Log analysis and evaluation: Interpol virus, Farbar Recovery Scan performed (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system has to be examined first: first steps for getting help. Keep in mind that an infected system is not trustworthy and should not be used until the malware has been completely removed.
08.09.2013, 21:08 #1
Interpol virus, Farbar Recovery Scan performed

Hi folks, I caught the Interpol virus a few days ago. In the meantime I have run the Farbar Recovery Scan Tool. Here is the text. Folks, I urgently need help.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-09-2013
Ran by SYSTEM on MINWINPC on 08-09-2013 20:09:59
Running from G:\
Windows Vista (TM) Home Premium (X86) OS Language: German Standard
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-01-21] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1033512 2008-01-18] (Synaptics, Inc.)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2008-05-14] (CyberLink Corp.)
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] - C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554288 2007-11-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2007-11-20] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [442433 2008-04-15] (IDT, Inc.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2314416 2013-09-07] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\a\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-02-26] (Hewlett-Packard Company)
HKU\a\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-21] (Microsoft Corporation)
HKU\a\...\Run: [PcSync] - C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
HKU\a\...\Run: [TU] - C:\Users\a\AppData\Roaming\SDIV 2.0\Prot\tu\tu.exe [ 2012-10-16] ()
HKU\a\...\Run: [SCheck] - C:\Users\a\AppData\Roaming\SCheck\SCheck.exe [ 2013-04-09] ()
HKU\a\...\Run: [Snoozer] - C:\Users\a\AppData\Roaming\Snz\Snz.exe [ 2013-07-23] ()
HKU\a\...\Run: [DataMgr] - C:\Users\a\AppData\Roaming\DataMgr\DataMgr.exe [ 2012-10-16] (HTTO Group, Ltd.)
HKU\a\...\Run: [Intermediate] - C:\Users\a\AppData\Roaming\Intermediate\Intermediate.exe [ 2013-04-09] ()
HKU\Ambin\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Ambin\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [ 2008-02-26] (Hewlett-Packard Company)
HKU\Ambin\...\Run: [Facebook Update] - C:\Users\Ambin\AppData\Local\Facebook\Update\FacebookUpdate.exe [ 2012-07-16] (Facebook Inc.)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3odiwir.lnk
ShortcutTarget: 3odiwir.lnk -> C:\Users\a\AppData\Local\Temp\riwido3.dat (Microsoft Corporation)
Startup: C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3odiwir.lnk
ShortcutTarget: 3odiwir.lnk -> c:\progra~2\riwido3.dat (Microsoft Corporation)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\Users\Ambin\AppData\Local\Temp\wpbt0.dll (No File)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gaaulemejdtpmciyabc.lnk
ShortcutTarget: gaaulemejdtpmciyabc.lnk -> C:\Users\Ambin\AppData\Local\Temp\cbayicmptdjemeluaag.bfg (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_9a642328\aestsrv.exe [73728 2008-02-12] (Andrea Electronics Corporation)
S2 Freemake Improver; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [100864 2012-09-07] (Freemake)
S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-04-15] (Hewlett-Packard)
S2 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [292248 2008-05-14] ()
S2 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [116112 2008-05-14] ()
S2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [341328 2008-03-26] ()
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_9a642328\STacSV.exe [221239 2008-04-15] (IDT, Inc.)
S2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1723744 2012-11-29] (TuneUp Software)
S3 usnjsvc; C:\Program Files\MSN Messenger\usnsvc.exe [97136 2007-01-19] (Microsoft Corporation)
S2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-09-07] (AVG Secure Search)
S3 WajamUpdater; C:\Program Files\Wajam\Updater\WajamUpdater.exe [109064 2012-10-05] (Wajam)
S2 Winmgmt; C:\PROGRA~2\riwido3.dat [192512 2013-08-10] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-09-07] (AVG Technologies)
S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-11] (Microsoft Corporation)
S3 LgBttPort; C:\Windows\System32\DRIVERS\lgbtport.sys [12160 2009-09-29] (LG Electronics Inc.)
S3 lgbusenum; C:\Windows\System32\DRIVERS\lgbtbus.sys [10496 2009-09-29] (LG Electronics Inc.)
S3 LGVMODEM; C:\Windows\System32\DRIVERS\lgvmodem.sys [12928 2009-09-29] (LG Electronics Inc.)
S3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [10088 2012-11-16] (TuneUp Software)
S1 eabfiltr;
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 usbbus; system32\DRIVERS\lgusbbus.sys [x]
S3 UsbDiag; system32\DRIVERS\lgusbdiag.sys [x]
S3 USBModem; system32\DRIVERS\lgusbmodem.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-08 18:18 - 2013-09-08 18:18 - 00138720 _____ C:\Windows\Minidump\Mini090813-01.dmp
2013-09-07 19:55 - 2013-09-07 19:57 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\riwido3.dat
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\1rllo.dat

==================== One Month Modified Files and Folders =======

2013-09-08 20:09 - 2013-09-08 20:09 - 00000000 ____D C:\FRST
2013-09-08 18:18 - 2013-09-08 18:18 - 00138720 _____ C:\Windows\Minidump\Mini090813-01.dmp
2013-09-08 18:18 - 2013-06-25 01:08 - 00000000 ____D C:\Windows\Minidump
2013-09-08 18:18 - 2013-06-25 01:07 - 111738323 _____ C:\Windows\MEMORY.DMP
2013-09-08 18:18 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-08 18:18 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-08 18:04 - 2008-09-06 05:32 - 00000217 _____ C:\Users\Public\Documents\hpqp.ini
2013-09-08 18:04 - 2008-09-06 05:32 - 00000217 _____ C:\ProgramData\Documents\hpqp.ini
2013-09-08 18:02 - 2008-06-13 03:37 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-09-08 18:01 - 2012-02-14 21:03 - 00006944 _____ C:\Users\Ambin\AppData\Local\d3d9caps.dat
2013-09-08 17:58 - 2009-02-06 21:30 - 00006944 _____ C:\Users\a\AppData\Local\d3d9caps.dat
2013-09-08 17:56 - 2008-09-06 04:33 - 01375086 _____ C:\Windows\WindowsUpdate.log
2013-09-08 16:41 - 2012-09-25 08:46 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-09-07 20:54 - 2013-03-09 08:54 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-09-07 20:54 - 2012-08-27 00:19 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-09-07 19:57 - 2013-09-07 19:55 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-07 18:56 - 2012-09-05 19:12 - 00037664 _____ (AVG Technologies) C:\Windows\System32\Drivers\avgtpx86.sys
2013-09-07 18:56 - 2011-12-16 19:27 - 00000000 ____D C:\Program Files\AVG Secure Search
2013-09-07 18:56 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\System32\LogFiles
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\riwido3.dat
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\1rllo.dat
2013-08-10 14:19 - 2013-02-09 05:13 - 00000374 _____ C:\Windows\System32\Drivers\etc\hosts.ics
2013-08-09 16:54 - 2008-01-21 03:47 - 00232118 _____ C:\Windows\PFRO.log
2013-08-09 09:31 - 2012-05-19 13:08 - 00000000 ____D C:\Users\Ambin\AppData\Local\AVG Secure Search

Files to move or delete:
====================
rundll32.exe oobefldr.dll,ShowWelcomeCenter
C:\ProgramData\0tbpw.pad
C:\ProgramData\1rllo.dat
C:\ProgramData\ezsid.dat
C:\ProgramData\lsass.exe
C:\ProgramData\riwido3.dat
C:\Users\a\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\a\AppData\Local\Temp\AskSLib.dll
C:\Users\a\AppData\Local\Temp\avguidx.dll
C:\Users\a\AppData\Local\Temp\BrowserSet.dll
C:\Users\a\AppData\Local\Temp\cabex.dll
C:\Users\a\AppData\Local\Temp\Certified_Toolbar.exe
C:\Users\a\AppData\Local\Temp\CommonInstaller.exe
C:\Users\a\AppData\Local\Temp\contentDATs.exe
C:\Users\a\AppData\Local\Temp\DivXSetup.exe
C:\Users\a\AppData\Local\Temp\DivXWebPlayerInstaller.exe
C:\Users\a\AppData\Local\Temp\DWPUpgradeInstaller.exe
C:\Users\a\AppData\Local\Temp\ffunzip.exe
C:\Users\a\AppData\Local\Temp\FreemakeVideoConverter_3.0.1.25.exe
C:\Users\a\AppData\Local\Temp\FreemakeVideoConverter_3.1.2.0.exe
C:\Users\a\AppData\Local\Temp\FreemakeVideoConverter_3.2.1.0.exe
C:\Users\a\AppData\Local\Temp\GLF2B2E.tmp.ConduitEngineSetup.exe
C:\Users\a\AppData\Local\Temp\GRRemove.exe
C:\Users\a\AppData\Local\Temp\HPQSi.exe
C:\Users\a\AppData\Local\Temp\iGearedHelper.dll
C:\Users\a\AppData\Local\Temp\installChecker.exe
C:\Users\a\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv_5b51740d.exe
C:\Users\a\AppData\Local\Temp\MyClaroTB.exe
C:\Users\a\AppData\Local\Temp\OdfAddInForOfficeSetup-de_4.0.5309.exe
C:\Users\a\AppData\Local\Temp\prxGLF2B2E.tmp.tbDVDV.dll
C:\Users\a\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\a\AppData\Local\Temp\setup.exe
C:\Users\a\AppData\Local\Temp\SkypeSetup.exe
C:\Users\a\AppData\Local\Temp\svd_dap.exe
C:\Users\a\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\a\AppData\Local\Temp\wajam_install.exe
C:\Users\a\AppData\Local\Temp\wmpfirefoxplugin.exe
C:\Users\a\AppData\Local\Temp\ydetect.exe
C:\Users\a\AppData\Local\Temp\_isAA04.exe
C:\Users\a\AppData\Local\Temp\{B088AD48-3F16-40DD-835F-47B42A5930A4}-25.0.1364.172_chrome_installer.exe
C:\Users\Ambin\AppData\Local\Temp\AskSLib.dll
C:\Users\Ambin\AppData\Local\Temp\cbayicmptdjemeluaag.bfg

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-25 21:22:25
Restore point made on: 2013-05-09 11:13:36
Restore point made on: 2013-05-10 22:25:08
Restore point made on: 2013-05-19 10:10:21
Restore point made on: 2013-05-21 11:32:21
Restore point made on: 2013-06-14 09:49:46
Restore point made on: 2013-06-14 19:24:37
Restore point made on: 2013-06-16 15:04:39
Restore point made on: 2013-06-17 08:02:57
Restore point made on: 2013-06-18 18:56:46
Restore point made on: 2013-06-18 22:32:35
Restore point made on: 2013-07-02 07:48:21
Restore point made on: 2013-07-06 13:16:06
Restore point made on: 2013-07-24 16:50:17
Restore point made on: 2013-08-08 22:27:29
Restore point made on: 2013-09-07 19:59:02

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4093.03 MB
Available physical RAM: 3502.09 MB
Total Pagefile: 3792.46 MB
Available Pagefile: 3583.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.39 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:224.04 GB) (Free:76.73 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:232.88 GB) (Free:232.78 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:8.84 GB) (Free:1.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:3.77 GB) (Free:3.76 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 7129B57F)
Partition 1: (Active) - (Size=224 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: 36CD77B2)
Partition 1: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)

LastRegBack: 2013-09-08 17:55

==================== End Of Log ============================
08.09.2013, 21:34 #2

/// TB-Ausbilder

Interpol virus, Farbar Recovery Scan performed

Hi,
does the computer start up normally again after this fix? Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document.

Code:
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3odiwir.lnk
ShortcutTarget: 3odiwir.lnk -> c:\progra~2\riwido3.dat (Microsoft Corporation)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\Users\Ambin\AppData\Local\Temp\wpbt0.dll (No File)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gaaulemejdtpmciyabc.lnk
ShortcutTarget: gaaulemejdtpmciyabc.lnk -> C:\Users\Ambin\AppData\Local\Temp\cbayicmptdjemeluaag.bfg (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~2\riwido3.dat [192512 2013-08-10] (Microsoft Corporation)
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\riwido3.dat
2013-08-10 14:21 - 2013-08-10 14:21 - 00192512 _____ (Microsoft Corporation) C:\ProgramData\1rllo.dat
C:\Users\Ambin\AppData\Local\Temp\cbayicmptdjemeluaag.bfg
C:\ProgramData\0tbpw.pad
C:\ProgramData\1rllo.dat
C:\ProgramData\ezsid.dat
C:\ProgramData\lsass.exe
C:\ProgramData\riwido3.dat

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.
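The fix list in the reply above is a hand-picked subset of the FRST log: startup shortcuts and a service that point at files in ProgramData or Temp, files with non-executable extensions that carry a "Microsoft Corporation" company string, and a service reusing the built-in name Winmgmt. The following Python script is an added example written for this edit; it is not the forum's tooling and not part of FRST. It parses a few lines copied from the log posted above (the sample is constructed from them) and reproduces that selection with explicit heuristics. The regular expressions for the line shapes, the list of user-writable locations, the extension list and the small set of Windows service names are this example's own assumptions, not rules taken from FRST.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the FRST log posted above. Only the
# persistence sections matter here (Run keys, Startup shortcuts, services).
SAMPLE_LOG = r"""
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKU\a\...\Run: [DataMgr] - C:\Users\a\AppData\Roaming\DataMgr\DataMgr.exe [ 2012-10-16] (HTTO Group, Ltd.)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3odiwir.lnk
ShortcutTarget: 3odiwir.lnk -> c:\progra~2\riwido3.dat (Microsoft Corporation)
Startup: C:\Users\Ambin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.lnk
ShortcutTarget: ctfmon.lnk -> C:\Users\Ambin\AppData\Local\Temp\wpbt0.dll (No File)
S2 Winmgmt; C:\PROGRA~2\riwido3.dat [192512 2013-08-10] (Microsoft Corporation)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_9a642328\STacSV.exe [221239 2008-04-15] (IDT, Inc.)
"""

# Line shapes of the three FRST persistence entry types (assumed from the log above).
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<rest>.*)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>.+?) -> (?P<rest>.*)$")
SVC_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<rest>.*)$")
# Trailer after the name: path, optional "[size date]", optional "(company)".
TRAILER_RE = re.compile(r"^(?P<path>.*?)(?: \[[^\]]*\])?(?: \((?P<company>[^)]*)\))?$")

# Heuristics (this example's own, not FRST rules).
USER_WRITABLE = re.compile(r"(?i)\\(programdata|progra~2|appdata\\local\\temp)\\")
WINDOWS_DIRS = re.compile(r"(?i)^[a-z]:\\(windows|program files|progra~1)\\")
NON_EXEC_EXT = re.compile(r"(?i)\.(dat|pad|bfg|tmp)$")
# Illustrative subset of real Windows service names (assumption: not exhaustive).
BUILTIN_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule"}

Finding = Tuple[str, str, str, List[str]]  # kind, name, path, reasons


def parse_line(line: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Return (kind, name, path, company) for a persistence line, else None."""
    for kind, rx in (("run", RUN_RE), ("startup", LNK_RE), ("service", SVC_RE)):
        m = rx.match(line)
        if m:
            t = TRAILER_RE.match(m.group("rest"))
            return kind, m.group("name"), t.group("path"), t.group("company")
    return None


def assess(kind: str, name: str, path: str, company: Optional[str]) -> List[str]:
    """Collect the reasons an entry deserves a closer look (empty = unremarkable)."""
    reasons: List[str] = []
    if USER_WRITABLE.search(path):
        reasons.append("target lives in a user-writable location")
    if NON_EXEC_EXT.search(path):
        reasons.append("target has a non-executable extension")
    if company and "microsoft" in company.lower() and not WINDOWS_DIRS.match(path):
        reasons.append("claims Microsoft but runs outside Windows/Program Files")
    if (kind == "service" and name.lower() in BUILTIN_SERVICES
            and not re.match(r"(?i)^[a-z]:\\windows\\", path)):
        reasons.append("built-in service name bound to a non-Windows binary")
    if company == "No File":
        reasons.append("target missing on disk (dangling persistence)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run every recognised persistence line through assess() and keep the hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, name, path, company = parsed
        reasons = assess(kind, name, path, company)
        if reasons:
            findings.append((kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {name} -> {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags exactly the three entries the helper put into the fix list (the two shortcuts and the Winmgmt service) and leaves Windows Defender, the STacSV driver service and the AppData\Roaming Run entry alone. The last of these shows the limit of path-based heuristics: an adware-style Run entry under AppData\Roaming with an unknown company string is not wrong by these rules, and a human still has to look at it.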
16.09.2013, 17:27 #3
/// TB-Ausbilder

Interpol virus, Farbar Recovery Scan performed

Hi,

I haven't heard back from you for a while. Do you still need help? If I don't hear from you within the next 24 hours, I will assume the topic is resolved and remove it from my subscriptions.

Note: We are not done yet! Even if the symptoms have disappeared, your system may still be infected and may have security holes that make a new infection possible.
22.09.2013, 17:01 #4
/// TB-Ausbilder

Interpol virus, Farbar Recovery Scan performed

No reply received

This topic has been removed from my subscriptions, so I no longer receive notifications about new replies. Send me a PM if you would like to continue the topic after all; then we will carry on here.

Note: The disappearance of the symptoms does not mean that your computer is already clean.

Everyone else, please read these instructions and create your own thread.

cheers, Leo