Log analysis and evaluation: GVU Trojan - Win7 - no Safe Mode (Windows 7). If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
GVU Trojan - Win7 - no Safe Mode

Hello everyone,

my second PC (Win7 64-bit) has apparently caught the GVU (Bundestrojaner). Even when I try to start the computer in Safe Mode, it consistently shuts straight back down. Basically the same problem as here (http://www.trojaner-board.de/140714-...ne-runter.html).

As described in the other post from here, I have now started the computer in repair mode, run a scan with FRST64 and obtained the log file. Now I just don't know how to create a suitable fix file, or what needs to be in it.

Many thanks for your help!

edit: Sorry that I attached the file; I unfortunately discovered the Code function too late and don't know how to remove the attachment again.

FRST Logfile:
Code:
```text
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-09-2013
Ran by SYSTEM on MININT-CNUHD7I on 07-09-2013 12:15:29
Running from G:\
Windows 7 Home Premium (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [PC-Doctor for Windows localizer] - C:\Program Files\PC-Doctor for Windows\localizer.exe [95728 2009-09-16] (PC-Doctor, Inc.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [NoActiveDesktopChanges] 1
HKLM-x32\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] - C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] - c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Easybits Recovery] - C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe [60464 2009-09-02] (EasyBits Software AS)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [AVMWlanClient] - C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-21] (AVM Berlin)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1573584 2012-10-18] (Ask)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [347192 2013-08-20] (Avira Operations GmbH & Co. KG)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\UpdatusUser\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Wolle\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1685048 2009-09-29] (Hewlett-Packard)
HKU\Wolle\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3481408 2012-02-13] (DT Soft Ltd)
HKU\Wolle\...\Run: [NNdR26FL3S.exe] - C:\Users\Wolle\AppData\Local\qHpYczLSjZ\NNdR26FL3S.exe [123248 2013-09-06] (Microsoft Corporation)
HKU\Wolle\...\Command Processor: "C:\Users\Wolle\AppData\Local\qHpYczLSjZ\NNdR26FL3S.exe" <===== ATTENTION!
Startup: C:\Users\Wolle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3bnljw90.lnk
ShortcutTarget: 3bnljw90.lnk -> C:\PROGRA~3\09wjlnb3.plz ()

==================== Services (Whitelisted) =================
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [84024 2013-08-20] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-08-20] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [815160 2013-08-20] (Avira Operations GmbH & Co. KG)
S2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-21] (AVM Berlin)
S3 pla; C:\Windows\system32\pla.dll [0 2010-11-20] ()
S2 Winmgmt; C:\PROGRA~3\3bnljw90.pzz [58456 2013-09-06] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\3bnljw90.pzz [58456 2013-09-06] (Microsoft Corporation)
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [x]

==================== Drivers (Whitelisted) ====================
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [105344 2013-09-03] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132088 2013-08-20] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-03-27] (Avira Operations GmbH & Co. KG)
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-21] (AVM Berlin)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-04-01] (DT Soft Ltd)
S3 FWLANUSB; C:\Windows\System32\DRIVERS\fwlanusb.sys [460800 2010-10-21] (AVM GmbH)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\oQoNVO3Su
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\Users\Wolle\AppData\Local\QbvvW1f8N7j
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\ProgramData\OwUY0SoBl
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\5YT5VV2U5Q
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\Users\Wolle\AppData\Local\IccpBoL3
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\ProgramData\BMkxFQm3V
2013-09-06 13:14 - 2013-09-07 01:51 - 00000000 _____ C:\ProgramData\3bnljw90.ctrl
2013-09-06 13:14 - 2013-09-06 19:35 - 95025368 ____T C:\ProgramData\3bnljw90.pff
2013-09-06 13:14 - 2013-09-06 13:16 - 00000000 ____D C:\Users\Wolle\AppData\Local\qHpYczLSjZ
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\RCVArMUclt
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\Users\Wolle\AppData\Local\qoks3j3s
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\ProgramData\GdlfbmPH
2013-09-06 13:14 - 2013-09-06 13:14 - 00166912 _____ C:\ProgramData\09wjlnb3.plz
2013-09-06 13:14 - 2013-09-06 13:14 - 00058456 ____T (Microsoft Corporation) C:\ProgramData\3bnljw90.pzz
2013-08-29 20:15 - 2013-09-06 06:16 - 00000000 ____D C:\Users\Wolle\Desktop\Termine
2013-08-21 02:48 - 2013-08-21 02:48 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\Malwarebytes
2013-08-21 02:47 - 2013-08-21 02:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-21 02:46 - 2013-08-21 02:47 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Wolle\Downloads\mbam-setup-1.75.0.1300.exe
2013-08-20 06:25 - 2013-08-20 06:25 - 99508550 _____ C:\Windows\SysWOW64\ି鱛ᵌR
2013-08-08 19:55 - 2013-08-08 20:43 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\Autodesk

==================== One Month Modified Files and Folders =======
2013-09-07 02:11 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-07 02:11 - 2009-07-13 20:51 - 00099134 _____ C:\Windows\setupact.log
2013-09-07 02:08 - 2012-04-01 07:18 - 01581475 _____ C:\Windows\WindowsUpdate.log
2013-09-07 02:02 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-07 02:02 - 2009-07-13 20:45 - 00015568 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-07 01:51 - 2013-09-06 13:14 - 00000000 _____ C:\ProgramData\3bnljw90.ctrl
2013-09-07 01:51 - 2012-04-01 08:58 - 00001104 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-07 00:34 - 2012-04-01 08:58 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-07 00:09 - 2012-04-01 09:05 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-06 19:35 - 2013-09-06 13:14 - 95025368 ____T C:\ProgramData\3bnljw90.pff
2013-09-06 14:05 - 2010-01-06 17:28 - 00654006 _____ C:\Windows\System32\perfh007.dat
2013-09-06 14:05 - 2010-01-06 17:28 - 00129878 _____ C:\Windows\System32\perfc007.dat
2013-09-06 14:05 - 2009-07-13 21:13 - 01498506 _____ C:\Windows\System32\PerfStringBackup.INI
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\oQoNVO3Su
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\Users\Wolle\AppData\Local\QbvvW1f8N7j
2013-09-06 14:02 - 2013-09-06 14:02 - 00322560 _____ C:\ProgramData\OwUY0SoBl
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\5YT5VV2U5Q
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\Users\Wolle\AppData\Local\IccpBoL3
2013-09-06 13:46 - 2013-09-06 13:46 - 00322560 _____ C:\ProgramData\BMkxFQm3V
2013-09-06 13:16 - 2013-09-06 13:14 - 00000000 ____D C:\Users\Wolle\AppData\Local\qHpYczLSjZ
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\Users\Wolle\AppData\Roaming\RCVArMUclt
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\Users\Wolle\AppData\Local\qoks3j3s
2013-09-06 13:14 - 2013-09-06 13:14 - 00322560 _____ C:\ProgramData\GdlfbmPH
2013-09-06 13:14 - 2013-09-06 13:14 - 00166912 _____ C:\ProgramData\09wjlnb3.plz
2013-09-06 13:14 - 2013-09-06 13:14 - 00058456 ____T (Microsoft Corporation) C:\ProgramData\3bnljw90.pzz
2013-09-06 06:16 - 2013-08-29 20:15 - 00000000 ____D C:\Users\Wolle\Desktop\Termine
2013-09-06 06:10 - 2012-04-17 00:17 - 00000000 ____D C:\Users\Wolle\Desktop\extern Wolfgang bis 2012-11-25
2013-09-06 01:12 - 2012-04-04 21:34 - 00031760 _____ C:\Users\Wolle\AppData\Roaming\wklnhst.dat
2013-09-06 00:53 - 2013-05-19 00:33 - 00000000 ____D C:\Users\Wolle\Desktop\2€ Koffer
2013-09-03 22:16 - 2009-07-13 21:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-03 02:01 - 2013-03-27 19:47 - 00105344 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2013-09-02 20:50 - 2012-05-09 05:34 - 00000000 ____D C:\Users\Wolle\Desktop\meine Familie
2013-09-02 04:13 - 2012-04-09 05:05 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\HpUpdate
2013-09-02 04:13 - 2012-04-09 05:05 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\HP Support Assistant
2013-08-31 00:24 - 2012-04-01 07:27 - 00000544 _____ C:\Windows\Tasks\PCDRScheduledMaintenance.job
2013-08-28 00:56 - 2012-04-18 00:07 - 00000000 ____D C:\Users\Wolle\Desktop\Wohnungs Ordner
2013-08-21 18:59 - 2010-01-06 08:38 - 00269904 _____ C:\Windows\PFRO.log
2013-08-21 02:48 - 2013-08-21 02:48 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\Malwarebytes
2013-08-21 02:47 - 2013-08-21 02:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-21 02:47 - 2013-08-21 02:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Wolle\Downloads\mbam-setup-1.75.0.1300.exe
2013-08-21 02:09 - 2012-04-01 09:05 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-21 02:09 - 2012-04-01 09:05 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-21 02:09 - 2012-04-01 09:05 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-20 06:25 - 2013-08-20 06:25 - 99508550 _____ C:\Windows\SysWOW64\ି鱛ᵌR
2013-08-20 00:26 - 2013-05-02 01:47 - 00081112 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2013-08-20 00:26 - 2013-03-27 19:47 - 00132088 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2013-08-08 20:43 - 2013-08-08 19:55 - 00000000 ____D C:\Users\Wolle\AppData\Roaming\Autodesk
2013-08-08 20:27 - 2012-04-01 07:24 - 00000000 ____D C:\Users\Wolle\AppData\Local\VirtualStore

Files to move or delete:
====================
C:\Users\Wolle\AppData\Local\qHpYczLSjZ\NNdR26FL3S.exe
C:\Users\Wolle\AppData\Local\Temp\dngenibhfxwvnhetvte.bfg
C:\Users\Wolle\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\Wolle\AppData\Local\Temp\inbmpg.dll
C:\Users\Wolle\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Wolle\AppData\Local\Temp\NEW1390.tmp.exe
C:\Users\Wolle\AppData\Local\Temp\ose00000.exe
C:\Users\Wolle\AppData\Local\Temp\setup.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================
Restore point made on: 2013-08-28 05:47:55
Restore point made on: 2013-08-29 05:13:02
Restore point made on: 2013-08-29 10:19:16
Restore point made on: 2013-08-30 02:11:48
Restore point made on: 2013-08-30 07:27:15
Restore point made on: 2013-08-31 05:14:20
Restore point made on: 2013-09-01 04:20:23
Restore point made on: 2013-09-01 09:17:17
Restore point made on: 2013-09-02 00:59:47
Restore point made on: 2013-09-02 05:44:27
Restore point made on: 2013-09-03 04:15:01
Restore point made on: 2013-09-03 08:50:20
Restore point made on: 2013-09-04 09:50:37
Restore point made on: 2013-09-04 23:17:11
Restore point made on: 2013-09-05 05:05:44
Restore point made on: 2013-09-05 09:48:52
Restore point made on: 2013-09-06 06:08:14

==================== Memory info ===========================
Percentage of memory in use: 19%
Total physical RAM: 4095.3 MB
Available physical RAM: 3303.45 MB
Total Pagefile: 4093.45 MB
Available Pagefile: 3316.19 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================
Drive c: (COMPAQ) (Fixed) (Total:453.54 GB) (Free:317.71 GB) NTFS
Drive e: (FACTORY_IMAGE) (Fixed) (Total:12.12 GB) (Free:1.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:14.83 GB) (Free:14.82 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=12 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=15 GB) - (Type=0B)

LastRegBack: 2013-09-01 00:33

==================== End Of Log ============================
```
--- --- --- --- --- ---

Last edited by bensa89 (07.09.2013 at 11:45)
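The lines a helper on this board would look at first in a log like the one above are the autorun entries, the Command Processor value FRST marks with ATTENTION!, the Startup shortcut target, and the Winmgmt service image. The following Python script is an added example, not part of the original post and not code from the FRST authors: it applies those same checks mechanically to FRST-style lines. The six sample lines are copied from the log above; the regular expressions, the list of user-writable locations, the set of expected executable extensions and the watch-list of built-in service names are my own assumptions, not anything FRST defines.

```python
import re

# Sample input: six lines copied from the FRST log posted above (two benign, four suspicious).
SAMPLE_LINES = [
    r"HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)",
    r"HKU\Wolle\...\Run: [NNdR26FL3S.exe] - C:\Users\Wolle\AppData\Local\qHpYczLSjZ\NNdR26FL3S.exe [123248 2013-09-06] (Microsoft Corporation)",
    r'HKU\Wolle\...\Command Processor: "C:\Users\Wolle\AppData\Local\qHpYczLSjZ\NNdR26FL3S.exe" <===== ATTENTION!',
    r"ShortcutTarget: 3bnljw90.lnk -> C:\PROGRA~3\09wjlnb3.plz ()",
    r"S2 Winmgmt; C:\PROGRA~3\3bnljw90.pzz [58456 2013-09-06] (Microsoft Corporation)",
    r"S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-08-20] (Avira Operations GmbH & Co. KG)",
]

# A Windows path up to its first "name.ext" token that is followed by a quote, whitespace or end of line.
# Lazy matching lets directory names containing dots (Ask.com, ARM\1.0) pass through.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})(?=["\s]|$)')
# Trailing "(vendor)" as FRST prints it from the file's version resource (attacker-controlled data).
VENDOR_RE = re.compile(r'\(([^()]*)\)\s*$')
# Service lines have the form "S2 Name; path [...] (vendor)".
SERVICE_RE = re.compile(r'^S[0-4]\s+([^;]+);')

# Assumed heuristics (mine, not FRST's):
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\progra~3\\", "\\users\\public\\")          # any user can drop files here
EXEC_EXTS = {"exe", "dll", "sys", "com", "scr", "cpl", "ocx"}   # what a service image or autorun target normally is
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_SERVICE_NAMES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog"}  # built-in names a hijack may reuse


def extract_path(line):
    """Return the first Windows file path on an FRST line, or None if the line carries none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def vendor_of(line):
    """Return the trailing vendor string FRST prints, or None when absent or empty."""
    m = VENDOR_RE.search(line)
    vendor = m.group(1).strip() if m else ""
    return vendor or None


def triage_line(line):
    """Return the list of indicators found on one FRST line (empty list = nothing suspicious)."""
    findings = []
    if "ATTENTION" in line:                       # FRST's own marker, e.g. on a Command Processor AutoRun value
        findings.append("frst_attention_marker")
    path = extract_path(line)
    if path is None:
        return findings
    low = path.lower()
    ext = low.rsplit(".", 1)[-1]
    if any(seg in low for seg in USER_WRITABLE):
        findings.append("user_writable_location")
    if ext not in EXEC_EXTS:                      # .plz / .pzz are not extensions a real service image carries
        findings.append(f"non_standard_extension:{ext}")
    vendor = vendor_of(line)
    if vendor and "microsoft" in vendor.lower() and not low.startswith(SYSTEM_ROOTS):
        findings.append("microsoft_vendor_outside_system_paths")   # version info says Microsoft, location says otherwise
    svc = SERVICE_RE.match(line)
    if svc and svc.group(1).lower() in KNOWN_SERVICE_NAMES and not low.startswith("c:\\windows\\"):
        findings.append(f"known_service_name_hijack:{svc.group(1)}")
    return findings


def triage_log(lines):
    """Map every line that produced at least one indicator to its indicators."""
    report = {}
    for line in lines:
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LINES).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the sample, the two vendor-product lines (Canon, Avira) produce no indicators, while the four lines the board's helpers would put in a fix come back with between two and four indicators each; the Winmgmt service trips all four heuristics. None of these checks proves maliciousness on its own, so they serve to rank lines for a human reviewer rather than to replace one.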