Win 7: Software Updater Malware?
Hi, during a routine check with TuneUp 2013 I discovered a program called "Software Updater" in the startup group whose origin is "unknown". Attempts to eliminate the entry with "Disable" or "Delete" were unsuccessful; after a few restarts the entry was back. I am unsure whether this is malware and would be grateful for your assessment and help.

Alex

Here are the log files, first FRST:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2014 04 Ran by Alex (administrator) on ALEX-NOTEBOOK on 02-02-2014 15:55:56 Running from C:\Users\Alex\Downloads\Software\malware suchen 2014 Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal The only official download link for FRST: Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ Download link from any site other than Bleeping Computer is unpermitted or outdated. See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (AMD) C:\Windows\System32\atiesrxx.exe (AMD) C:\Windows\System32\atieclxx.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe (NewTech Infosystems, Inc.) 
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe () C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe (TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe (Acer) C:\Program Files\Acer\Acer Updater\UpdaterService.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesApp64.exe (Intel Corporation) C:\Windows\System32\igfxpers.exe (Intel Corporation) C:\Windows\System32\igfxsrvc.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe () C:\Windows\PLFSetI.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe (ATI Technologies Inc.) 
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Acer Incorporated) C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (TuneUp Software) C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_11_9_900_170_ActiveX.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10081312 2010-02-22] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-02-22] (Realtek Semiconductor) HKLM\...\Run: [AmIcoSinglun64] - C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [320000 2009-04-09] (AlcorMicro Co., Ltd.) HKLM\...\Run: [ODDPwr] - C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe [222240 2010-02-05] (Acer Incorporated) HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1842472 2009-09-17] (Synaptics Incorporated) HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [206208 2010-01-13] () HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe [496160 2010-01-20] (Acer Incorporated) HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation) HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation) HKLM-x32\...\Run: [BackupManagerTray] - C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [265984 2010-01-13] (NewTech Infosystems, Inc.) 
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-01-22] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [LManager] - C:\Program Files (x86)\Launch Manager\LManager.exe [1289296 2010-02-25] (Dritek System Inc.) HKLM-x32\...\Run: [MDS_Menu] - C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.) HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-01-20] (Apple Inc.) HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-17] (Avira Operations GmbH & Co. KG) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-2078916967-566625646-1997975735-1001\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_11_9_900_170_ActiveX.exe [531336 2013-12-10] (Adobe Systems Incorporated) IFEO\acer arcade deluxe.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\acervcm.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\bttray.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\decryption.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\itunes.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\mindmanager.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\minilauncher.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\onlinehelp.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" IFEO\wmdc.exe: [Debugger] "C:\Program Files (x86)\TuneUp Utilities 2013\TUAutoReactivator64.exe" Startup: C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/ HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&m=aspire_5820tg&r=27360510t206l0473z1j5t5561k355 HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://feed.snap.do/?publisher=TubeBoxYB&dpid=TubeBoxYB&co=DE&userid=e887dc8d-e866-4afc-8b34-c0f3201e1457&searchtype=ds&q={searchTerms}&installDate=25/02/2013 HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://ixquick.de/ HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://feed.snap.do/?publisher=TubeBoxYB&dpid=TubeBoxYB&co=DE&userid=e887dc8d-e866-4afc-8b34-c0f3201e1457&searchtype=ds&q={searchTerms}&installDate=25/02/2013 SearchScopes: HKLM-x32 - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://feed.snap.do/?publisher=TubeBoxYB&dpid=TubeBoxYB&co=DE&userid=e887dc8d-e866-4afc-8b34-c0f3201e1457&searchtype=ds&q={searchTerms}&installDate=25/02/2013 SearchScopes: HKLM-x32 - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://feed.snap.do/?publisher=TubeBoxYB&dpid=TubeBoxYB&co=DE&userid=e887dc8d-e866-4afc-8b34-c0f3201e1457&searchtype=ds&q={searchTerms}&installDate=25/02/2013 SearchScopes: HKCU - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=vc_trans_8140&type=horus SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=vc_trans_8140&type=horus SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = SearchScopes: HKCU - {E7FDCA8E-4F91-4CB3-818C-92AE7507B30D} URL = 
hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=676b051f-58a8-4a96-9ded-71c877b3b9a8&apn_sauid=B057A5DF-E729-4285-B066-0E474762DE0F BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC) BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) BHO-x32: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation) BHO-x32: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files (x86)\Mindjet\MindManager 6\Mm6InternetExplorer.dll (Mindjet) BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) 
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File Toolbar: HKLM-x32 - No Name - {DFEFCDEE-CF1A-4FC8-88AD-48514E463B27} - No File Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File Toolbar: HKCU - No Name - {DFEFCDEE-CF1A-4FC8-88AD-48514E463B27} - No File Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File DPF: HKLM-x32 {3D3B42C2-11BF-4732-A304-A01384B70D68} hxxp://picasaweb.google.com/s/v/63.27/uploader2.cab DPF: HKLM-x32 {67DABFBF-D0AB-41FA-9C46-CC0F21721616} hxxp://download.divx.com/player/DivXBrowserPlugin.cab DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} 
- C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.) Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 ==================== Services (Whitelisted) ================= R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440376 2013-12-17] (Avira Operations GmbH & Co. KG) R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-28] (Avira Operations GmbH & Co. KG) R2 ePowerSvc; C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [819232 2010-01-20] (Acer Incorporated) S4 MWLService; C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe [305448 2009-09-10] (Egis Technology Inc.) S4 ODDPwrSvc; C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [171040 2010-02-05] (Acer Incorporated) R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] () S4 RS_Service; C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [253952 2009-07-10] (Acer Incorporated) S2 SystemStoreService; C:\Program Files (x86)\SoftwareUpdater\SystemStore.exe [297984 2014-02-02] () R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesService64.exe [2412344 2014-01-28] (TuneUp Software) ==================== Drivers (Whitelisted) ==================== R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-17] (Avira Operations GmbH & Co. 
KG) R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [39768 2013-02-20] (AVG Technologies) R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-17] (Avira Operations GmbH & Co. KG) R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-28] (Avira Operations GmbH & Co. KG) S3 RRNetCap; C:\Windows\System32\DRIVERS\rrnetcap.sys [37480 2011-12-20] (RapidSolution Software AG) R3 RRNetCapMP; C:\Windows\System32\DRIVERS\rrnetcap.sys [37480 2011-12-20] (RapidSolution Software AG) R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\TuneUp Utilities 2013\TuneUpUtilitiesDriver64.sys [11880 2012-09-19] (TuneUp Software) ==================== NetSvcs (Whitelisted) =================== ==================== One Month Created Files and Folders ======== 2014-02-02 15:55 - 2014-02-02 15:55 - 00000000 ____D () C:\FRST 2014-02-01 18:46 - 2014-02-01 18:46 - 02984854 _____ () C:\Users\Alex\Desktop\Autostart-Gruppe.bmp 2014-02-01 10:42 - 2014-01-28 09:35 - 00038200 _____ (TuneUp Software) C:\Windows\system32\uxtuneup.dll 2014-02-01 10:42 - 2014-01-28 09:35 - 00030520 _____ (TuneUp Software) C:\Windows\SysWOW64\uxtuneup.dll 2014-02-01 10:42 - 2014-01-28 09:35 - 00026936 _____ (TuneUp Software) C:\Windows\system32\authuitu.dll 2014-02-01 10:42 - 2014-01-28 09:35 - 00022328 _____ (TuneUp Software) C:\Windows\SysWOW64\authuitu.dll 2014-02-01 10:38 - 2014-02-01 10:38 - 00000000 ____D () C:\Intel 2014-01-25 14:59 - 2014-01-25 14:59 - 01587612 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-01-25 14:50 - 2014-01-25 14:52 - 183244764 _____ () C:\Users\Alex\Downloads\Windows6.1-KB947821-v31-x86.msu 2014-01-25 14:21 - 2014-01-25 14:57 - 00007607 _____ () C:\Users\Alex\AppData\Local\resmon.resmoncfg 2014-01-25 14:21 - 2014-01-25 14:21 - 00001787 _____ () C:\Users\Public\Desktop\iTunes.lnk 2014-01-25 14:19 - 2014-01-25 14:21 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 2014-01-25 14:19 - 2014-01-25 14:21 - 00000000 ____D () C:\Program Files\iTunes 
2014-01-25 14:19 - 2014-01-25 14:21 - 00000000 ____D () C:\Program Files (x86)\iTunes 2014-01-25 14:19 - 2014-01-25 14:19 - 00000000 ____D () C:\Program Files\iPod 2014-01-25 14:17 - 2014-01-25 14:17 - 00000000 ____D () C:\Program Files\Common Files\Apple 2014-01-25 12:45 - 2014-01-25 12:47 - 148904784 _____ (Apple Inc.) C:\Users\Alex\Downloads\iTunes64Setup.exe 2014-01-17 18:50 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys 2014-01-17 18:50 - 2013-11-27 02:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys 2014-01-17 18:50 - 2013-11-26 11:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2014-01-17 18:49 - 2013-11-26 12:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys 2014-01-07 15:52 - 2014-01-07 15:52 - 00460403 _____ () C:\Users\Alex\Downloads\NAC_Knopfdruck.pptx ==================== One Month Modified Files and Folders ======= 2014-02-02 15:55 - 2014-02-02 15:55 - 00000000 ____D () C:\FRST 2014-02-02 15:54 - 2010-05-08 08:54 - 00000000 ____D () C:\Users\Alex\Downloads\Software 2014-02-02 15:50 - 2009-07-14 05:45 - 00009696 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-02-02 15:50 - 2009-07-14 05:45 - 00009696 ____H () 
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-02-02 15:48 - 2010-03-31 23:23 - 01507880 _____ () C:\Windows\WindowsUpdate.log 2014-02-02 15:37 - 2012-04-03 18:18 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-02-02 09:39 - 2012-12-10 17:40 - 00004208 _____ () C:\Windows\System32\Tasks\Software Updater 2014-02-02 09:35 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-02-02 09:35 - 2009-07-14 05:51 - 00114834 _____ () C:\Windows\setupact.log 2014-02-01 21:21 - 2011-06-19 17:15 - 00003946 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{99CA0BA2-A106-457C-AB46-2D632D0C6B1D} 2014-02-01 20:54 - 2010-04-01 09:15 - 00699682 _____ () C:\Windows\system32\perfh007.dat 2014-02-01 20:54 - 2010-04-01 09:15 - 00149790 _____ () C:\Windows\system32\perfc007.dat 2014-02-01 20:54 - 2009-07-14 06:13 - 01620684 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-02-01 18:46 - 2014-02-01 18:46 - 02984854 _____ () C:\Users\Alex\Desktop\Autostart-Gruppe.bmp 2014-02-01 14:37 - 2010-03-03 08:12 - 01709628 _____ () C:\Windows\PFRO.log 2014-02-01 10:41 - 2012-09-30 18:16 - 00000000 ____D () C:\Program Files (x86)\TuneUp Utilities 2013 2014-02-01 10:38 - 2014-02-01 10:38 - 00000000 ____D () C:\Intel 2014-01-28 09:35 - 2014-02-01 10:42 - 00038200 _____ (TuneUp Software) C:\Windows\system32\uxtuneup.dll 2014-01-28 09:35 - 2014-02-01 10:42 - 00030520 _____ (TuneUp Software) C:\Windows\SysWOW64\uxtuneup.dll 2014-01-28 09:35 - 2014-02-01 10:42 - 00026936 _____ (TuneUp Software) C:\Windows\system32\authuitu.dll 2014-01-28 09:35 - 2014-02-01 10:42 - 00022328 _____ (TuneUp Software) C:\Windows\SysWOW64\authuitu.dll 2014-01-28 09:35 - 2012-09-30 18:18 - 00035640 _____ (TuneUp Software) C:\Windows\system32\TURegOpt.exe 2014-01-25 18:32 - 2010-05-08 15:30 - 00000000 ____D () C:\iTunes 2014-01-25 18:23 - 2010-07-26 19:29 - 00000000 ____D () C:\Windows\Minidump 2014-01-25 18:23 - 
2010-05-08 12:31 - 00000000 ____D () C:\Users\Alex\AppData\Local\Microsoft Help 2014-01-25 18:16 - 2012-10-02 18:27 - 00003708 _____ () C:\Windows\System32\Tasks\Egis technology-Online-Aktualisierungsprogramm 2014-01-25 17:59 - 2010-05-08 08:44 - 00000000 ____D () C:\Users\Alex 2014-01-25 17:58 - 2009-07-14 03:34 - 82051072 _____ () C:\Windows\system32\config\SOFTWARE_tureg_old 2014-01-25 17:58 - 2009-07-14 03:34 - 19660800 _____ () C:\Windows\system32\config\SYSTEM_tureg_old 2014-01-25 17:58 - 2009-07-14 03:34 - 00262144 _____ () C:\Windows\system32\config\SECURITY_tureg_old 2014-01-25 17:51 - 2009-07-14 03:34 - 00262144 _____ () C:\Windows\system32\config\SAM_tureg_old 2014-01-25 17:51 - 2009-07-14 03:34 - 00262144 _____ () C:\Windows\system32\config\DEFAULT_tureg_old 2014-01-25 15:24 - 2010-03-03 08:03 - 00000000 ____D () C:\Program Files (x86)\Google 2014-01-25 14:59 - 2014-01-25 14:59 - 01587612 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI 2014-01-25 14:57 - 2014-01-25 14:21 - 00007607 _____ () C:\Users\Alex\AppData\Local\resmon.resmoncfg 2014-01-25 14:52 - 2014-01-25 14:50 - 183244764 _____ () C:\Users\Alex\Downloads\Windows6.1-KB947821-v31-x86.msu 2014-01-25 14:44 - 2010-03-03 08:03 - 00000000 ____D () C:\Program Files\Google 2014-01-25 14:37 - 2010-05-08 08:53 - 00000000 ____D () C:\Users\Alex\AppData\Local\Google 2014-01-25 14:37 - 2010-03-03 08:03 - 00000000 ____D () C:\ProgramData\Google 2014-01-25 14:21 - 2014-01-25 14:21 - 00001787 _____ () C:\Users\Public\Desktop\iTunes.lnk 2014-01-25 14:21 - 2014-01-25 14:19 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 2014-01-25 14:21 - 2014-01-25 14:19 - 00000000 ____D () C:\Program Files\iTunes 2014-01-25 14:21 - 2014-01-25 14:19 - 00000000 ____D () C:\Program Files (x86)\iTunes 2014-01-25 14:19 - 2014-01-25 14:19 - 00000000 ____D () C:\Program Files\iPod 2014-01-25 14:17 - 2014-01-25 14:17 - 00000000 ____D () C:\Program Files\Common Files\Apple 2014-01-25 14:16 - 2010-05-09 07:41 - 
00000000 ____D () C:\ProgramData\Apple 2014-01-25 12:47 - 2014-01-25 12:45 - 148904784 _____ (Apple Inc.) C:\Users\Alex\Downloads\iTunes64Setup.exe 2014-01-25 11:06 - 2012-02-12 18:34 - 00000000 ___RD () C:\Program Files (x86)\Skype 2014-01-25 11:06 - 2012-02-12 18:34 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Skype 2014-01-25 11:06 - 2012-02-12 18:33 - 00000000 ____D () C:\ProgramData\Skype 2014-01-25 10:19 - 2011-04-03 13:36 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TubeBox! 2014-01-25 10:14 - 2012-10-03 16:11 - 00000000 ____D () C:\Program Files (x86)\Freetec 2014-01-18 08:10 - 2009-07-14 05:45 - 00349880 _____ () C:\Windows\system32\FNTCACHE.DAT 2014-01-18 07:52 - 2010-03-03 07:55 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-01-18 07:51 - 2013-08-17 18:02 - 00000000 ____D () C:\Windows\system32\MRT 2014-01-18 07:43 - 2010-05-09 06:45 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe 2014-01-07 15:52 - 2014-01-07 15:52 - 00460403 _____ () C:\Users\Alex\Downloads\NAC_Knopfdruck.pptx 2014-01-03 13:52 - 2010-05-24 15:46 - 00005632 _____ () C:\Users\Alex\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini Some content of TEMP: ==================== C:\Users\Alex\AppData\Local\Temp\avgnt.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit 
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-01-31 18:55 ==================== End Of Log ============================

And now GMER - by the way, it only worked on the second run; the first attempt led to a restart of the computer ...:

Code:
GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2014-02-02 17:10:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD64 rev.01.0 596,17GB Running: 1p8v58ro.exe; Driver: C:\Users\Alex\AppData\Local\Temp\kgtoapoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e91401 2 bytes JMP 000000010679a47b .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e91419 2 bytes JMP 000000010679a493 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e91431 2 bytes JMP 000000010679a4ab .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e9144a 2 bytes JMP 0000000075f5fcc4 .text ... 
* 9 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e914dd 2 bytes JMP 000000010679a557 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e914f5 2 bytes JMP 000000010679a56f .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e9150d 2 bytes JMP 000000010679a587 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e91525 2 bytes JMP 000000010679a59f .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e9153d 2 bytes JMP 000000010679a5b7 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e91555 2 bytes JMP 000000010679a5cf .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e9156d 2 bytes JMP 000000010679a5e7 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e91585 2 bytes JMP 000000010679a5ff .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e9159d 2 bytes JMP 000000010679a617 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e915b5 2 bytes JMP 000000010679a62f .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup 
Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e915cd 2 bytes JMP 000000015c37ce47 .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e916b2 2 bytes JMP 000000010679a72c .text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[1772] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e916bd 2 bytes JMP 000000010679a737 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1092:2928] 000007fef91e9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313ce5881 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313ce5881 (not active ControlSet) ---- EOF - GMER 2.1 ----