GVU Trojaner auf Windows 7 64Bit Sytem eingefangen

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-07-2013 01
Ran by SYSTEM on 23-07-2013 00:16:04
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1815848 2009-07-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM\...\Run: [SmartMenu] - C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [171520 2009-08-26] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] - "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-07-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPCam_Menu] - "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [UpdatePRCShortCut] - "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2011-01-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-06-22] (EasyBits Software AS)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [WirelessAssistant] - C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-03-23] (Hewlett-Packard Company)
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253672 2011-01-07] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [avgnt] - "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348664 2012-08-08] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-24] (Apple Inc.)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default\...\Policies\system: [WallpaperStyle] 2
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User\...\Policies\system: [WallpaperStyle] 2
HKU\klaus\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW [1668664 2009-07-15] (Hewlett-Packard)
HKU\klaus\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\klaus\...\Run: [swg] - "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-12-12] (Google Inc.)
HKU\klaus\...\Run: [Remote Mouse] - C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe [872448 2011-12-07] ()
HKU\klaus\...\Run: [MobileDocuments] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
HKU\klaus\...\Run: [Userinit] - C:\Users\klaus\AppData\Roaming\appconf32.exe [x]
HKU\klaus\...\Run: [MyTomTomSA.exe] - "C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe" [436728 2012-09-10] (TomTom)
HKU\klaus\...\Run: [TomTomHOME.exe] - "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [248208 2013-03-21] (TomTom)
HKU\klaus\...\Policies\system: [WallpaperStyle] 2
HKU\klaus\...\Policies\system: [DisableLockWorkstation] 0
HKU\klaus\...\Policies\system: [DisableChangePassword] 0
HKU\klaus\...\Winlogon: [Shell] explorer.exe,C:\Users\klaus\AppData\Roaming\skype.dat <==== ATTENTION 

==================== Services (Whitelisted) =================

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [86224 2012-05-08] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [110032 2012-05-08] (Avira Operations GmbH & Co. KG)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [x]

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [98848 2012-05-08] (Avira GmbH)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132832 2012-05-08] (Avira GmbH)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [27760 2011-09-16] (Avira GmbH)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S4 eabfiltr; 

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-23 00:15 - 2013-07-23 00:15 - 00000000 ____D C:\FRST
2013-06-30 03:05 - 2013-07-22 14:02 - 00000004 _____ C:\Users\klaus\AppData\Roaming\skype.ini

==================== One Month Modified Files and Folders =======

2013-07-23 00:15 - 2013-07-23 00:15 - 00000000 ____D C:\FRST
2013-07-22 14:02 - 2013-06-30 03:05 - 00000004 _____ C:\Users\klaus\AppData\Roaming\skype.ini
2013-07-22 14:00 - 2012-09-20 13:59 - 00001104 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-22 14:00 - 2009-12-10 11:52 - 00000000 ____D C:\users\klaus
2013-07-22 13:59 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-22 13:59 - 2009-07-13 20:51 - 00988455 _____ C:\Windows\setupact.log
2013-07-21 17:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-21 06:21 - 2009-09-29 15:28 - 01286908 _____ C:\Windows\WindowsUpdate.log
2013-06-30 12:08 - 2012-09-20 13:59 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-30 12:07 - 2010-04-18 00:07 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{4AC032B7-827C-46D2-A436-2ACA09287214}
2013-06-30 11:38 - 2012-09-20 13:58 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-30 11:35 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-30 11:35 - 2009-07-13 20:45 - 00023248 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-30 11:32 - 2009-08-26 11:46 - 00654400 _____ C:\Windows\System32\perfh007.dat
2013-06-30 11:32 - 2009-08-26 11:46 - 00130240 _____ C:\Windows\System32\perfc007.dat
2013-06-30 11:32 - 2009-07-13 21:13 - 01498742 _____ C:\Windows\System32\PerfStringBackup.INI
2013-06-30 06:41 - 2009-09-29 15:51 - 00228126 _____ C:\Windows\PFRO.log
2013-06-30 01:31 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache

ZeroAccess:
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\@
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\L
C:\Users\klaus\AppData\Local\{ade2952b-2416-bc8d-8427-85532ef19a98}\U

Files to move or delete:
====================
C:\Users\klaus\AppData\Roaming\skype.dat
C:\Users\klaus\AppData\Roaming\skype.ini
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\ProgramData\e4vl.pad
C:\ProgramData\lv4e.dat

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-28 21:06:36
Restore point made on: 2013-06-12 23:23:10
Restore point made on: 2013-06-12 23:26:23
Restore point made on: 2013-06-12 23:48:59
Restore point made on: 2013-06-13 23:54:26
Restore point made on: 2013-06-19 02:08:49
Restore point made on: 2013-06-23 22:53:50
Restore point made on: 2013-06-30 00:26:51
Restore point made on: 2013-07-21 06:23:31

==================== Memory info =========================== 

Percentage of memory in use: 17%
Total physical RAM: 4092.2 MB
Available physical RAM: 3356.38 MB
Total Pagefile: 4090.35 MB
Available Pagefile: 3353.03 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:452.24 GB) (Free:336.31 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.23 GB) (Free:2.2 GB) NTFS (Disk=0 Partition=3) ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)
Drive h: (USB DISK) (Removable) (Total:7.45 GB) (Free:7.1 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 32527F16)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)


LastRegBack: 2013-06-30 01:19

==================== End Of Log ============================