Pests of all kinds and their removal: GVU Trojan terminates Safe Mode (Windows 7)
#1
GVU Trojan terminates Safe Mode

Hello, I have now caught the Trojan as well. I can get neither into Safe Mode nor onto the normal Windows 7 desktop. I have already read through a bit here, but unfortunately without success so far. Here is my FRST log file:
```
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-07-2013 02
Ran by SYSTEM on 13-07-2013 12:05:37
Running from E:\
Windows 7 Professional (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet004

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM\...\Run: [Adobe ARM] - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [3524536 2012-07-16] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [EEventManager] - "C:\Program Files\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [TrojanScanner] - C:\Program Files\Trojan Remover\Trjscan.exe /boot [1247504 2012-09-14] (Simply Super Software)
HKLM\...\Run: [SunJavaUpdateSched] - "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] - "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized [685048 2012-08-03] (Cisco Systems, Inc.)
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
HKU\Imperator\...\Run: [KiesPreload] - C:\Program Files\Samsung\Kies\Kies.exe /preload [ 2012-07-16] (Samsung)
HKU\Imperator\...\Run: [KiesAirMessage] - C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup [x]
HKU\Imperator\...\Run: [Skype] - "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [ 2013-04-19] (Skype Technologies S.A.)
HKU\Imperator\...\Command Processor: "C:\Users\IMPERA~1\AppData\Local\Temp\ydkveiyjeavjlepgv.exe" <===== ATTENTION!
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Launcher.lnk
ShortcutTarget: Launcher.lnk -> C:\Program Files\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Launcher.exe ()
Startup: C:\Users\Imperator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

========================== Services (Whitelisted) =================

S2 ALDITALKVerbindungsassistent_Service; C:\Program Files\ALDITALKVerbindungsassistent\ALDITALKVerbindungsassistent_Service.exe [343024 2012-08-13] ()
S2 EPSON_EB_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [153600 2009-09-14] (SEIKO EPSON CORPORATION)
S2 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [121856 2009-09-14] (SEIKO EPSON CORPORATION)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [537592 2012-08-03] (Cisco Systems, Inc.)

==================== Drivers (Whitelisted) ====================

S3 acsock; C:\Windows\System32\DRIVERS\acsock.sys [87976 2012-08-03] (Cisco Systems, Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 jmopyvlk; \??\C:\Windows\system32\drivers\jmopyvlk.sys [x]
S1 jzoyioxf; \??\C:\Windows\system32\drivers\jzoyioxf.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-13 02:37 - 2013-07-13 12:48 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-07-13 00:32 - 2013-07-13 00:32 - 00000000 ____D C:\FRST
2013-07-13 00:13 - 2013-07-13 10:52 - 00008133 _____ C:\Windows\WindowsUpdate.log
2013-07-12 22:59 - 2013-07-13 10:52 - 00196608 _____ C:\Windows\System32\Ikeext.etl
2013-07-12 22:58 - 2013-07-13 10:49 - 00000560 _____ C:\Windows\setupact.log
2013-07-09 10:30 - 2013-07-09 10:30 - 00000000 ____D C:\Windows\System32\SPReview
2013-07-09 10:29 - 2013-07-09 10:29 - 00163072 _____ C:\Users\All Users\2433f433
2013-07-09 10:29 - 2013-07-09 10:29 - 00163054 _____ C:\Users\Imperator\AppData\Local\2433f433
2013-07-09 10:29 - 2013-07-09 10:29 - 00162998 _____ C:\Users\Imperator\AppData\Roaming\2433f433
2013-07-02 21:40 - 2013-07-02 21:40 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-27 10:29 - 2013-06-27 10:30 - 00000000 ____D C:\Users\Imperator\Desktop\keine angst vor röntgenbildern
2013-06-22 08:10 - 2013-06-02 16:21 - 73381792 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-20 21:17 - 2013-07-13 10:49 - 00000437 _____ C:\Windows\System32\Drivers\etc\hosts.ics

==================== One Month Modified Files and Folders =======

2013-07-13 12:48 - 2013-07-13 02:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-07-13 10:52 - 2013-07-13 00:13 - 00008133 _____ C:\Windows\WindowsUpdate.log
2013-07-13 10:52 - 2013-07-12 22:59 - 00196608 _____ C:\Windows\System32\Ikeext.etl
2013-07-13 10:52 - 2009-07-14 05:34 - 00013456 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-13 10:52 - 2009-07-14 05:34 - 00013456 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-13 10:49 - 2013-07-12 22:58 - 00000560 _____ C:\Windows\setupact.log
2013-07-13 10:49 - 2013-06-20 21:17 - 00000437 _____ C:\Windows\System32\Drivers\etc\hosts.ics
2013-07-13 01:00 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\tracing
2013-07-13 00:32 - 2013-07-13 00:32 - 00000000 ____D C:\FRST
2013-07-09 15:48 - 2012-08-06 20:47 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-09 10:30 - 2013-07-09 10:30 - 00000000 ____D C:\Windows\System32\SPReview
2013-07-09 10:29 - 2013-07-09 10:29 - 00163072 _____ C:\Users\All Users\2433f433
2013-07-09 10:29 - 2013-07-09 10:29 - 00163054 _____ C:\Users\Imperator\AppData\Local\2433f433
2013-07-09 10:29 - 2013-07-09 10:29 - 00162998 _____ C:\Users\Imperator\AppData\Roaming\2433f433
2013-07-09 10:14 - 2012-08-09 13:00 - 00000000 ____D C:\Users\Imperator\AppData\Roaming\Skype
2013-07-06 09:48 - 2012-08-09 12:46 - 00000000 ____D C:\Users\Imperator\AppData\Roaming\Dropbox
2013-07-02 21:40 - 2013-07-02 21:40 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-02 15:30 - 2012-05-01 14:05 - 00000000 ____D C:\Users\Imperator\Desktop\Sevilla
2013-07-02 08:36 - 2012-08-06 19:43 - 01498506 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-02 08:31 - 2012-08-09 12:53 - 00000000 ___RD C:\Users\Imperator\Dropbox
2013-06-27 10:30 - 2013-06-27 10:29 - 00000000 ____D C:\Users\Imperator\Desktop\keine angst vor röntgenbildern
2013-06-25 08:40 - 2009-07-14 03:37 - 00000000 __RHD C:\Users\Public\Libraries
2013-06-24 22:47 - 2012-08-13 16:29 - 00000000 ____D C:\Users\Imperator\AppData\Roaming\ALDITALKVerbindungsassistent
2013-06-23 16:18 - 2013-01-05 20:48 - 00010348 _____ C:\Users\Imperator\Desktop\Spielzeugausgaben2013.xlsx
2013-06-13 12:29 - 2012-12-25 16:11 - 00000000 ____D C:\Users\All Users\Microsoft Help

Files to move or delete:
====================
C:\ProgramData\7909034.pad

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys [2012-12-12 14:48] - [2012-09-06 17:48] - 0245616 ____A (Microsoft Corporation) 59F06B4968E58BC83DFC56CA4517960E

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 4051.17 MB
Available physical RAM: 3569.32 MB
Total Pagefile: 4049.45 MB
Available Pagefile: 3577.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 1944.07 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:148.93 GB) (Free:16.98 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: () (Removable) (Total:3.73 GB) (Free:2.63 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: 98DEB064)
Partition 1: (Not Active) - (Size=125 MB) - (Type=DE)
Partition 2: (Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

LastRegBack: 2013-06-24 22:41

==================== End Of Log ============================
```