System32\AuthHost.exe 2013-06-12 17:51 - 2013-05-04 07:37 - 00052056 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe 2013-06-12 17:51 - 2013-05-04 07:20 - 00362240 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\USBHUB3.SYS 2013-06-12 17:51 - 2013-05-04 07:20 - 00238336 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\spaceport.sys 2013-06-12 17:51 - 2013-05-04 07:20 - 00180488 ____A (Microsoft Corporation) 
C:\Windows\System32\Drivers\UCX01000.SYS 2013-06-12 17:51 - 2013-05-04 07:14 - 01801472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys 2013-06-12 17:51 - 2013-05-04 06:58 - 02561536 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 01555456 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 01150976 ____A (Microsoft Corporation) C:\Windows\System32\VSSVC.exe 2013-06-12 17:51 - 2013-05-04 06:58 - 00758784 ____A (Microsoft Corporation) C:\Windows\System32\Magnify.exe 2013-06-12 17:51 - 2013-05-04 06:58 - 00621056 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\WUSettingsProvider.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 00125952 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 00083968 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll 2013-06-12 17:51 - 2013-05-04 06:58 - 00034304 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe 2013-06-12 17:51 - 2013-05-04 06:57 - 10788864 ____A (Microsoft Corporation) C:\Windows\System32\Windows.UI.Xaml.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 08857088 ____A (Microsoft Corporation) C:\Windows\System32\twinui.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 01049600 ____A (Microsoft Corporation) C:\Windows\System32\sysmain.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00371200 ____A (Microsoft Corporation) C:\Windows\System32\netprofmsvc.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00303616 ____A (Microsoft Corporation) C:\Windows\System32\stobject.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\ubpm.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00151040 ____A (Microsoft Corporation) C:\Windows\System32\netplwiz.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00146944 ____A (Microsoft Corporation) 
C:\Windows\System32\storewuauth.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00115712 ____A (Microsoft Corporation) C:\Windows\System32\netprofm.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00073728 ____A (Microsoft Corporation) C:\Windows\System32\psmsrv.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00018432 ____A (Microsoft Corporation) C:\Windows\System32\npmproxy.dll 2013-06-12 17:51 - 2013-05-04 06:57 - 00014336 ____A (Microsoft Corporation) C:\Windows\System32\muifontsetup.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 02035712 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00975360 ____A (Microsoft Corporation) C:\Windows\System32\AppXDeploymentServer.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00582144 ____A (Microsoft Corporation) C:\Windows\System32\gpprefcl.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00554496 ____A (Microsoft Corporation) C:\Windows\System32\AppXDeploymentExtensions.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00449536 ____A (Microsoft Corporation) C:\Windows\System32\DevicePairing.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00411136 ____A (Microsoft Corporation) C:\Windows\System32\mfmp4srcsnk.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00309760 ____A (Microsoft Corporation) C:\Windows\System32\BCP47Langs.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00143360 ____A (Microsoft Corporation) C:\Windows\System32\bisrv.dll 2013-06-12 17:51 - 2013-05-04 06:56 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\biwinrt.dll 2013-06-12 17:51 - 2013-05-04 06:55 - 00389632 ____A (Microsoft Corporation) C:\Windows\System32\intl.cpl 2013-06-12 17:51 - 2013-05-04 06:10 - 00014848 ____A (Microsoft) C:\Windows\System32\rars.rs 2013-06-12 17:51 - 2013-05-04 06:08 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hidclass.sys 2013-06-12 17:51 - 2013-05-04 06:08 - 00019456 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hidusb.sys 2013-06-12 17:51 - 2013-05-04 06:06 - 00320512 ____A (Microsoft 
Corporation) C:\Windows\System32\Drivers\rdbss.sys 2013-06-12 17:51 - 2013-05-03 00:04 - 00386646 ____A C:\Windows\System32\ApnDatabase.xml 2013-06-12 17:51 - 2013-04-27 05:21 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll 2013-06-10 14:16 - 2010-06-02 04:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll 2013-06-10 14:16 - 2010-06-02 04:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll 2013-06-10 14:16 - 2010-06-02 04:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll 2013-06-10 14:16 - 2010-05-26 11:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll 2013-06-10 14:16 - 2010-05-26 11:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll 2013-06-10 14:16 - 2010-05-26 11:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll 2013-06-10 14:16 - 2010-02-04 10:01 - 00528216 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_6.dll 2013-06-10 14:16 - 2010-02-04 10:01 - 00238936 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_6.dll 2013-06-10 14:16 - 2010-02-04 10:01 - 00074072 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_4.dll 2013-06-10 14:16 - 2010-02-04 10:01 - 00022360 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_7.dll 2013-06-10 14:16 - 2009-09-04 17:44 - 00515416 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_5.dll 2013-06-10 14:16 - 2009-09-04 17:44 - 00238936 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_5.dll 2013-06-10 14:16 - 2009-09-04 17:44 - 00069464 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_3.dll 2013-06-10 14:16 - 2009-09-04 17:29 - 05501792 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_42.dll 2013-06-10 14:16 - 2009-09-04 17:29 - 01974616 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_42.dll 2013-06-10 14:16 - 2009-09-04 17:29 - 00235344 ____A (Microsoft 
Corporation) C:\Windows\System32\d3dx11_42.dll 2013-06-10 14:16 - 2009-03-16 14:18 - 00517448 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_4.dll 2013-06-10 14:16 - 2009-03-16 14:18 - 00235352 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_4.dll 2013-06-10 14:16 - 2009-03-16 14:18 - 00022360 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_6.dll 2013-06-10 14:16 - 2009-03-09 15:27 - 04178264 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_41.dll 2013-06-10 14:16 - 2009-03-09 15:27 - 01846632 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_41.dll 2013-06-10 14:16 - 2009-03-09 15:27 - 00453456 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_41.dll 2013-06-10 14:16 - 2008-10-27 10:04 - 00514384 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_3.dll 2013-06-10 14:16 - 2008-10-27 10:04 - 00235856 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_3.dll 2013-06-10 14:16 - 2008-10-27 10:04 - 00070992 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_2.dll 2013-06-10 14:16 - 2008-10-27 10:04 - 00023376 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_5.dll 2013-06-10 14:16 - 2008-10-10 04:52 - 04379984 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_40.dll 2013-06-10 14:16 - 2008-10-10 04:52 - 02036576 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_40.dll 2013-06-10 14:16 - 2008-10-10 04:52 - 00452440 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_40.dll 2013-06-10 14:16 - 2008-07-31 10:41 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_2.dll 2013-06-10 14:16 - 2008-07-31 10:41 - 00068616 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_1.dll 2013-06-10 14:16 - 2008-07-31 10:40 - 00509448 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_2.dll 2013-06-10 14:16 - 2008-07-10 11:01 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_39.dll 2013-06-10 14:16 - 2008-07-10 11:00 - 
03851784 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_39.dll 2013-06-10 14:16 - 2008-07-10 11:00 - 01493528 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_39.dll 2013-06-10 14:16 - 2008-05-30 14:19 - 00507400 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_1.dll 2013-06-10 14:16 - 2008-05-30 14:18 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_1.dll 2013-06-10 14:16 - 2008-05-30 14:17 - 00065032 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_0.dll 2013-06-10 14:16 - 2008-05-30 14:17 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_4.dll 2013-06-10 14:16 - 2008-05-30 14:11 - 01491992 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_38.dll 2013-06-10 14:15 - 2008-05-30 14:11 - 03850760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_38.dll 2013-06-10 14:15 - 2008-05-30 14:11 - 00467984 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_38.dll 2013-06-10 14:15 - 2008-03-05 16:03 - 00479752 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_0.dll 2013-06-10 14:15 - 2008-03-05 16:03 - 00238088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_0.dll 2013-06-10 14:15 - 2008-03-05 16:00 - 00025608 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_3.dll 2013-06-10 14:15 - 2008-03-05 15:56 - 03786760 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_37.dll 2013-06-10 14:15 - 2008-03-05 15:56 - 01420824 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_37.dll 2013-06-10 14:15 - 2008-02-05 23:07 - 00462864 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_37.dll 2013-06-10 14:15 - 2007-10-22 03:39 - 00267272 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_10.dll 2013-06-10 14:15 - 2007-10-22 03:37 - 00017928 ____A (Microsoft Corporation) C:\Windows\System32\X3DAudio1_2.dll 2013-06-10 14:15 - 2007-10-12 15:14 - 03734536 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_36.dll 
2013-06-10 14:15 - 2007-10-12 15:14 - 01374232 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_36.dll 2013-06-10 14:15 - 2007-10-02 09:56 - 00444776 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_36.dll 2013-06-10 14:15 - 2007-07-20 00:57 - 00267112 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_9.dll 2013-06-10 14:15 - 2007-07-19 18:14 - 03727720 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_35.dll 2013-06-10 14:15 - 2007-07-19 18:14 - 01358192 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_35.dll 2013-06-10 14:15 - 2007-07-19 18:14 - 00444776 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_35.dll 2013-06-10 14:15 - 2007-06-20 20:46 - 00266088 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_8.dll 2013-06-10 14:15 - 2007-05-16 16:45 - 03497832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_34.dll 2013-06-10 14:15 - 2007-05-16 16:45 - 01124720 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_34.dll 2013-06-10 14:15 - 2007-05-16 16:45 - 00443752 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_34.dll 2013-06-10 14:15 - 2007-04-04 18:55 - 00261480 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_7.dll 2013-06-10 14:15 - 2007-03-15 16:57 - 00443752 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_33.dll 2013-06-10 14:15 - 2007-03-12 16:42 - 03495784 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_33.dll 2013-06-10 14:15 - 2007-03-12 16:42 - 01123696 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_33.dll 2013-06-10 14:15 - 2007-03-05 12:42 - 00015128 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_1.dll 2013-06-10 14:15 - 2007-01-24 15:27 - 00255848 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_6.dll 2013-06-10 14:15 - 2006-12-08 12:02 - 00251672 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_5.dll 2013-06-10 14:15 - 2006-11-29 13:06 - 03426072 ____A (Microsoft 
Corporation) C:\Windows\System32\d3dx9_32.dll 2013-06-10 14:15 - 2006-11-29 13:06 - 00440080 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10.dll 2013-06-10 14:15 - 2006-09-28 16:05 - 02414360 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_31.dll 2013-06-10 14:15 - 2006-09-28 16:05 - 00237848 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_4.dll 2013-06-10 14:15 - 2006-07-28 09:30 - 00236824 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_3.dll 2013-06-10 14:15 - 2006-07-28 09:30 - 00062744 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_2.dll 2013-06-10 14:15 - 2006-05-31 07:24 - 00230168 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_2.dll 2013-06-10 14:15 - 2006-03-31 12:40 - 02388176 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_30.dll 2013-06-10 14:15 - 2006-03-31 12:39 - 00229584 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_1.dll 2013-06-10 14:15 - 2006-03-31 12:39 - 00062672 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_1.dll 2013-06-10 14:15 - 2006-02-03 08:43 - 02332368 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_29.dll 2013-06-10 14:15 - 2006-02-03 08:42 - 00230096 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_0.dll 2013-06-10 14:15 - 2006-02-03 08:41 - 00014032 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_0.dll 2013-06-10 14:15 - 2005-12-05 18:09 - 02323664 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_28.dll 2013-06-10 14:15 - 2005-07-22 19:59 - 02319568 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_27.dll 2013-06-10 14:15 - 2005-05-26 15:34 - 02297552 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_26.dll 2013-06-10 14:15 - 2005-03-18 17:19 - 02337488 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_25.dll 2013-06-10 14:15 - 2005-02-05 19:45 - 02222800 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_24.dll 2013-06-10 14:13 - 2013-06-10 14:16 - 00000000 ____D 
C:\Windows\System32\directx 2013-06-10 14:13 - 2013-06-10 14:15 - 00000000 ___HD C:\Windows\msdownld.tmp 2013-06-09 21:39 - 2013-06-10 14:14 - 00000000 ____D C:\ProgramData\WarThunder 2013-06-09 21:39 - 2013-06-09 21:39 - 00000000 ____D C:\Users\ciss\Documents\My Games 2013-06-09 21:39 - 2013-06-09 21:39 - 00000000 ____D C:\Users\ciss\AppData\Local\WarThunder 2013-06-09 12:10 - 2013-06-09 12:10 - 00001075 ____A C:\Users\Public\Desktop\Picasa 3.lnk 2013-06-09 12:02 - 2013-06-09 12:10 - 00000000 ____D C:\Users\ciss\AppData\Local\Google 2013-06-09 12:01 - 2013-06-09 12:02 - 00000000 ____D C:\Program Files\Google ==================== One Month Modified Files and Folders ======== 2013-07-05 11:34 - 2013-05-16 14:05 - 00000000 ____D C:\Users\ciss\AppData\Roaming\Spotify 2013-07-05 11:33 - 2013-01-31 23:23 - 01745416 ____A C:\Windows\System32\PerfStringBackup.INI 2013-07-05 11:30 - 2013-01-31 23:21 - 01155796 ____A C:\Windows\WindowsUpdate.log 2013-07-05 11:22 - 2013-03-20 22:19 - 00000000 ____D C:\Users\ciss\Desktop\Flugvorbereitung & Infos 2013-07-05 11:19 - 2012-07-26 08:04 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2013-07-05 07:02 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\System32\sru 2013-07-05 05:12 - 2013-02-27 21:07 - 00000940 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2226582012-2746248457-2725141191-1000UA.job 2013-07-05 03:03 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\Microsoft.NET 2013-07-04 20:12 - 2013-02-27 21:07 - 00000918 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2226582012-2746248457-2725141191-1000Core.job 2013-07-04 17:45 - 2013-01-31 23:08 - 00004726 ____A C:\Windows\PFRO.log 2013-07-04 17:45 - 2012-07-26 06:17 - 00262144 __ASH C:\Windows\System32\config\BBI 2013-07-04 17:43 - 2012-07-26 10:45 - 00000000 ____D C:\Windows\SKB 2013-07-04 15:58 - 2013-01-31 23:13 - 00000000 ____D C:\users\ciss 2013-07-04 00:24 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\WinStore 2013-07-04 00:24 - 2012-07-26 08:53 - 00000000 ____D 
C:\Windows\System32\ras 2013-07-04 00:23 - 2012-07-26 08:53 - 00000000 ___RD C:\Windows\ImmersiveControlPanel 2013-07-04 00:23 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\System32\de-DE 2013-07-04 00:23 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\L2Schemas 2013-07-03 23:43 - 2013-07-03 20:44 - 00000000 ____D C:\Windows\erdnt 2013-07-03 23:22 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\registration 2013-07-03 22:53 - 2012-07-26 06:43 - 00000000 __RHD C:\users\Default 2013-07-03 21:13 - 2013-07-03 21:13 - 00000000 ____D C:\ProgramData\Malwarebytes 2013-07-03 21:12 - 2013-07-03 21:12 - 00000000 ____D C:\Users\ciss\Desktop\bar 2013-07-03 20:57 - 2013-07-03 20:57 - 00021756 ____A C:\ComboFix.txt 2013-07-03 20:57 - 2013-07-03 20:44 - 00000000 ____D C:\Qoobox 2013-07-03 20:42 - 2013-07-03 21:09 - 13399154 ____A C:\Users\ciss\Desktop\mbar-1.06.0.1004.zip 2013-07-03 16:14 - 2013-07-03 16:14 - 00000000 ____D C:\FRST 2013-07-03 15:19 - 2013-05-16 14:06 - 00000000 ____D C:\Users\ciss\AppData\Local\Spotify 2013-07-03 07:42 - 2013-07-03 07:42 - 00001380 ____A C:\Users\ciss\Desktop\07032013_014021.log 2013-07-03 07:40 - 2013-07-03 07:40 - 00000000 ____D C:\_OTL 2013-07-03 02:45 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\System32\LogFiles 2013-07-03 01:54 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\AUInstallAgent 2013-07-03 00:54 - 2013-06-27 00:02 - 00092052 ____A C:\OTL.Txt 2013-06-17 10:24 - 2013-06-17 10:24 - 00294264 ____A C:\Windows\System32\FNTCACHE.DAT 2013-06-16 13:15 - 2012-07-26 08:53 - 00000000 ____D C:\Windows\rescache 2013-06-16 12:47 - 2012-07-26 08:53 - 00000000 ___RD C:\Windows\ToastData 2013-06-16 12:47 - 2012-07-26 08:53 - 00000000 ____D C:\Program Files\Windows Photo Viewer 2013-06-16 12:47 - 2012-07-26 08:49 - 00000000 ____D C:\Windows\System32\DriverStore 2013-06-12 18:08 - 2013-02-02 12:12 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2013-06-11 16:28 - 2013-05-24 13:01 - 00000000 ____D C:\Users\ciss\Desktop\109_FUJI 
2013-06-11 16:23 - 2013-02-01 08:59 - 00013824 __ASH C:\Users\ciss\Desktop\Thumbs.db 2013-06-10 14:16 - 2013-06-10 14:13 - 00000000 ____D C:\Windows\System32\directx 2013-06-10 14:15 - 2013-06-10 14:13 - 00000000 ___HD C:\Windows\msdownld.tmp 2013-06-10 14:14 - 2013-06-09 21:39 - 00000000 ____D C:\ProgramData\WarThunder 2013-06-09 21:39 - 2013-06-09 21:39 - 00000000 ____D C:\Users\ciss\Documents\My Games 2013-06-09 21:39 - 2013-06-09 21:39 - 00000000 ____D C:\Users\ciss\AppData\Local\WarThunder 2013-06-09 21:39 - 2009-04-10 18:37 - 00000000 ____D C:\SPIELE 2013-06-09 12:10 - 2013-06-09 12:10 - 00001075 ____A C:\Users\Public\Desktop\Picasa 3.lnk 2013-06-09 12:10 - 2013-06-09 12:02 - 00000000 ____D C:\Users\ciss\AppData\Local\Google 2013-06-09 12:02 - 2013-06-09 12:01 - 00000000 ____D C:\Program Files\Google 2013-06-09 11:49 - 2012-12-26 21:50 - 00000000 ____D C:\Users\ciss\Desktop\unserekam 2013-06-09 11:46 - 2011-11-01 15:57 - 00000000 ____D C:\Users\ciss\Desktop\Iphone 2013-06-06 19:40 - 2013-05-02 15:18 - 00000000 ____D C:\Users\ciss\Desktop\107_FUJI 2013-06-05 00:09 - 2012-07-26 08:55 - 00693112 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe 2013-06-05 00:09 - 2012-07-26 08:55 - 00078200 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2013-07-02 22:07 ==================== End Of Log ============================
Best regards! Kevin
05.07.2013, 11:20 | #13
/// TB-Ausbilder | GVU Trojan on Windows 8
Hello Kevin, how is the computer running now?
Step 1
Press the Windows key + R and type "notepad" into the Run window. Now copy the following text from the code box into the empty text document:
Code:
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
Step 2
Please download Malwarebytes Anti-Malware
Step 3
ESET Online Scanner
Please post in your next reply:
__________________
cheers, Leo
05.07.2013, 20:17 | #14
GVU Trojan on Windows 8
Hello Leo, here are the log files from FRST, mbam and ESET:
FRST Fixlog:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-07-2013
Ran by ciss at 2013-07-05 12:49:19 Run:1
Running from C:\Users\ciss\Desktop
Boot Mode: Normal
==============================================
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
==== End of Fixlog ====
Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Datenbank Version: v2013.07.05.01
Windows 8 x86 NTFS
Internet Explorer 10.0.9200.16599
ciss :: CISS-PC [Administrator]
05.07.2013 14:49:30
mbam-log-2013-07-05 (14-49-30).txt
Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 202862
Laufzeit: 7 Minute(n), 42 Sekunde(n)
Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)
Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)
(Ende)
Code:
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=9ba3478f8171214aadb0d69f64375cb4
# engine=14283
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-07-05 06:17:11
# local_time=2013-07-05 08:17:11 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode=5893 16776573 100 94 25866 13637378 0 0
# scanned=213340
# found=3
# cleaned=0
# scan_time=10564
sh=3A2F16E5048EC47C0077ACA332D679FF155C4ECE ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.OTB trojan" ac=I fn="C:\Users\ciss\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\51275a4c-25b4d44a"
sh=D5873B3E76288567132798E7A554259CA9404D17 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.OTB trojan" ac=I fn="C:\Users\ciss\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\4226ce5-210d2064"
sh=B37CA21491CCA1532C0074D410D54498E42E7036 ft=1 fh=5e3cee8227fb261e vn="Win32/Corkow.J trojan" ac=I fn="C:\Users\ciss\AppData\Roaming\Microsoft Corporation\KBDramp.peg"
Kevin
05.07.2013, 21:52 | #15
/// TB-Ausbilder | GVU Trojan on Windows 8
Hello Kevin, let's continue:
Step 1
Download SystemLook (by jpshortstuff) and save the tool to the desktop.
Step 2
Download TFC (by Oldtimer) and save it to the desktop.
Step 3
Your Java is no longer up to date. Older versions contain security vulnerabilities that malware can abuse to infect a system via drive-by download. The current version is Java 7 Update 25.
So consider whether you really need a Java installation. If you want to keep using Java, then:
Step 4
Your Flash Player is outdated. Install the current version as follows:
Step 5
Run FRST once more.
Please post in your next reply:
__________________
cheers, Leo
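The following is an added example, not code from this thread, from Farbar or from ESET: it reads the ESET finding lines and the FRST "ATTENTION!" marker exactly as they were posted above, sorts the findings by where they sit on disk, and checks the Java plugin version from the FRST log against the Update 25 that Leo names. The location categories and the assumption that plugin version 10.U.x means Java 7 Update U are this example's own.

```python
import re

# Lines quoted from the ESET log in post #14, one record per line.
ESET_LOG = r"""
# scanned=213340
# found=3
# cleaned=0
sh=3A2F16E5048EC47C0077ACA332D679FF155C4ECE ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.OTB trojan" ac=I fn="C:\Users\ciss\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\51275a4c-25b4d44a"
sh=D5873B3E76288567132798E7A554259CA9404D17 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.OTB trojan" ac=I fn="C:\Users\ciss\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\4226ce5-210d2064"
sh=B37CA21491CCA1532C0074D410D54498E42E7036 ft=1 fh=5e3cee8227fb261e vn="Win32/Corkow.J trojan" ac=I fn="C:\Users\ciss\AppData\Roaming\Microsoft Corporation\KBDramp.peg"
"""

# Lines quoted from the FRST log in post #12.
FRST_LOG = r"""
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-15] (Apple Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
"""

# One ESET finding record: sh=<sha1> ft=<n> fh=<hex> vn="<verdict>" ac=<action> fn="<path>"
ESET_LINE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40})\s+ft=(?P<ft>\d+)\s+fh=(?P<fh>[0-9a-f]+)\s+'
    r'vn="(?P<name>[^"]*)"\s+ac=(?P<action>\w+)\s+fn="(?P<path>[^"]*)"\s*$')


def classify_path(path):
    """Location category for a flagged file (the categories are this example's own)."""
    p = path.lower()
    if r"\java\deployment\cache" in p:
        return "java-cache"      # applets cached by the browser plugin; matches the Java advice
    if r"\appdata\roaming" in p or r"\appdata\local" in p:
        return "user-appdata"    # a file dropped into a user-writable location
    if p.startswith(r"c:\windows"):
        return "system"
    return "other"


def parse_eset_header(text):
    """The '# key=value' header lines of an ESET Online Scanner log as a dict."""
    header = {}
    for line in text.splitlines():
        m = re.match(r'^#\s*(\w+)=(.*)$', line.strip())
        if m:
            header[m.group(1)] = m.group(2).strip()
    return header


def parse_eset_findings(text):
    """One dict per finding line, with the location category added."""
    findings = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["category"] = classify_path(rec["path"])
            findings.append(rec)
    return findings


def frst_alerts(text):
    """Lines FRST itself marked with 'ATTENTION!' (here the ZeroAccess CLSID hijack)."""
    return [ln.strip() for ln in text.splitlines() if "ATTENTION!" in ln]


JAVA_PLUGIN = re.compile(r'@java\.com/JavaPlugin,version=(\d+)\.(\d+)\.(\d+)')


def java_update_level(text):
    """Java 7 update number from the FRST 'FF Plugin' line. Assumption: plugin
    version 10.U.x corresponds to JRE 7 Update U, so 10.7.2 reads as 7u7."""
    m = JAVA_PLUGIN.search(text)
    if not m or m.group(1) != "10":
        return None
    return int(m.group(2))


def triage(eset_text, frst_text, current_java_update=25):
    """Summary of what the two logs say; 25 is the Java 7 update named in the thread."""
    header = parse_eset_header(eset_text)
    findings = parse_eset_findings(eset_text)
    java = java_update_level(frst_text)
    return {
        "eset_findings": findings,
        "eset_count_matches_header": int(header.get("found", -1)) == len(findings),
        "eset_cleaned": int(header.get("cleaned", 0)),   # 0 here: only reported, not removed
        "frst_alerts": frst_alerts(frst_text),
        "java_update": java,
        "java_outdated": java is not None and java < current_java_update,
    }


if __name__ == "__main__":
    report = triage(ESET_LOG, FRST_LOG)
    for f in report["eset_findings"]:
        print(f"{f['category']:<13} {f['name']:<45} {f['path']}")
    print("FRST alerts:", report["frst_alerts"])
    print("Java 7 Update", report["java_update"], "outdated:", report["java_outdated"])
```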