Hello,
the Interpol/Paysafe Trojan is/was on my brother-in-law's notebook. The one that always overlaid everything after startup and immediately shut Safe Mode down again.
Here is the FRST log:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-05-2014 02
Ran by SYSTEM on MININT-PBQUULO on 29-05-2014 18:11:04
Running from K:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IntelPAN] => "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [PSQLLauncher] => "C:\Program Files\Protector Suite\launcher.exe" /startup
HKLM\...\Run: [SynTPEnh] => %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-04-14] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Dolby Home Theater v4] => "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
HKLM-x32\...\Run: [CLMLServer] => "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
HKLM-x32\...\Run: [Adobe ARM] => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM-x32\...\Run: [Nike+ Connect] => C:\Program Files (x86)\Nike\Nike+ Connect\Nike+ Connect daemon.exe [70656 2013-05-03] (Nike)
HKLM-x32\...\Run: [Memeo Instant Backup] => C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
HKLM-x32\...\Run: [avgnt] => "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
HKLM-x32\...\Run: [APSDaemon] => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
HKLM-x32\...\Run: [iTunesHelper] => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\psfus: C:\Program Files\Protector Suite\psqlpwd.dll [X]
HKU\Default\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default\...\RunOnce: [Screensaver] - C:\Windows\Web\Wallpaper\MEDION\start.vbs
HKU\Default User\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\RunOnce: [Screensaver] - C:\Windows\Web\Wallpaper\MEDION\start.vbs
HKU\raffi\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKU\raffi\...\Run: [AmazonMP3DownloaderHelper] => C:\Users\raffi\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [397632 2013-05-02] ()
HKU\raffi\...\Run: [Spotify Web Helper] => C:\Users\raffi\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1105408 2013-06-02] (Spotify Ltd)
HKU\raffi\...\Run: [MyTomTomSA.exe] => C:\Program Files (x86)\MyTomTom 3\MyTomTomSA.exe [455608 2013-05-23] (TomTom)
HKU\raffi\...\Run: [Nike+ Connect] => C:\Users\raffi\AppData\Local\Nike\Nike+ Connect\Nike+ Connect daemon.exe [70656 2013-11-01] (Nike)
HKU\UpdatusUser\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\UpdatusUser\...\RunOnce: [Screensaver] - C:\Windows\Web\Wallpaper\MEDION\start.vbs
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [247144 2012-10-08] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [202600 2012-10-08] (NVIDIA Corporation)
Lsa: [Notification Packages] scecli C:\Program Files\Protector Suite\psqlpwd.dll
==================== Services (Whitelisted) =================
S2 ASLDRService; C:\Program Files (x86)\PHotkey\ASLDRSrv.exe [104968 2009-12-18] ()
S2 GFNEXSrv; C:\Program Files (x86)\PHotkey\GFNEXSrv.exe [159752 2010-10-06] ()
S2 watchmi; C:\Program Files (x86)\watchmi\TvdService.exe [62464 2010-12-06] ()
S2 Winmgmt; C:\ProgramData\jlolf2x.zvv [331504 2014-03-04] (Microsoft Corporation)
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
S2 AMPPALR3; C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [X]
S4 AntiVirWebService; "C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE" [X]
S2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
S2 Bluetooth Device Monitor; "C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe" [X]
S3 Bluetooth Media Service; "C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe" [X]
S2 Bluetooth OBEX Service; "C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe" [X]
S2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [X]
S2 BTHSSecurityMgr; "C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe" [X]
S2 cvhsvc; "C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE" [X]
S2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [X]
S3 FLEXnet Licensing Service 64; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe" [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
S2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe" [X]
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [X]
S2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [X]
S2 MemeoBackgroundService; C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [X]
S2 mitsijm2012; "C:\Program Files\Autodesk\Inventor 2012\Moldflow\bin\mitsijm.exe" [X]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [X]
S3 ose; "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [X]
S3 osppsvc; "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [X]
S2 PSI_SVC_2; "c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe" [X]
S2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [X]
S2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [X]
S2 sftlist; "C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe" [X]
S3 sftvsa; "C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe" [X]
S2 UNS; "C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe" [X]
S2 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]
S4 wlcrasvc; "C:\Program Files\Windows Live\Mesh\wlcrasvc.exe" [X]
S2 wlidsvc; "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [X]
S2 WMPNetworkSvc; "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" [X]
==================== Drivers (Whitelisted) ====================
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-19] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-19] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-19] (Avira Operations GmbH & Co. KG)
S2 PEGAGFN; C:\Program Files (x86)\PHotkey\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [19936 2011-05-06] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [13280 2011-05-06] ()
S3 RSUSBVSTOR; System32\Drivers\RTSUVSTOR.sys [X]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-05-29 17:31 - 2014-05-29 18:11 - 00000000 ____D () C:\FRST
2014-05-29 07:52 - 2014-05-29 07:49 - 01327971 _____ () C:\Users\raffi\Desktop\adwcleaner_3.211.exe
2014-05-29 07:52 - 2014-04-05 22:36 - 01016261 _____ (Thisisu) C:\Users\raffi\Desktop\JRT.exe
2014-05-29 07:03 - 2014-05-29 07:03 - 00000000 ____D () C:\Users\raffi\AppData\Local\{0E0A91CC-3820-4982-923B-BC4A07CEA82D}
2014-05-29 06:42 - 2014-05-29 06:42 - 00000000 ____D () C:\Users\raffi\AppData\Local\{91CCD8B4-B6F9-4276-8637-ED12C845BC73}
==================== One Month Modified Files and Folders =======
2014-05-29 18:11 - 2014-05-29 17:31 - 00000000 ____D () C:\FRST
2014-05-29 08:08 - 2009-07-13 20:45 - 00016752 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-29 08:08 - 2009-07-13 20:45 - 00016752 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-29 08:04 - 2011-07-18 07:35 - 01368774 _____ () C:\Windows\WindowsUpdate.log
2014-05-29 08:00 - 2011-06-24 06:55 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-05-29 08:00 - 2009-07-13 21:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-05-29 08:00 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-29 08:00 - 2009-07-13 20:51 - 00096999 _____ () C:\Windows\setupact.log
2014-05-29 07:49 - 2014-05-29 07:52 - 01327971 _____ () C:\Users\raffi\Desktop\adwcleaner_3.211.exe
2014-05-29 07:13 - 2014-02-28 01:05 - 95027928 ____T () C:\ProgramData\jlolf2x.fee
2014-05-29 07:03 - 2014-05-29 07:03 - 00000000 ____D () C:\Users\raffi\AppData\Local\{0E0A91CC-3820-4982-923B-BC4A07CEA82D}
2014-05-29 06:58 - 2011-07-18 07:38 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-29 06:42 - 2014-05-29 06:42 - 00000000 ____D () C:\Users\raffi\AppData\Local\{91CCD8B4-B6F9-4276-8637-ED12C845BC73}
2014-05-29 06:29 - 2013-08-11 12:07 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-29 06:28 - 2011-06-19 04:08 - 90655440 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-05-29 06:16 - 2011-07-18 07:38 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-29 06:16 - 2011-07-18 07:38 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-29 06:11 - 2011-07-18 07:38 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-29 06:08 - 2014-01-07 14:32 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
Files to move or delete:
====================
C:\ProgramData\jlolf2x.fee
C:\ProgramData\jlolf2x.zvv
Some content of TEMP:
====================
C:\Users\raffi\AppData\Local\Temp\AcDeltree.exe
C:\Users\raffi\AppData\Local\Temp\AskSLib.dll
C:\Users\raffi\AppData\Local\Temp\avgnt.exe
C:\Users\raffi\AppData\Local\Temp\FileSystemView.dll
C:\Users\raffi\AppData\Local\Temp\temp0NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\temp1NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\temp2NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\temp3NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\temp4NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\temp5NikeConnectconnect5pcupdate.exe
C:\Users\raffi\AppData\Local\Temp\~+JF9895112564184488.dll
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2014-02-15 01:52:03
Restore point made on: 2014-02-18 01:37:56
Restore point made on: 2014-02-28 01:12:16
Restore point made on: 2014-03-02 10:53:50
Restore point made on: 2014-03-02 22:38:05
Restore point made on: 2014-03-03 07:32:27
Restore point made on: 2014-03-04 13:52:14
Restore point made on: 2014-03-09 12:28:58
Restore point made on: 2014-03-15 22:17:48
Restore point made on: 2014-03-19 22:20:50
Restore point made on: 2014-03-20 23:40:25
Restore point made on: 2014-03-29 03:30:33
Restore point made on: 2014-04-07 23:37:51
Restore point made on: 2014-04-12 04:57:06
Restore point made on: 2014-05-29 06:28:12
==================== Memory info ===========================
Percentage of memory in use: 12%
Total physical RAM: 6055.05 MB
Available physical RAM: 5314.72 MB
Total Pagefile: 6053.25 MB
Available Pagefile: 5294.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
==================== Drives ================================
Drive c: (Boot) (Fixed) (Total:559.88 GB) (Free:483.07 GB) NTFS
Drive d: (XP) (Fixed) (Total:97.65 GB) (Free:81.17 GB) NTFS
Drive e: (Recover) (Fixed) (Total:37.99 GB) (Free:14.75 GB) NTFS
Drive k: (MUEHLE_02) (Removable) (Total:3.73 GB) (Free:3.58 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 2BD2C32A)
Partition 1: (Active) - (Size=101 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=560 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=138 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=1 GB) - (Type=02)
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 00000000)
Partition: GPT Partition Type.
LastRegBack: 2014-01-05 09:57
==================== End Of Log ============================
I have already written and run this Fixlist.txt:
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-05-2014 02
Ran by SYSTEM at 2014-05-29 17:39:48 Run:1
Running from L:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
C:\Users\raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jlolf2x.lnk
C:\ProgramData\x2flolj.cpp
*****************
C:\Users\raffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jlolf2x.lnk => Moved successfully.
C:\ProgramData\x2flolj.cpp => Moved successfully.
==== End of Fixlog ====
as well as
Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-05-2014 02
Ran by SYSTEM at 2014-05-29 18:17:44 Run:2
Running from K:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
Start
C:\ProgramData\jlolf2x.fee
C:\ProgramData\jlolf2x.zvv
End
*****************
C:\ProgramData\jlolf2x.fee => Moved successfully.
C:\ProgramData\jlolf2x.zvv => Moved successfully.
==== End of Fixlog ====
After that the notebook did boot without the Interpol screen appearing, but now no programs can be launched. They are not found at their previous shortcut locations.
I have already copied
- adwcleaner_3.211.exe
- JRT.exe
to the notebook's desktop, but they do not start.
When I try right-click "Run as administrator", I get the error message that the exe was not found at that location.

HEEEEEEELLLLLP
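An added example, written by the editor and not part of the post or of FRST, showing how a helper reads the Services section of a log like the one above: it parses each service line and flags entries whose binary sits outside the Windows or Program Files directories or carries a non-executable extension, which is exactly what makes the Winmgmt line pointing at C:\ProgramData\jlolf2x.zvv stand out. The sample lines are copied from the log in this post; the parsing functions, the trusted-prefix list and the reason strings are assumptions of this example, not FRST's documented format.

```python
import re

# Constructed sample: four service lines copied from the FRST log in the post.
# Only the Winmgmt entry should be flagged.
SAMPLE_LOG = r"""
S2 watchmi; C:\Program Files (x86)\watchmi\TvdService.exe [62464 2010-12-06] ()
S2 Winmgmt; C:\ProgramData\jlolf2x.zvv [331504 2014-03-04] (Microsoft Corporation)
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
S2 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]
"""

# Directories a service binary normally lives in (assumption; lower-cased,
# backslash-terminated so "c:\programdata\" does not match "c:\program files\").
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "%programfiles%\\",
    "%programfiles(x86)%\\",
    "%systemroot%\\",
)
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".sys")

# Line shape assumed here: "S2 Name; <path and args> [size date | X] (Company)"
_LINE_RE = re.compile(r"^([SRU]\d)\s+([^;]+);\s*(.*)$")
_COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")
_BRACKET_RE = re.compile(r"\[([^\]]*)\]\s*$")


def parse_service_line(line):
    """Parse one FRST service line into a dict, or return None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    start_type, name, rest = m.groups()
    # Trailing "(Company)" comes from the file's version resource (easily forged).
    company = ""
    cm = _COMPANY_RE.search(rest)
    if cm:
        company = cm.group(1).strip()
        rest = rest[: cm.start()].rstrip()
    # Trailing "[size date]" or "[X]" (FRST could not read the file).
    file_info = ""
    bm = _BRACKET_RE.search(rest)
    if bm:
        file_info = bm.group(1).strip()
        rest = rest[: bm.start()].rstrip()
    # Quoted path: keep what is between the quotes and drop any arguments after it.
    if rest.startswith('"'):
        path = rest[1:].split('"', 1)[0]
    else:
        path = rest.strip()
    return {"start": start_type, "name": name.strip(), "path": path,
            "file_info": file_info, "company": company}


def flag_reasons(entry):
    """Return the reasons an entry deserves an analyst's attention (empty = none)."""
    reasons = []
    low = entry["path"].lower()
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside Windows/Program Files: " + entry["path"])
    if not low.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("unusual extension for a service binary")
    return reasons


def triage(log_text):
    """Return flagged entries as (name, path, reasons) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = flag_reasons(entry)
        if reasons:
            findings.append((entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {path}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only Winmgmt is reported, with both reasons. The "(Microsoft Corporation)" label on that line is no reassurance: FRST takes it from the file's own version information, which the file's author controls, so the path is the field to trust.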