| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Trojaner Mediyes.GenWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
| |
31.10.2013, 18:10
| #1 |
 |  Trojaner Mediyes.Gen Hallo an das Team & die Nutzer von Trojaner-Board! Auf meinem Rechner wurde von AntiVir der Virus Mediyes.Gen entlarvt. Dies geschah vor gut einer Woche. Ich sah mich gezwungen den Rechner neu aufzusetzen, um sicher zu gehen, dass der Plagegeist zu 100% verschwunden ist. So spielte ich also Windows 8 auf den Rechner, installierte AntiVir und lies einen erneuten Systemcheck durchlaufen: keine Meldung. Wieder ausgemacht und wieder angemacht spuckte AntiVir plötzlich wieder die Trojaner Meldung aus, was für mich unvorstellbar war. Neuaufgesetztes System, nichts verändert, nichtmal gesurft und trotzdem erhalte ich die Meldung wieder?! Hat jemand Erfahrung mit dem Virus und kann mir sagen, ob AntiVir diesen vermeintlichen Virus falsch identifiziert? MfG, Djorkaeff |
|
31.10.2013, 19:44
| #2 | |
| /// TB-Ausbilder   |  Trojaner Mediyes.Gen Mein Name ist Matthias und ich werde dir bei der Bereinigung deines Computers helfen. Bitte beachte folgende Hinweise:
Zitat:
Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop (falls noch nicht vorhanden).
Code:
ATTFilter activex
netsvcs
msconfig
drivers32
safebootminimal
safebootnetwork
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers
HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Telephony\Providers /64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation /S /64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache /S /64
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /64
HKEY_LOCAL_MACHINE\SOFTWARE\Joosoft.com
HKEY_LOCAL_MACHINE\SOFTWARE\Joosoft.com /64
%SystemRoot%\system32\*.tsp
%SystemRoot%\system32\*.tsp /64
C:\Windows\system32\*.dll /800
C:\Windows\system32\*.dll /800 /64
CREATERESTOREPOINT
|
|
01.11.2013, 16:36
| #3 |
| | Trojaner Mediyes.Gen Danke für den schnellen Support!
__________________Der Trojaner liegt laut AntiVir auf der Betriebssystem-Festplatte C im Windows Ordner -> WinSxS Ordner unter Temp -> Pending Renames. Angezeigt werden mittlerweile sogar schon 3.  Code:
ATTFilter OTL Extras logfile created on: 01.11.2013 15:59:25 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Plogmaker\Desktop
Professional (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16384)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
1,94 Gb Total Physical Memory | 1,44 Gb Available Physical Memory | 74,41% Memory free
3,06 Gb Paging File | 2,23 Gb Available in Paging File | 72,79% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 6,07 Gb Free Space | 31,09% Space Free | Partition Type: NTFS
Drive D: | 53,71 Gb Total Space | 47,41 Gb Free Space | 88,27% Space Free | Partition Type: NTFS
Computer Name: PLOGMAKER-PC | User Name: Plogmaker | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\WINDOWS\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\winhlp32.exe (Microsoft Corporation)
[HKEY_USERS\S-1-5-21-4000362387-2536209437-911832370-1001\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "D:\Programme\Mircosoft Office 2010\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Programme\Mircosoft Office 2010\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\OpenWith.exe "%1" (Microsoft Corporation)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Upgrade]
"UpgradeTime" = Reg Error: Unknown registry data type -- File not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B6AFDC4-34B8-47EA-8E1E-617AB58A6B16}" = protocol=17 | dir=in | app=d:\programme\mircosoft office 2010\office14\groove.exe |
"{11C83D57-98F1-4E59-87E9-E9E8334F52FF}" = dir=out | name=@{microsoft.bingnews_3.0.1.174_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingnews/resources/news} |
"{166ABB59-8373-4D60-9891-DD5C1B5B3D92}" = dir=out | name=@{microsoft.bingweather_3.0.1.174_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingweather/resources/apptitle} |
"{2DF2E2B0-A588-4810-90EB-4C394CAB983F}" = dir=in | name=junipernetworks.junospulsevpn |
"{331D3F10-92E3-4211-9259-CAF9D02FCE86}" = dir=out | name=junipernetworks.junospulsevpn |
"{3B04FFF1-2925-4177-BBC3-FA2F0B5E9D7F}" = dir=out | name=@{microsoft.bingtravel_3.0.1.174_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingtravel/resources/apptitle} |
"{4DEF5975-E288-4512-96DA-8659AA10E693}" = dir=out | name=@{microsoft.bingfinance_3.0.1.174_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingfinance/resources/apptitle} |
"{5E8C5D79-A5AB-4B86-9FBF-6D7C502A7964}" = dir=out | name=@{microsoft.windowsreadinglist_6.3.9600.16384_x86__8wekyb3d8bbwe?ms-resource://microsoft.windowsreadinglist/resources/apppackagename} |
"{823BDBF1-EEC8-44AA-8EA7-48E461359FC9}" = dir=in | name=@{microsoft.windowscommunicationsapps_17.4.9600.16384_x86__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{83041EC6-823F-4C7F-AF33-7667C3BA333B}" = dir=out | name=@{microsoft.bingsports_3.0.1.174_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingsports/resources/bingsports} |
"{835E0E77-65D1-4FAA-AA5E-AC67565A94FB}" = dir=out | name=sonicwall.mobileconnect |
"{86940B63-0BAC-4B00-AF34-F405090DBD85}" = dir=out | name=@{microsoft.windowscommunicationsapps_17.4.9600.16384_x86__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{8ED24AF7-10C4-40DD-A935-EB4E328C3903}" = dir=in | name=@{microsoft.windowsreadinglist_6.3.9600.16384_x86__8wekyb3d8bbwe?ms-resource://microsoft.windowsreadinglist/resources/apppackagename} |
"{93CE3F64-A50A-426A-8AE1-5C2F6E6303BB}" = dir=out | name=@{microsoft.zunemusic_2.2.41.0_x86__8wekyb3d8bbwe?ms-resource://microsoft.zunemusic/resources/ids_manifest_music_app_name} |
"{94CAF971-469E-4786-A8CB-729DC908A8A5}" = dir=out | name=skype |
"{A9080F4C-BE69-49F6-87CD-FAE444526D27}" = dir=out | name=@{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{AD22EED2-562C-4011-BE06-0C267663CEDC}" = dir=out | name=@{browserchoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://browserchoice/resources/displayname} |
"{AF4CD98F-A6B6-4B1C-8D65-661A94CE0BDE}" = dir=in | name=@{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{AFD39BD9-D48B-4C9B-A747-6B3C6ED22ABA}" = dir=out | name=@{microsoft.bingfoodanddrink_3.0.1.177_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingfoodanddrink/resources/apptitlewithbranding} |
"{C13E76C5-0EBC-4895-B1B2-E549D64BE0B2}" = dir=out | name=@{microsoft.bingmaps_2.0.2009.2356_x86__8wekyb3d8bbwe?ms-resource://microsoft.bingmaps/resources/appdisplayname} |
"{C1E051F7-162B-4B85-AAEF-0A49755A2729}" = dir=in | name=skype |
"{C6182E4B-10FC-4083-A766-458080D68E73}" = dir=in | name=f5.vpn.client |
"{C6F6A92E-65D7-4236-8805-9F27A817E581}" = dir=out | name=@{microsoft.xboxlivegames_2.0.20.0_x86__8wekyb3d8bbwe?ms-resource://microsoft.xboxlivegames/resources/34150} |
"{D26A9000-E866-47F7-A91F-05A451B4DBB3}" = dir=in | name=@{browserchoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://browserchoice/resources/displayname} |
"{D9379575-C6AF-453C-945D-F68C38F3C12D}" = dir=out | name=@{microsoft.binghealthandfitness_3.0.1.176_x86__8wekyb3d8bbwe?ms-resource://microsoft.binghealthandfitness/resources/apptitle} |
"{DA3629B9-5DA4-4B7E-B593-B1F2925315D8}" = protocol=6 | dir=in | app=d:\programme\mircosoft office 2010\office14\groove.exe |
"{E20BB53A-3BDC-460D-BAEE-FFDC117AB485}" = dir=in | name=sonicwall.mobileconnect |
"{E6A4BE21-4183-455E-8C07-84C78011B261}" = dir=out | name=checkpoint.vpn |
"{F00BCC2B-E07C-4056-B096-855E45C1979C}" = dir=out | name=@{microsoft.zunevideo_2.2.41.0_x86__8wekyb3d8bbwe?ms-resource://microsoft.zunevideo/resources/ids_manifest_video_app_name} |
"{FA35BA80-EA4B-48FD-9FEF-74E9E0B3FEC7}" = dir=in | name=checkpoint.vpn |
"{FE5EA256-AD54-4FD8-B211-1263089653FF}" = dir=out | name=f5.vpn.client |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2010
"{90140000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2010
"{90140000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2010
"{90140000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2010
"{90140000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2010
"{90140000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2010
"{90140000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2010
"{90140000-0044-0407-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (German) 2010
"{90140000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2010
"{90140000-00A1-0407-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (German) 2010
"{90140000-00BA-0407-0000-0000000FF1CE}" = Microsoft Office Groove MUI (German) 2010
"{AC76BA86-7AD7-1031-7B44-AB0000000001}" = Adobe Reader XI (11.0.04) - Deutsch
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"AVMWLANCLI" = AVM FRITZ!WLAN
"CCleaner" = CCleaner
"Mozilla Firefox 25.0 (x86 de)" = Mozilla Firefox 25.0 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 29.10.2013 05:23:02 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 8200
Description = Lizenzerwerb-Fehlerdetails. hr=0x80072EE7
Error - 29.10.2013 05:23:02 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 1014
Description = Fehler beim Erwerb der Endbenutzerlizenz. hr=0x80072EE7 SKU-ID=8da2dfae-e4f5-4e6a-9272-96f8470e033e
Error - 29.10.2013 05:23:02 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 8198
Description = Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode: hr=0x80072EE7
Befehlszeilenargumente:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8da2dfae-e4f5-4e6a-9272-96f8470e033e;NotificationInterval=1440;Trigger=UserLogon;SessionId=2
Error - 29.10.2013 05:23:52 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 8200
Description = Lizenzerwerb-Fehlerdetails. hr=0x80072EE7
Error - 29.10.2013 05:23:52 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 1014
Description = Fehler beim Erwerb der Endbenutzerlizenz. hr=0x80072EE7 SKU-ID=8da2dfae-e4f5-4e6a-9272-96f8470e033e
Error - 29.10.2013 05:42:44 | Computer Name = WIN-J3CT28APSCC | Source = Software Protection Platform Service | ID = 8198
Description = Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode: hr=0xC004E028
Befehlszeilenargumente:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8da2dfae-e4f5-4e6a-9272-96f8470e033e;NotificationInterval=1440;Trigger=NetworkAvailable
[ System Events ]
Error - 29.10.2013 09:19:04 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10010
Description =
Error - 31.10.2013 10:23:22 | Computer Name = Plogmaker-PC | Source = Service Control Manager | ID = 7009
Description = Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst
Windows Search erreicht.
Error - 31.10.2013 10:23:22 | Computer Name = Plogmaker-PC | Source = Service Control Manager | ID = 7000
Description = Der Dienst "Windows Search" wurde aufgrund folgenden Fehlers nicht
gestartet: %%1053
Error - 31.10.2013 10:23:22 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10005
Description =
Error - 31.10.2013 12:25:09 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10010
Description =
Error - 31.10.2013 12:25:39 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10010
Description =
Error - 31.10.2013 12:31:48 | Computer Name = Plogmaker-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
Fehler 0x80070005 fehlgeschlagen: Update für Windows 8.1 (KB2883200)
Error - 01.11.2013 10:42:05 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10010
Description =
Error - 01.11.2013 10:42:36 | Computer Name = Plogmaker-PC | Source = DCOM | ID = 10010
Description =
Error - 01.11.2013 10:45:35 | Computer Name = Plogmaker-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installationsfehler: Die Installation des folgenden Updates ist mit
Fehler 0x80070005 fehlgeschlagen: Update für Windows 8.1 (KB2883200)
< End of report >
|
|
01.11.2013, 17:17
| #4 | |
| /// TB-Ausbilder | Trojaner Mediyes.Gen Servus, Zitat:
|
|
01.11.2013, 17:37
| #5 |
| | Trojaner Mediyes.Gen Da hätte ich auch selbst drauf kommen können  Entschuldige !  |
|
01.11.2013, 17:43
| #6 |
| /// TB-Ausbilder | Trojaner Mediyes.Gen Servus, ich seh da kein Mediyes... könnte ein Fehlalarm von Avira sein. Wir schauen trotzdem mal drüber: Schritt 1 Downloade Dir bitte  Malwarebytes Anti-Malware
Schritt 2 Downloade dir HitmanPro (32 Bit) auf deinen Desktop.
Bitte poste mit deiner nächsten Antwort
|
|
| Themen zu Trojaner Mediyes.Gen |
| 100%, antivir, aufzusetzen, erfahrung, erhalte, erneute, falsch, gesurft, ide, installier, installierte, mediyes, mediyes.gen, neu, nichts, nutzer, plagegeist, plötzlich, rechner, schädling, spiel, systemcheck, troja, trojaner, trojaner mediyes.gen, trojaner meldung, verschwunden, verändert, virus, windows |
Textbox.
Hybrid-Darstellung
