Windows Vista 64-bit: suspected virus infection
Hello M-K-D-B, as I briefly mentioned via PM, I once again suspect an infection. For some people the slide rule was probably the better invention after all... The computer has become noticeably slower, there are frequent error messages, and also frequent ads in forums and blogs. Many thanks in advance! Below is the information so far:

defogger:

```text
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 15:00 on 12/08/2014 (David)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-
```

Code:
```text
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-08-2014 01
Ran by David (administrator) on DAVID-PC on 12-08-2014 15:02:51
Running from C:\Users\David\Downloads
Platform: Windows Vista (TM) Home Premium Service Pack 2 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATIGGE.EXE
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Windows\SysWOW64\conime.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11465832 2010-09-14] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-2918414357-155064948-848676807-1000\...\Run: [EPSON SX125 Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGGE.EXE [224768 2009-09-14] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2918414357-155064948-848676807-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-2918414357-155064948-848676807-1000\...\Run: [WMPNSCFG] => C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.uwz.de/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 - DefaultScope value is missing.
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1

FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\rr55d08t.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: ProxTube - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\rr55d08t.default\Extensions\{2541D29A-DB9E-4c1e-949A-31EFB4AEF4E7}.xpi [2014-07-28]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-11-06]

Chrome:
=======
CHR HomePage:

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S3 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1229528 2013-12-06] (Secunia)
R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [662232 2013-12-06] (Secunia)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-12-06] (Secunia)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-12 15:02 - 2014-08-12 15:02 - 00007793 _____ () C:\Users\David\Downloads\FRST.txt
2014-08-12 15:01 - 2014-08-12 15:01 - 02099712 _____ (Farbar) C:\Users\David\Downloads\FRST64.exe
2014-08-12 15:00 - 2014-08-12 15:00 - 00000472 _____ () C:\Users\David\Desktop\defogger_disable.log
2014-08-12 14:58 - 2014-08-12 14:58 - 00000000 _____ () C:\Users\David\defogger_reenable
2014-08-12 14:55 - 2014-08-12 14:55 - 00050477 _____ () C:\Users\David\Downloads\Defogger.exe
2014-08-01 18:30 - 2014-08-10 17:25 - 00042481 _____ () C:\Users\David\Desktop\PlanspielTauberExtrem.ods
2014-07-30 00:34 - 2014-07-30 00:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-07-28 13:58 - 2014-07-28 13:58 - 00028931 _____ () C:\Users\David\Documents\alex2.odt
2014-07-26 15:09 - 2014-07-28 10:30 - 00033505 _____ () C:\Users\David\Documents\alex 1.odt
2014-07-22 15:47 - 2014-07-22 15:47 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-07-20 14:57 - 2014-07-20 14:57 - 00013655 _____ () C:\Users\David\Documents\Scanner.odt
2014-07-17 15:18 - 2014-07-17 15:18 - 00013376 _____ () C:\Users\David\Documents\Unbenannt 1.odt
2014-07-15 11:16 - 2014-08-11 18:44 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-15 11:15 - 2014-07-15 11:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-15 11:15 - 2014-07-15 11:15 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-15 11:15 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-15 11:15 - 2014-05-12 07:26 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-12 15:03 - 2014-08-12 15:02 - 00007793 _____ () C:\Users\David\Downloads\FRST.txt
2014-08-12 15:02 - 2014-05-04 09:52 - 00000000 ____D () C:\FRST
2014-08-12 15:02 - 2013-11-06 21:36 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-12 15:01 - 2014-08-12 15:01 - 02099712 _____ (Farbar) C:\Users\David\Downloads\FRST64.exe
2014-08-12 15:01 - 2006-11-02 17:22 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-12 15:01 - 2006-11-02 17:22 - 00003712 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-12 15:00 - 2014-08-12 15:00 - 00000472 _____ () C:\Users\David\Desktop\defogger_disable.log
2014-08-12 14:58 - 2014-08-12 14:58 - 00000000 _____ () C:\Users\David\defogger_reenable
2014-08-12 14:58 - 2008-01-01 15:24 - 00000000 ____D () C:\Users\David
2014-08-12 14:55 - 2014-08-12 14:55 - 00050477 _____ () C:\Users\David\Downloads\Defogger.exe
2014-08-12 13:27 - 2008-01-21 03:53 - 01664428 _____ () C:\Windows\WindowsUpdate.log
2014-08-12 13:22 - 2006-11-02 17:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-12 10:40 - 2006-11-02 17:42 - 00032554 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-08-11 18:44 - 2014-07-15 11:16 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-10 20:29 - 2013-12-09 21:16 - 00000000 ____D () C:\Users\David\AppData\Local\Paint.NET
2014-08-10 17:25 - 2014-08-01 18:30 - 00042481 _____ () C:\Users\David\Desktop\PlanspielTauberExtrem.ods
2014-08-09 21:45 - 2013-11-11 20:37 - 00000000 ____D () C:\Users\David\AppData\Roaming\vlc
2014-08-08 11:19 - 2008-01-21 13:10 - 01661466 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-08 11:19 - 2008-01-21 13:09 - 00709380 _____ () C:\Windows\system32\perfh007.dat
2014-08-08 11:19 - 2008-01-21 13:09 - 00161112 _____ () C:\Windows\system32\perfc007.dat
2014-08-07 15:00 - 2014-01-02 15:21 - 00034688 _____ () C:\Users\David\Desktop\ÜFD.ods
2014-07-31 22:22 - 2014-07-10 00:22 - 00059960 _____ () C:\Users\David\Desktop\planspielfneu.ods
2014-07-31 17:23 - 2013-11-08 18:13 - 00087552 _____ () C:\Users\David\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-30 19:52 - 2013-11-06 21:22 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-07-30 00:34 - 2014-07-30 00:34 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-07-28 13:58 - 2014-07-28 13:58 - 00028931 _____ () C:\Users\David\Documents\alex2.odt
2014-07-28 10:30 - 2014-07-26 15:09 - 00033505 _____ () C:\Users\David\Documents\alex 1.odt
2014-07-22 15:47 - 2014-07-22 15:47 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-07-20 14:57 - 2014-07-20 14:57 - 00013655 _____ () C:\Users\David\Documents\Scanner.odt
2014-07-19 19:12 - 2014-06-08 19:25 - 00015390 _____ () C:\Users\David\Desktop\Höchste gemessene Temperaturen seit 2007.odt
2014-07-17 15:18 - 2014-07-17 15:18 - 00013376 _____ () C:\Users\David\Documents\Unbenannt 1.odt
2014-07-15 23:00 - 2014-05-07 12:13 - 00000000 ____D () C:\ProgramData\Origin
2014-07-15 20:39 - 2014-05-07 12:13 - 00000000 ____D () C:\Program Files (x86)\Origin
2014-07-15 13:54 - 2013-10-30 14:05 - 00000000 ____D () C:\Users\David\Documents\Lesestoff
2014-07-15 11:16 - 2013-11-08 17:05 - 00000000 ____D () C:\Users\David\AppData\Roaming\Malwarebytes
2014-07-15 11:15 - 2014-07-15 11:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-07-15 11:15 - 2014-07-15 11:15 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-07-15 11:15 - 2013-11-08 17:05 - 00000941 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-07-15 11:15 - 2013-11-08 17:05 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-15 11:15 - 2013-11-08 17:05 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

Some content of TEMP:
====================
C:\Users\David\AppData\Local\Temp\78335uninstall.exe
C:\Users\David\AppData\Local\Temp\avgnt.exe
C:\Users\David\AppData\Local\Temp\ose00000.exe
C:\Users\David\AppData\Local\Temp\ose00001.exe
C:\Users\David\AppData\Local\Temp\Quarantine.exe
C:\Users\David\AppData\Local\Temp\Sqlite3.dll
C:\Users\David\AppData\Local\Temp\VIS_DE-2013-12-13.exe
C:\Users\David\AppData\Local\Temp\vlc-2.1.1-win64.exe
C:\Users\David\AppData\Local\Temp\vlc-2.1.2-win64.exe
C:\Users\David\AppData\Local\Temp\vlc-2.1.3-win64.exe
C:\Users\David\AppData\Local\Temp\vlc-2.1.4-win64.exe
C:\Users\David\AppData\Local\Temp\_is6E59.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-08-12 13:28

==================== End Of Log ============================
```

Error message, it doesn't run! Malwarebytes:

```text
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 12.08.2014
Suchlauf-Zeit: 15:20:10
Logdatei: maleware.txt
Administrator: Ja

Version: 2.00.2.1012
Malware Datenbank: v2014.08.12.04
Rootkit Datenbank: v2014.08.04.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Self-protection: Deaktiviert

Betriebssystem: Windows Vista Service Pack 2
CPU: x64
Dateisystem: NTFS
Benutzer: David

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 285291
Verstrichene Zeit: 10 Min, 24 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristics: Aktiviert
PUP: Warnen
PUM: Aktiviert

Prozesse: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registrierungsschlüssel: 0
(No malicious items detected)

Registrierungswerte: 0
(No malicious items detected)

Registrierungsdaten: 0
(No malicious items detected)

Ordner: 0
(No malicious items detected)

Dateien: 0
(No malicious items detected)

Physische Sektoren: 0
(No malicious items detected)

(end)
```