GVU Trojaner - Windows startet nicht mehr im abgesicherten Modus

Bartho1 · 06.11.2013, 16:37

Hallo liebes Forenteam, ich habe den GVU-Trojaner auf meinem Rechner und bekomme ihn herkömmlich nicht mehr weg, da ich leider nicht mehr im abgesicherten Modus starten kann.

Habe dazu bereits einige Themen gelesen und um Eure Arbeit zu beschleunigen schon mal erfolgreich mit FRST gescannt.

Hier nun der Inhalt meiner FRST.txt

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 31-10-2013
Ran by SYSTEM on MININT-UP6RNH7 on 06-11-2013 16:09:52
Running from G:\
Windows 7 Home Premium (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8060960 2009-08-05] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated)
HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [823840 2009-09-30] (Acer Incorporated)
HKLM-x32\...\runonceex: [] - 
Winlogon\Notify\avldr: C:\Windows\SYSTEM32\avldr64.dll (On-Access Anti-Malware Scanner Sync)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [261888 2009-09-24] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1094736 2009-11-01] (Dritek System Inc.)
HKLM-x32\...\Run: [My Web Search Bar Search Scope Monitor] - C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SRCHMN.EXE [34336 2012-03-29] (MyWebSearch.com)
HKLM-x32\...\Run: [MyWebSearch Email Plugin] - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE [38408 2012-03-29] (MyWebSearch.com)
HKLM-x32\...\Run: [APVXDWIN] - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\ApVxdWin.exe [1000768 2011-04-13] (Panda Security, S.L.)
HKLM-x32\...\Run: [SCANINICIO] - C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\Inicio.exe [70464 2011-02-02] (Panda Security, S.L.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-02] (Sun Microsystems, Inc.)
HKU\Bayernboni69\...\Run: [jdsfjsdijf.exe] - C:\jdsfjsdijf.exe\jdsfjsdijf.exe
HKU\Bayernboni69\...\Run: [MyWebSearch Email Plugin] - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE [38408 2012-03-29] (MyWebSearch.com)
HKU\Bayernboni69\...\Run: [phonostar-PlayerTimer] - C:\Program Files (x86)\phonostar-Player\phonostarTimer.exe [41472 2012-04-03] ()
HKU\Bayernboni69\...\Run: [msnmsgr] - C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation)
HKU\Bayernboni69\...\Run: [SQLUpdater] - C:\Users\Bayernboni69\AppData\Roaming\SQLUpdater.exe [89128960 2012-08-07] ()
HKU\Bayernboni69\...\Run: [WinDefender] - "C:\Users\Bayernboni69\AppData\Local\Temp\svchost.exe" <===== ATTENTION
HKU\Bayernboni69\...\Run: [{C192292F-1167-5CDB-4134-F0610873CECA}] - C:\Users\Bayernboni69\AppData\Roaming\Piedha\ifort.exe [22892544 2011-01-23] (Home Network International)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [162336 2009-07-08] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [162336 2009-07-08] ()
AppInit_DLLs:    [0 ] ()
AppInit_DLLs-x32:    [0 ] ()
Startup: C:\Users\Bayernboni69\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Users\BAYERN~1\wgsdgsdgdsgsd.exe ()

==================== Services (Whitelisted) =================

S3 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.)
S2 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe [34320 2012-03-29] (MyWebSearch.com)
S2 Panda Software Controller; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsCtrls.exe [173312 2009-08-10] (Panda Security, S.L.)
S2 PAVFNSVR; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PavFnSvr.exe [202048 2010-10-20] (Panda Security, S.L.)
S2 PavPrSrv; C:\Program Files (x86)\Common Files\Panda Security\PavShld\pavprsrv.exe [62768 2008-02-04] (Panda Security, S.L.)
S2 PAVSRV; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\pavsrvx86.exe [314176 2010-06-04] (Panda Security, S.L.)
S2 PSHost; c:\program files (x86)\panda security\panda internet security 2012\firewall\PSHOST.EXE [226560 2009-11-26] (Panda Security International)
S2 PSIMSVC; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PsImSvc.exe [108288 2008-06-19] (Panda Security S.L.)
S2 PskSvcRetail; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\PskSvc.exe [28992 2010-08-16] (Panda Security, S.L.)
S2 TPSrv; C:\Program Files (x86)\Panda Security\Panda Internet Security 2012\TPSrvWow.exe [173888 2011-04-14] (Panda Security, S.L.)

==================== Drivers (Whitelisted) ====================

S2 AmFSM; C:\Windows\System32\DRIVERS\amm6460.sys [65608 2010-05-21] (Panda Security, S.L.)
S2 APPFLT; C:\Windows\system32\Drivers\APPFLT64.SYS [129096 2011-01-31] (Panda Security, S.L.)
S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [211456 2009-12-23] ()
S2 ComFiltr; C:\Windows\system32\DRIVERS\COMFiltr.sys [15928 2012-06-05] ()
S2 DSAFLT; C:\Windows\system32\Drivers\DSAFLT64.SYS [82952 2009-09-25] (Panda Security, S.L.)
S2 FNETMON; C:\Windows\system32\Drivers\fnetm64.SYS [31752 2009-09-25] (Panda Security, S.L.)
S2 IDSFLT; C:\Windows\system32\Drivers\IDSFLT64.SYS [78920 2010-09-09] (Panda Security, S.L.)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [35328 2009-12-23] ()
S2 NETFLTDI; C:\Windows\system32\Drivers\NETTDI64.SYS [170504 2009-09-25] (Panda Security, S.L.)
S3 NETIMFLT01060044; C:\Windows\System32\DRIVERS\n64i1644.sys [216648 2010-09-01] (Panda Security, S.L.)
S0 pavboot; C:\Windows\System32\Drivers\pavboot64.sys [30792 2010-06-22] (Panda Security, S.L.)
S4 sfdrv01; C:\Windows\System32\drivers\sfdrv01.sys [68608 2005-08-10] (Protection Technology)
S4 sfvfs02; C:\Windows\System32\drivers\sfvfs02.sys [89600 2005-11-03] (Protection Technology)
S1 ShldFlt; C:\Windows\System32\DRIVERS\ShldFlt.sys [48136 2009-10-27] (Panda Security, S.L.)
S2 WNMFLT; C:\Windows\system32\Drivers\WNMFLT64.SYS [74760 2009-09-25] (Panda Security, S.L.)
S3 PavTPK.sys; \??\C:\Windows\system32\PavTPK.sys [x]
S3 Prot6Flt; system32\DRIVERS\Prot6Flt.sys [x]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-06 16:09 - 2013-11-06 16:09 - 00000000 ____D C:\FRST

==================== One Month Modified Files and Folders =======

2013-11-06 16:09 - 2013-11-06 16:09 - 00000000 ____D C:\FRST
2013-11-06 06:37 - 2012-10-03 11:28 - 02046556 _____ C:\Windows\WindowsUpdate.log
2013-11-06 06:36 - 2012-06-05 14:20 - 00000252 _____ C:\Windows\System32\Drivers\etc\IdsFlt.cfg.bck
2013-11-06 06:36 - 2012-06-05 14:20 - 00000252 _____ C:\Windows\System32\Drivers\etc\IdsFlt.cfg
2013-11-06 06:36 - 2012-06-05 14:20 - 00000092 _____ C:\Windows\System32\Drivers\etc\NetLoc.wlt.bck
2013-11-06 06:36 - 2012-06-05 14:20 - 00000092 _____ C:\Windows\System32\Drivers\etc\NetLoc.wlt
2013-11-06 06:36 - 2012-06-05 14:20 - 00000068 _____ C:\Windows\System32\Drivers\etc\NetFlt.cfg.bck
2013-11-06 06:36 - 2012-06-05 14:20 - 00000068 _____ C:\Windows\System32\Drivers\etc\NetFlt.cfg
2013-11-06 06:36 - 2012-06-05 14:20 - 00000056 _____ C:\Windows\System32\Drivers\etc\WnmFlt.cfg.bck
2013-11-06 06:36 - 2012-06-05 14:20 - 00000056 _____ C:\Windows\System32\Drivers\etc\WnmFlt.cfg
2013-11-06 06:36 - 2012-06-05 14:20 - 00000056 _____ C:\Windows\System32\Drivers\etc\DsaFlt.cfg.bck
2013-11-06 06:36 - 2012-06-05 14:20 - 00000056 _____ C:\Windows\System32\Drivers\etc\DsaFlt.cfg
2013-11-06 06:36 - 2012-06-05 14:14 - 00326376 _____ C:\Windows\System32\Drivers\APPFCONT.DAT.bck
2013-11-06 06:36 - 2012-06-05 14:14 - 00326376 _____ C:\Windows\System32\Drivers\APPFCONT.DAT
2013-11-06 06:36 - 2012-06-05 14:14 - 00303044 _____ C:\Windows\System32\Drivers\etc\DsaFlt.rls.bck
2013-11-06 06:36 - 2012-06-05 14:14 - 00303044 _____ C:\Windows\System32\Drivers\etc\DsaFlt.rls
2013-11-06 06:36 - 2012-06-05 14:14 - 00001132 _____ C:\Windows\System32\Drivers\APPFLTR.CFG.bck
2013-11-06 06:36 - 2012-06-05 14:14 - 00001132 _____ C:\Windows\System32\Drivers\APPFLTR.CFG
2013-11-06 06:36 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-06 06:36 - 2009-07-13 20:45 - 00017600 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-06 06:33 - 2013-01-10 16:21 - 95023320 ____T C:\ProgramData\dsgsdgdsgdsgw.pad
2013-11-06 06:33 - 2012-07-25 17:00 - 00000000 ____D C:\Users\Bayernboni69\Tracing
2013-11-06 06:29 - 2012-06-05 14:18 - 00000152 _____ C:\Windows\System32\Drivers\etc\NetAdapt.cfg.bck
2013-11-06 06:29 - 2012-06-05 14:18 - 00000152 _____ C:\Windows\System32\Drivers\etc\NetAdapt.cfg
2013-11-06 06:29 - 2012-06-05 14:18 - 00000060 _____ C:\Windows\System32\Drivers\etc\NetAR.wlt.bck
2013-11-06 06:29 - 2012-06-05 14:18 - 00000060 _____ C:\Windows\System32\Drivers\etc\NetAR.wlt
2013-11-06 06:28 - 2013-01-06 17:23 - 00001814 _____ C:\Windows\setupact.log
2013-11-06 06:28 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-06 06:04 - 2009-11-18 01:27 - 00664076 _____ C:\Windows\System32\perfh007.dat
2013-11-06 06:04 - 2009-11-18 01:27 - 00135312 _____ C:\Windows\System32\perfc007.dat
2013-11-06 06:04 - 2009-07-13 21:13 - 01526094 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-06 06:03 - 2012-06-14 16:32 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

Files to move or delete:
====================
C:\ProgramData\dsgsdgdsgdsgw.bat
C:\ProgramData\dsgsdgdsgdsgw.js
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\ProgramData\dsgsdgdsgdsgw.reg
C:\Users\Bayernboni69\wgsdgsdgdsgsd.exe
C:\Users\Bayernboni69\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk


Some content of TEMP:
====================
C:\Users\Bayernboni69\AppData\Local\Temp\OpenCL.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

4
Restore point made on: 2013-02-08 13:29:21
Restore point made on: 2013-08-07 13:06:59
Restore point made on: 2013-08-07 13:12:00
Restore point made on: 2013-11-06 06:35:04

==================== Memory info =========================== 

Percentage of memory in use: 17%
Total physical RAM: 4090.93 MB
Available physical RAM: 3384.17 MB
Total Pagefile: 4089.07 MB
Available Pagefile: 3383.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (ACER) (Fixed) (Total:286.27 GB) (Free:19.92 GB) NTFS
Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:1.58 GB) NTFS
Drive g: (Tom 3) (Fixed) (Total:465.76 GB) (Free:9.11 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 05690569)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=286 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: A72C0B80)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)


LastRegBack: 2013-11-06 15:08

==================== End Of Log ============================

Wie soll ich nun weiter verfahren?

GVU Trojaner - Windows startet nicht mehr im abgesicherten Modus

Plagegeister aller Art und deren Bekämpfung: GVU Trojaner - Windows startet nicht mehr im abgesicherten Modus

GVU Trojaner - Windows startet nicht mehr im abgesicherten Modus

Ähnliche Themen: GVU Trojaner - Windows startet nicht mehr im abgesicherten Modus