Log analysis and evaluation: GVU trojan caught on a Windows 7 64-bit system

Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
GVU trojan caught on a Windows 7 64-bit system

Hello everyone, I have a computer here with the GVU trojan. Since the first step always seems to be the same, I ran frst64 and created the frst.txt file. It would be great if you could help me. Regards, Bozza

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-07-2013 01
Ran by SYSTEM on 23-07-2013 00:16:04
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [171520 2009-08-26] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPCam_Menu] - "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdatePRCShortCut] - "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-06-22] (EasyBits Software AS)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-03-23] (Hewlett-Packard Company)
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253672 2011-01-07] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [avgnt] - "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-24] (Apple Inc.)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default\...\Policies\system: [WallpaperStyle] 2
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User\...\Policies\system: [WallpaperStyle] 2
HKU\klaus\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1668664 2009-07-15] (Hewlett-Packard)
HKU\klaus\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\klaus\...\Run: [swg] - "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-12] (Google Inc.)
HKU\klaus\...\Run: [Remote Mouse] - C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe [872448 2011-12-07] ()
HKU\klaus\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\klaus\...\Run: [Userinit] - C:\Users\klaus\AppData\Roaming\appconf32.exe [x]
HKU\klaus\...\Run: [MyTomTomSA.exe] - "C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe" [436728 2012-09-10] (TomTom)
HKU\klaus\...\Run: [TomTomHOME.exe] - "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [248208 2013-03-21] (TomTom)
HKU\klaus\...\Policies\system: [WallpaperStyle] 2
HKU\klaus\...\Policies\system: [DisableLockWorkstation] 0
HKU\klaus\...\Policies\system: [DisableChangePassword] 0
HKU\klaus\...\Winlogon: [Shell] explorer.exe,C:\Users\klaus\AppData\Roaming\skype.dat <==== ATTENTION

==================== Services (Whitelisted) =================

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [x]

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-09-16] (Avira GmbH)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S4 eabfiltr;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-23 00:15 - 2013-07-23 00:15 - 00000000 ____D C:\FRST
2013-06-30 03:05 - 2013-07-22 14:02 - 00000004 _____ C:\Users\klaus\AppData\Roaming\skype.ini

==================== One Month Modified Files and Folders =======

2013-07-23 00:15 - 2013-07-23 00:15 - 00000000 ____D C:\FRST
2013-07-22 14:02 - 2013-06-30 03:05 - 00000004 _____ C:\Users\klaus\AppData\Roaming\skype.ini
2013-07-22 14:00 - 2012-09-20 13:59 - 00001104 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-22 14:00 - 2009-12-10 11:52 - 00000000 ____D C:\users\klaus
2013-07-22 13:59 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-22 13:59 - 2009-07-13 20:51 - 00988455 _____ C:\Windows\setupact.log
2013-07-21 17:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-21 06:21 - 2009-09-29 15:28 - 01286908 _____ C:\Windows\WindowsUpdate.log
2013-06-30 12:08 - 2012-09-20 13:59 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-30 12:07 - 2010-04-18 00:07 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{4AC032B7-827C-46D2-A436-2ACA09287214}
2013-06-30 11:38 - 2012-09-20 13:58 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-30 11:35 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-30 11:35 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-30 11:32 - 2009-08-26 11:46 - 00654400 _____ C:\Windows\System32\perfh007.dat
2013-06-30 11:32 - 2009-08-26 11:46 - 00130240 _____ C:\Windows\System32\perfc007.dat
2013-06-30 11:32 - 2009-07-13 21:13 - 01498742 _____ C:\Windows\System32\PerfStringBackup.INI
2013-06-30 06:41 - 2009-09-29 15:51 - 00228126 _____ C:\Windows\PFRO.log
2013-06-30 01:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

ZeroAccess:
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\@
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\L
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\U

Files to move or delete:
====================
C:\Users\klaus\AppData\Roaming\skype.dat
C:\Users\klaus\AppData\Roaming\skype.ini
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\ProgramData\e4vl.pad
C:\ProgramData\lv4e.dat

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-28 21:06:36
Restore point made on: 2013-06-12 23:23:10
Restore point made on: 2013-06-12 23:26:23
Restore point made on: 2013-06-12 23:48:59
Restore point made on: 2013-06-13 23:54:26
Restore point made on: 2013-06-19 02:08:49
Restore point made on: 2013-06-23 22:53:50
Restore point made on: 2013-06-30 00:26:51
Restore point made on: 2013-07-21 06:23:31

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 4092.2 MB
Available physical RAM: 3356.38 MB
Total Pagefile: 4090.35 MB
Available Pagefile: 3353.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:452.24 GB) (Free:336.31 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.23 GB) (Free:2.2 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)
Drive h: (USB DISK) (Removable) (Total:7.45 GB) (Free:7.1 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 32527F16)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)

LastRegBack: 2013-06-30 01:19

==================== End Of Log ============================