Log analysis and evaluation: Windows 7 Interpol Virus
Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed. |
28.12.2013, 03:40 | #1 |
| Windows 7 Interpol Virus
I've caught the Interpol virus. OS: Windows 7 64-bit Home Premium. Starting in safe mode is not possible because it shuts down immediately as soon as the login screen appears. Via the computer repair console I used frst64 to get a log file that can hopefully be used to help me here.
FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-12-2013 01
Ran by SYSTEM on MININT-M794EKL on 28-12-2013 02:45:58
Running from M:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [VIRTU MVP] - C:\Program Files\Lucidlogix Technologies\VIRTU MVP\MVPControlPanel.exe [3008288 2012-03-25] ()
HKLM-x32\...\Run: [HDAudDeck] - C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5015040 2012-02-11] (VIA)
HKLM-x32\...\Run: [USB3MON] - C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-28] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [133400 2012-03-07] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [VolPanel] - C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe [184320 2007-04-17] (Creative Technology Ltd)
HKLM-x32\...\Run: [SPIRunE] - C:\Windows\\SysWOW64\SPIRunE.dll [18432 2009-03-05] (Creative Technology Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\kbusl\...\Run: [XBGameingMouse] - C:\Program Files (x86)\ELECOM E-Force Laser Gaming Mouse\GameMouseMonitor.exe [2450432 2010-12-24] ()
HKU\kbusl\...\Run: [Creative MediaSource Go] - C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe [204800 2006-11-09] (Creative Technology Ltd)
HKU\kbusl\...\Run: [CTRegRun] - C:\Windows\Ctregrun.exe [53248 2006-10-06] (Creative Technology Ltd )
HKU\UpdatusUser\...\Run: [XBGameingMouse] - C:\Program Files (x86)\ELECOM E-Force Laser Gaming Mouse\GameMouseMonitor.exe [2450432 2010-12-24] ()
HKU\UpdatusUser\...\Run: [Creative MediaSource Go] - C:\Program Files (x86)\Creative\MediaSource5\Go\CTCMSGoU.exe [204800 2006-11-09] (Creative Technology Ltd)
HKU\UpdatusUser\...\Run: [CTRegRun] - C:\Windows\Ctregrun.exe [53248 2006-10-06] (Creative Technology Ltd )
HKU\UpdatusUser\...\RunOnce: [StartMSu] - C:\Program Files (x86)\Creative\MediaSource5\startMSu.exe [81920 2006-10-02] (Creative Technology Ltd)
HKU\UpdatusUser\...\RunOnce: [InetReg] - "C:\Program Files (x86)\Creative\Produktregistrierung\German\InetReg.exe" /PreProcess=RegFlash.exe /Delay=6
HKU\UpdatusUser\...\RunOnce: [CTAutoUpdate] - C:\Program Files (x86)\Creative\Shared Files\Software Update\AutoUpdate.exe [430968 2009-01-15] (Creative Technology Ltd)
AppInit_DLLs: C:\Windows\System32\appinit_dll.dll [171808 2012-03-25] (Lucidlogix Inc.)
AppInit_DLLs-x32: C:\Windows\SysWOW64\appinit_dll.dll [147744 2012-03-25] (Lucidlogix Inc.)
Startup: C:\Users\kbusl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rwaewl.lnk
ShortcutTarget: rwaewl.lnk -> C:\ProgramData\lweawr.jss (hxxp://tortoisesvn.net)

==================== Services (Whitelisted) =================

S2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.18\atkexComSvc.exe [918448 2011-10-29] ()
S2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-02-03] (ASUSTeK Computer Inc.)
S2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-17] (ASUSTeK Computer Inc.)
S2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.06\AsusFanControlService.exe [1475200 2012-05-03] (ASUSTeK Computer Inc.)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [163608 2012-03-07] (Intel Corporation)
S2 usbglcsservice; C:\Program Files (x86)\ELECOM E-Force Laser Gaming Mouse\UsbglcsSrv.exe [5865289 2010-12-24] ()
S2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2011-11-13] (VIA Technologies, Inc.)
S2 Winmgmt; C:\ProgramData\rwaewl.zvv [62052 2013-12-28] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-25] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
S3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
S3 FETNDIS; C:\Windows\System32\DRIVERS\fet6x64.sys [47872 2009-06-10] (VIA Technologies, Inc. )
S3 usbglcs1080101; C:\Windows\System32\DRIVERS\usbglcs1080101.sys [24064 2010-12-24] (Windows (R) Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-28 02:35 - 2013-12-28 02:35 - 00000000 ____D C:\FRST
2013-12-28 01:32 - 2013-12-28 01:35 - 95025368 ____T C:\ProgramData\rwaewl.fee
2013-12-28 01:32 - 2013-12-28 01:32 - 00312320 _____ (hxxp://tortoisesvn.net) C:\ProgramData\lweawr.jss
2013-12-28 01:32 - 2013-12-28 01:32 - 00062052 ____T (Microsoft Corporation) C:\ProgramData\rwaewl.zvv
2013-12-28 01:32 - 2013-12-28 01:32 - 00000273 _____ C:\ProgramData\rwaewl.reg
2013-12-28 01:32 - 2013-12-28 01:32 - 00000000 _____ C:\ProgramData\rwaewl.odd
2013-12-27 22:40 - 2013-12-27 22:40 - 00698480 _____ C:\Windows\Minidump\122713-18704-01.dmp
2013-12-23 03:06 - 2013-12-23 03:06 - 00558168 _____ C:\Windows\Minidump\122313-23712-01.dmp
2013-12-22 01:16 - 2013-12-22 01:16 - 00059770 _____ C:\Users\kbusl\Documents\SOM und GM Meeting 21.12.2013.txt
2013-12-18 23:04 - 2013-12-18 23:44 - 3192264704 _____ C:\Users\kbusl\Downloads\X15-65741.iso
2013-12-18 14:06 - 2013-12-18 14:08 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\ImgBurn
2013-12-18 13:57 - 2013-12-18 13:57 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2013-12-18 13:20 - 2013-12-18 13:20 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\WinRAR
2013-12-18 13:19 - 2013-12-18 13:20 - 00000000 ____D C:\Program Files\WinRAR
2013-12-18 13:12 - 2013-12-18 13:12 - 02000000 _____ C:\Users\kbusl\Downloads\bootcd.part1.rar.zip
2013-12-18 13:08 - 2013-12-18 13:57 - 00000000 ____D C:\Users\kbusl\Downloads\Acer recovery help tools
2013-12-13 15:56 - 2013-12-13 15:56 - 07072560 _____ (ParetoLogic ) C:\Users\kbusl\Downloads\Pareto_DR_Setup_RW.exe
2013-12-13 15:52 - 2013-12-13 15:52 - 05938856 _____ (ParetoLogic, Inc.) C:\Users\kbusl\Downloads\RegCureProSetup.exe
2013-12-13 15:42 - 2013-12-13 15:42 - 00449598 _____ C:\Users\kbusl\Downloads\keyfinder.zip
2013-12-13 15:41 - 2013-12-13 15:41 - 01200440 _____ (Magical Jelly Bean ) C:\Users\kbusl\Downloads\KeyFinderInstaller.exe
2013-12-08 22:01 - 2013-12-08 22:01 - 39178560 _____ (Atomix Productions) C:\Users\kbusl\Downloads\install_virtualdj_home_v7.4.1.exe
2013-12-08 21:59 - 2013-12-08 22:00 - 00000000 ____D C:\Users\kbusl\Documents\VirtualDJ
2013-12-08 21:59 - 2013-12-08 21:59 - 00001053 _____ C:\Users\UpdatusUser\Desktop\Virtual DJ Trial.lnk
2013-12-08 21:59 - 2013-12-08 21:59 - 00001053 _____ C:\Users\kbusl\Desktop\Virtual DJ Trial.lnk
2013-12-08 21:59 - 2013-12-08 21:59 - 00000000 ____D C:\Program Files (x86)\VirtualDJ
2013-12-01 02:43 - 2013-12-01 02:43 - 00095958 _____ C:\Users\kbusl\Documents\SOM Meeting 30.11.2013.txt
2013-11-30 08:37 - 2013-12-01 10:00 - 00028832 _____ C:\Users\kbusl\Documents\dancer service rates nov 2013.txt

==================== One Month Modified Files and Folders =======

2013-12-28 02:35 - 2013-12-28 02:35 - 00000000 ____D C:\FRST
2013-12-28 02:29 - 2012-12-05 21:38 - 00000000 ____D C:\ProgramData\NVIDIA
2013-12-28 02:29 - 2009-07-14 06:08 - 00023058 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-28 02:29 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-28 02:29 - 2009-07-14 05:51 - 00032390 _____ C:\Windows\setupact.log
2013-12-28 02:17 - 2009-07-14 05:45 - 00021888 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-28 02:17 - 2009-07-14 05:45 - 00021888 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-28 02:13 - 2012-12-05 20:27 - 01643121 _____ C:\Windows\WindowsUpdate.log
2013-12-28 01:35 - 2013-12-28 01:32 - 95025368 ____T C:\ProgramData\rwaewl.fee
2013-12-28 01:35 - 2013-03-27 16:47 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\TS3Client
2013-12-28 01:32 - 2013-12-28 01:32 - 00312320 _____ (hxxp://tortoisesvn.net) C:\ProgramData\lweawr.jss
2013-12-28 01:32 - 2013-12-28 01:32 - 00062052 ____T (Microsoft Corporation) C:\ProgramData\rwaewl.zvv
2013-12-28 01:32 - 2013-12-28 01:32 - 00000273 _____ C:\ProgramData\rwaewl.reg
2013-12-28 01:32 - 2013-12-28 01:32 - 00000000 _____ C:\ProgramData\rwaewl.odd
2013-12-28 00:43 - 2013-02-15 06:28 - 00000000 ____D C:\Users\kbusl\Desktop\teamspeak3-server_win64
2013-12-28 00:42 - 2013-09-16 16:19 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-27 23:51 - 2012-12-05 23:11 - 00003946 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{6BFDD3F4-299C-492C-B75A-0C5563E78C7C}
2013-12-27 23:07 - 2013-11-09 04:40 - 00001873 _____ C:\Users\kbusl\Desktop\Demon Slayer - Anmeldeclient.lnk
2013-12-27 22:49 - 2011-04-12 08:43 - 00653928 _____ C:\Windows\System32\perfh007.dat
2013-12-27 22:49 - 2011-04-12 08:43 - 00129800 _____ C:\Windows\System32\perfc007.dat
2013-12-27 22:49 - 2009-07-14 06:13 - 01498506 _____ C:\Windows\System32\PerfStringBackup.INI
2013-12-27 22:40 - 2013-12-27 22:40 - 00698480 _____ C:\Windows\Minidump\122713-18704-01.dmp
2013-12-27 22:40 - 2013-04-24 17:32 - 653596780 _____ C:\Windows\MEMORY.DMP
2013-12-27 22:40 - 2013-04-24 17:32 - 00000000 ____D C:\Windows\Minidump
2013-12-27 22:09 - 2013-07-11 09:50 - 00000000 ____D C:\Users\kbusl\AppData\Local\Firestorm
2013-12-26 23:50 - 2013-04-20 18:41 - 00000000 ____D C:\Users\kbusl\AppData\Local\PhoenixViewer
2013-12-25 14:25 - 2012-12-06 06:17 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\SecondLife
2013-12-23 03:06 - 2013-12-23 03:06 - 00558168 _____ C:\Windows\Minidump\122313-23712-01.dmp
2013-12-23 03:06 - 2009-07-14 05:45 - 00269032 _____ C:\Windows\System32\FNTCACHE.DAT
2013-12-22 01:16 - 2013-12-22 01:16 - 00059770 _____ C:\Users\kbusl\Documents\SOM und GM Meeting 21.12.2013.txt
2013-12-22 00:09 - 2013-10-22 04:08 - 00005156 _____ C:\Users\kbusl\Documents\paysafe code.txt
2013-12-18 23:44 - 2013-12-18 23:04 - 3192264704 _____ C:\Users\kbusl\Downloads\X15-65741.iso
2013-12-18 14:08 - 2013-12-18 14:06 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\ImgBurn
2013-12-18 13:57 - 2013-12-18 13:57 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2013-12-18 13:57 - 2013-12-18 13:08 - 00000000 ____D C:\Users\kbusl\Downloads\Acer recovery help tools
2013-12-18 13:20 - 2013-12-18 13:20 - 00000000 ____D C:\Users\kbusl\AppData\Roaming\WinRAR
2013-12-18 13:20 - 2013-12-18 13:19 - 00000000 ____D C:\Program Files\WinRAR
2013-12-18 13:12 - 2013-12-18 13:12 - 02000000 _____ C:\Users\kbusl\Downloads\bootcd.part1.rar.zip
2013-12-13 15:56 - 2013-12-13 15:56 - 07072560 _____ (ParetoLogic ) C:\Users\kbusl\Downloads\Pareto_DR_Setup_RW.exe
2013-12-13 15:52 - 2013-12-13 15:52 - 05938856 _____ (ParetoLogic, Inc.) C:\Users\kbusl\Downloads\RegCureProSetup.exe
2013-12-13 15:46 - 2012-12-05 21:20 - 00058784 _____ C:\Users\kbusl\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-13 15:42 - 2013-12-13 15:42 - 00449598 _____ C:\Users\kbusl\Downloads\keyfinder.zip
2013-12-13 15:41 - 2013-12-13 15:41 - 01200440 _____ (Magical Jelly Bean ) C:\Users\kbusl\Downloads\KeyFinderInstaller.exe
2013-12-11 14:44 - 2013-09-16 16:19 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-11 14:44 - 2012-12-05 23:12 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-11 14:44 - 2012-12-05 23:12 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-08 22:01 - 2013-12-08 22:01 - 39178560 _____ (Atomix Productions) C:\Users\kbusl\Downloads\install_virtualdj_home_v7.4.1.exe
2013-12-08 22:00 - 2013-12-08 21:59 - 00000000 ____D C:\Users\kbusl\Documents\VirtualDJ
2013-12-08 21:59 - 2013-12-08 21:59 - 00001053 _____ C:\Users\UpdatusUser\Desktop\Virtual DJ Trial.lnk
2013-12-08 21:59 - 2013-12-08 21:59 - 00001053 _____ C:\Users\kbusl\Desktop\Virtual DJ Trial.lnk
2013-12-08 21:59 - 2013-12-08 21:59 - 00000000 ____D C:\Program Files (x86)\VirtualDJ
2013-12-01 10:00 - 2013-11-30 08:37 - 00028832 _____ C:\Users\kbusl\Documents\dancer service rates nov 2013.txt
2013-12-01 02:43 - 2013-12-01 02:43 - 00095958 _____ C:\Users\kbusl\Documents\SOM Meeting 30.11.2013.txt

Files to move or delete:
====================
C:\ProgramData\rwaewl.reg

Some content of TEMP:
====================
C:\Users\kbusl\AppData\Local\Temp\CTPBSeq.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8131.39 MB
Available physical RAM: 7326.86 MB
Total Pagefile: 8129.59 MB
Available Pagefile: 7322.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:83.01 GB) (Free:28.36 GB) NTFS
Drive e: (Daten 2) (Fixed) (Total:144.62 GB) (Free:17.34 GB) NTFS
Drive f: (Daten/Musik) (Fixed) (Total:144.61 GB) (Free:118.72 GB) NTFS
Drive g: (Downloads) (Fixed) (Total:144.62 GB) (Free:134.07 GB) NTFS
Drive i: (Programme) (Fixed) (Total:200 GB) (Free:180.78 GB) NTFS
Drive j: (Daten) (Fixed) (Total:200 GB) (Free:18.59 GB) NTFS
Drive m: () (Removable) (Total:0.98 GB) (Free:0.92 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:58.59 GB) (Free:17.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 1DBE1DBD)
Partition 1: (Active) - (Size=59 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=83 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 932 GB) (Disk ID: 9A2E9A2E)
Partition 1: (Active) - (Size=49 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=434 GB) - (Type=OF Extended)

========================================================
Disk: 2 (Size: 1003 MB) (Disk ID: 4B0FE669)
Partition 1: (Not Active) - (Size=1003 MB) - (Type=06)

LastRegBack: 2013-10-21 06:06

==================== End Of Log ============================
--- --- ---

Kind regards,
gimondi
Edited by gimondi (28.12.2013 at 04:02) |
28.12.2013, 08:18 | #2 |
/// the machine /// TB instructor | Windows 7 Interpol Virus
Hi.
Please press the Windows key + R and type notepad into the Run window. Now copy the following text from the code box into the empty text document:
Code:
Startup: C:\Users\kbusl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rwaewl.lnk
ShortcutTarget: rwaewl.lnk -> C:\ProgramData\lweawr.jss (hxxp://tortoisesvn.net)
S2 Winmgmt; C:\ProgramData\rwaewl.zvv [62052 2013-12-28] (Microsoft Corporation)
2013-12-28 01:32 - 2013-12-28 01:32 - 00312320 _____ (hxxp://tortoisesvn.net) C:\ProgramData\lweawr.jss
2013-12-28 01:32 - 2013-12-28 01:32 - 00062052 ____T (Microsoft Corporation) C:\ProgramData\rwaewl.zvv
2013-12-28 01:32 - 2013-12-28 01:32 - 00000273 _____ C:\ProgramData\rwaewl.reg
2013-12-28 01:32 - 2013-12-28 01:32 - 00000000 _____ C:\ProgramData\rwaewl.odd
C:\ProgramData\rwaewl.reg
The tool creates a Fixlog.txt on your USB stick. Please post its contents here. Start the computer normally.