Cyber Crime Investigation Virus Schweiz - kann mir jemand helfen bitte?

joel87 · 14.08.2013, 10:17

FRST Logfile:

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2013 01
Ran by SYSTEM on 13-08-2013 23:35:38
Running from L:\
Windows 7 Home Premium (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe [588648 2009-07-24] (Symantec Corporation)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe [202256 2010-05-16] (RealNetworks, Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-08-10] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421160 2010-09-01] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [246504 2010-01-11] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1391272 2012-01-03] (Ask)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Packard Bell\Screensaver\run_Packard Bell.exe [162336 2009-07-21] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Packard Bell\Screensaver\run_Packard Bell.exe [162336 2009-07-21] ()
HKU\Joël\...\Run: [Spotify Web Helper] - C:\Users\Joël\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [932528 2012-05-14] ()
HKU\Joël\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\JOL~1\AppData\Local\Temp\qwckjjlokdcqmsshh.exe [66560 2013-08-11] (Valve) <===== ATTENTION
HKU\Joël\...\Winlogon: [Shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION 
HKU\Joël\...\Command Processor: "C:\Users\JOL~1\AppData\Local\Temp\qwckjjlokdcqmsshh.exe" <===== ATTENTION!
HKU\UpdatusUser\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Packard Bell\Screensaver\run_Packard Bell.exe [162336 2009-07-21] ()

==================== Services (Whitelisted) =================

S2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [625184 2009-05-29] ()
S2 Greg_Service; C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe [1150496 2009-06-04] (Acer Incorporated)
S2 Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [117648 2011-09-21] (Symantec Corporation)
S2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [207904 2009-05-29] ()
S2 Updater Service; C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [240160 2009-07-03] (Acer)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx64; C:\Windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys [334384 2009-08-21] (Symantec Corporation)
S1 ccHP; C:\Windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys [561800 2011-10-11] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [475696 2010-01-24] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [475696 2010-01-24] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [132656 2010-01-24] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100310.001\IDSvia64.sys [466992 2009-10-28] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100310.001\IDSvia64.sys [466992 2009-10-28] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.003\ENG64.SYS [116272 2010-02-04] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.003\ENG64.SYS [116272 2010-02-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.003\EX64.SYS [1742896 2010-02-04] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100312.003\EX64.SYS [1742896 2010-02-04] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1008030.006\SRTSP64.SYS [476720 2009-08-21] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1008030.006\SRTSPX64.SYS [32304 2009-08-21] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NISx64\1008030.006\SYMEFA64.SYS [402992 2009-08-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-01-10] (Symantec Corporation)
S1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [31280 2009-08-21] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\NISx64\1008030.006\SYMTDI.SYS [279160 2011-09-21] (Symantec Corporation)
S3 SYMFW; \SystemRoot\System32\Drivers\NISx64\1008000.029\SYMFW.SYS [x]
S3 SYMNDISV; \SystemRoot\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-08-11 13:08 - 2013-08-11 13:08 - 00104573 _____ C:\Users\Joël\AppData\Roaming\2433f433
2013-08-11 13:08 - 2013-08-11 13:08 - 00104573 _____ C:\Users\Joël\AppData\Local\2433f433
2013-08-11 13:08 - 2013-08-11 13:08 - 00104546 _____ C:\ProgramData\2433f433
2013-08-05 20:53 - 2013-08-05 20:53 - 00000000 ____D C:\Windows\System32\MRT
2013-07-29 12:44 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-29 12:44 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-29 12:44 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-29 12:44 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-29 12:44 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-29 12:44 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-29 12:44 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-29 12:44 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-29 12:44 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-29 12:44 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-29 12:44 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-29 12:44 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-29 12:31 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-29 12:31 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-29 12:30 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-29 12:30 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-29 12:29 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-29 12:26 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-29 12:26 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll

==================== One Month Modified Files and Folders =======

2013-08-12 22:29 - 2009-10-16 22:10 - 00000000 ____D C:\ProgramData\NVIDIA
2013-08-12 22:29 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-12 22:29 - 2009-07-13 20:51 - 00115975 _____ C:\Windows\setupact.log
2013-08-12 13:58 - 2009-10-16 22:01 - 01229701 _____ C:\Windows\WindowsUpdate.log
2013-08-12 13:58 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-12 13:58 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-11 13:23 - 2009-07-13 21:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-08-11 13:08 - 2013-08-11 13:08 - 00104573 _____ C:\Users\Joël\AppData\Roaming\2433f433
2013-08-11 13:08 - 2013-08-11 13:08 - 00104573 _____ C:\Users\Joël\AppData\Local\2433f433
2013-08-11 13:08 - 2013-08-11 13:08 - 00104546 _____ C:\ProgramData\2433f433
2013-08-08 12:33 - 2012-04-22 11:09 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-05 20:54 - 2013-08-05 20:53 - 00000000 ____D C:\Windows\System32\MRT
2013-08-04 14:01 - 2012-10-15 10:03 - 00000000 ____D C:\ProgramData\CanonIJPLM
2013-08-04 11:26 - 2009-07-13 20:45 - 00351168 _____ C:\Windows\System32\FNTCACHE.DAT
2013-08-04 11:25 - 2013-03-17 15:10 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-08-04 11:25 - 2013-03-17 15:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-08-04 11:25 - 2009-07-13 23:45 - 00000000 ____D C:\Program Files\Windows Journal
2013-08-04 11:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-08-04 11:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-29 12:44 - 2009-08-14 16:33 - 00000000 ____D C:\ProgramData\Microsoft Help

Files to move or delete:
====================
C:\Users\JOL~1\AppData\Local\Temp\qwckjjlokdcqmsshh.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-28 16:41:28
Restore point made on: 2013-06-03 11:02:11
Restore point made on: 2013-06-03 13:40:33
Restore point made on: 2013-06-03 13:42:13
Restore point made on: 2013-06-08 14:18:04
Restore point made on: 2013-06-12 11:26:09
Restore point made on: 2013-06-12 13:30:29
Restore point made on: 2013-06-16 13:31:34
Restore point made on: 2013-06-16 14:41:42
Restore point made on: 2013-07-02 11:22:44
Restore point made on: 2013-07-05 12:03:09
Restore point made on: 2013-07-29 12:25:27
Restore point made on: 2013-07-29 12:42:02
Restore point made on: 2013-08-04 11:34:49
Restore point made on: 2013-08-05 20:52:49
Restore point made on: 2013-08-11 12:51:39

==================== Memory info =========================== 

Percentage of memory in use: 16%
Total physical RAM: 4095.24 MB
Available physical RAM: 3437.69 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3436.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (Packard Bell) (Fixed) (Total:457.95 GB) (Free:388.15 GB) NTFS (Disk=0 Partition=3)
Drive e: (DATA) (Fixed) (Total:458.46 GB) (Free:458.16 GB) NTFS (Disk=0 Partition=4)
Drive f: (PQSERVICE) (Fixed) (Total:15 GB) (Free:5.85 GB) NTFS (Disk=0 Partition=1)
Drive g: (KRD10) (CDROM) (Total:0.26 GB) (Free:0 GB) CDFS
Drive l: () (Removable) (Total:0.98 GB) (Free:0.91 GB) FAT (Disk=5 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: CF41A627)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=458 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=458 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 1000 MB) (Disk ID: 91F72D24)
Partition 1: (Active) - (Size=1000 MB) - (Type=06)


LastRegBack: 2013-06-03 11:18

==================== End Of Log ============================

--- --- ---

--- --- ---

Cyber Crime Investigation Virus Schweiz - kann mir jemand helfen bitte?

Log-Analyse und Auswertung: Cyber Crime Investigation Virus Schweiz - kann mir jemand helfen bitte?

Cyber Crime Investigation Virus Schweiz - kann mir jemand helfen bitte?

Ähnliche Themen: Cyber Crime Investigation Virus Schweiz - kann mir jemand helfen bitte?