Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen

basilikum96 · 30.09.2014, 18:44

Hallo zusammen,
gestern hat es angefangen, auf meinem Laptop zu spuken. Programme öffneten sich teilweise nicht oder nur fehlerhaft und der Adobe Flash Player stürzte ständig ab.
Daraufhin habe ich meinen Laptop von AVG scannen lassen und es wurde ein laut AVG hoch gefährlicher Trojaner gefunden. Der Trojaner PSW.Generic11.CIZG. Laut AVG wurde er bereinigt, doch nach jedem Systemneustart ist er wieder aufgetaucht.

Heute habe ich mein Laptop auf Werkseinstellungen zurückgesetzt. Nach einem Windows-Update habe ich direkt AVG installiert und wieder scannen lassen. Wieder wurde der gleiche Trojaner gefunden.

Jetzt weiß ich nicht mehr weiter. Bitte helft mir, diesen Schädling loszuwerden.

Hier der AVG-Log:

Code:

ATTFilter

"Gesamten Computer scannen"
"Hoher Schweregrad";"1";"1";"0"
"Mittlerer Schweregrad";"6";"6";"0"
"Gescannte Verzeichnisse:";"Gesamten Computer scannen"
"Gestartet:";"30.09.2014, 17:46:19"
"Beendet:";"30.09.2014, 18:12:31"
"Überprüfte Elemente:";"278947"
"Gestartet von:";"Lukas"

"Name";"Beschreibung";"Status";"Status";"Priorität"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\5HEVHDN9.txt";"Tracking cookie.Serving-sys gefunden";"Gesichert";"Geheilt";"Mittel"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\AJEM1ILW.txt";"Tracking cookie.Ru4 gefunden";"Gesichert";"Geheilt";"Mittel"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\IBEJGEZ0.txt";"Tracking cookie.Revsci gefunden";"Gesichert";"Geheilt";"Mittel"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\QWR1S61A.txt";"Tracking cookie.Atdmt gefunden";"Gesichert";"Geheilt";"Mittel"
"C:\Program Files (x86)\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\data1.cab";"Trojaner: PSW.Generic11.CIZG";"Gesichert";"Geheilt";"Hoch"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\YLDQUYET.txt";"Tracking cookie.Mediaplex gefunden";"Gesichert";"Geheilt";"Mittel"
"C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Cookies\Low\0LGU00XP.txt";"Tracking cookie.Tradedoubler gefunden";"Gesichert";"Geheilt";"Mittel"

Dann habe ich noch die Scans durchgeführt, die hier im Newbie-Post aufgeführt waren:

Code:

ATTFilter

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:24 on 30/09/2014 (Lukas)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-09-2014
Ran by Lukas (administrator) on LUKASLAPTOP on 30-09-2014 19:26:06
Running from C:\Users\Lukas\Desktop
Loaded Profile: Lukas (Available profiles: Lukas)
Platform: Windows 8 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Atheros Commnucations) C:\Windows\System32\AdminService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4206.722_x64__8wekyb3d8bbwe\LiveComm.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Samsung Electronics CO., LTD.) C:\Program Files\Samsung\S Agent\CommonAgent.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3593744 2014-09-05] (AVG Technologies CZ, s.r.o.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://mysearch.avg.com?cid={1487A198-1FD3-458E-B55A-236A3C1AE66C}&mid=132bef4825b047d39d31c92ef694f2ed-49362cc87c55bdcaf775ab10b41505d2e4c3111d&lang=de&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-06 00:22:31&v=17.3.1.204&pid=safeguard&sg=0&sap=hp
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung13.msn.com
SearchScopes: HKLM - DefaultScope {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MASMJS
SearchScopes: HKLM - {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MASMJS
SearchScopes: HKLM-x32 - DefaultScope {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MASMJS
SearchScopes: HKLM-x32 - {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MASMJS
SearchScopes: HKCU - DefaultScope {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = 
SearchScopes: HKCU - {38B7222B-4B2A-4275-BD2A-70DC0BE165A6} URL = 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========

Chrome: 
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Windows\system32\AdminService.exe [208384 2012-08-29] (Atheros Commnucations)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3364368 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [293448 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [314696 2014-05-21] (Intel Corporation)
R3 KeyIso; C:\Windows\SysWOW64\keyiso.dll [43520 2012-07-26] (Microsoft Corporation)
S3 Netlogon; C:\Windows\SysWOW64\netlogon.dll [634368 2012-07-26] (Microsoft Corporation)
S3 StorSvc; C:\Windows\SysWOW64\storsvc.dll [18432 2012-07-26] (Microsoft Corporation)
R2 SWUpdateService; C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe [2878152 2012-12-21] (Samsung Electronics CO., LTD.)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [15440 2012-07-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [20496 2013-09-04] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [247576 2014-07-24] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-08-06] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [273176 2014-07-18] (AVG Technologies CZ, s.r.o.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-30 19:27 - 2014-09-30 19:27 - 00380416 _____ () C:\Users\Lukas\Desktop\Gmer-19357.exe
2014-09-30 19:26 - 2014-09-30 19:27 - 00006529 _____ () C:\Users\Lukas\Desktop\FRST.txt
2014-09-30 19:26 - 2014-09-30 19:26 - 00000000 ____D () C:\FRST
2014-09-30 19:25 - 2014-09-30 19:25 - 02108928 _____ (Farbar) C:\Users\Lukas\Desktop\FRST64.exe
2014-09-30 19:24 - 2014-09-30 19:24 - 00000472 _____ () C:\Users\Lukas\Desktop\defogger_disable.log
2014-09-30 19:24 - 2014-09-30 19:24 - 00000000 _____ () C:\Users\Lukas\defogger_reenable
2014-09-30 19:23 - 2014-09-30 19:23 - 00050477 _____ () C:\Users\Lukas\Desktop\Defogger.exe
2014-09-30 19:19 - 2014-09-30 19:19 - 00000144 _____ () C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-09-30 19:09 - 2014-09-30 19:09 - 00000451 _____ () C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2014-09-30 18:51 - 2014-09-30 18:56 - 00005200 _____ () C:\Users\Lukas\Desktop\avgrep.txt
2014-09-30 17:45 - 2014-09-30 17:45 - 00000000 ____D () C:\Program Files (x86)\Intel
2014-09-30 17:45 - 2014-09-30 17:45 - 00000000 ____D () C:\Intel
2014-09-30 17:45 - 2014-05-21 00:33 - 00064000 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.DLL
2014-09-30 17:45 - 2014-05-21 00:33 - 00060416 _____ (Khronos Group) C:\WINDOWS\SysWOW64\OpenCL.DLL
2014-09-30 17:44 - 2014-09-30 17:44 - 00000000 ____D () C:\Program Files\Intel
2014-09-30 17:43 - 2014-09-30 17:43 - 00000000 ____D () C:\Users\Lukas\AppData\Roaming\AVG2015
2014-09-30 17:42 - 2014-09-30 17:43 - 00000000 ____D () C:\ProgramData\AVG2015
2014-09-30 17:42 - 2014-09-30 17:42 - 00000991 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-09-30 17:42 - 2014-09-30 17:42 - 00000000 ___HD () C:\$AVG
2014-09-30 17:42 - 2014-09-30 17:42 - 00000000 ____D () C:\Users\Lukas\AppData\Roaming\TuneUp Software
2014-09-30 17:42 - 2014-09-30 17:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-09-30 17:42 - 2014-09-30 17:42 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-09-30 17:41 - 2014-09-30 17:46 - 00000000 ____D () C:\Users\Lukas\AppData\Local\Avg2015
2014-09-30 17:41 - 2014-09-30 17:44 - 00000000 ____D () C:\ProgramData\MFAData
2014-09-30 17:41 - 2014-09-30 17:41 - 00000000 ____D () C:\Users\Lukas\AppData\Local\MFAData
2014-09-30 17:37 - 2014-09-30 19:24 - 00003594 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2669165515-361187302-876288576-1001
2014-09-30 17:34 - 2014-09-30 17:34 - 00000000 ____D () C:\Users\Lukas\AppData\Roaming\Macromedia
2014-09-30 17:28 - 2014-05-20 04:33 - 00059416 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2014-09-30 17:28 - 2014-05-20 01:45 - 00629248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2014-09-30 17:28 - 2014-05-20 01:45 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 03286528 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 01623040 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 00773632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 00253440 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 00176640 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2014-09-30 17:28 - 2014-05-20 01:24 - 00100352 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2014-09-30 17:28 - 2014-05-15 00:43 - 00144384 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2014-09-30 17:28 - 2014-05-15 00:43 - 00040448 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2014-09-30 17:28 - 2014-05-15 00:42 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2014-09-30 17:28 - 2014-05-15 00:42 - 00035328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2014-09-30 17:28 - 2013-08-16 07:21 - 00049664 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2014-09-30 17:28 - 2013-08-16 07:21 - 00049152 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2014-09-30 17:28 - 2013-08-16 00:43 - 00020992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2014-09-30 17:28 - 2012-11-06 06:20 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaext.dll
2014-09-30 17:28 - 2012-11-06 06:00 - 00099328 _____ (Microsoft Corporation) C:\WINDOWS\system32\wushareduxresources.dll
2014-09-30 17:23 - 2014-09-30 17:23 - 00001450 _____ () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-30 17:23 - 2014-09-30 17:23 - 00000000 ____D () C:\Users\Lukas\AppData\Roaming\Adobe
2014-09-30 17:22 - 2014-09-30 19:24 - 00000000 ____D () C:\Users\Lukas
2014-09-30 17:22 - 2014-09-30 18:42 - 00000000 ____D () C:\Users\Lukas\AppData\Local\Packages
2014-09-30 17:22 - 2014-09-30 17:22 - 00000020 ___SH () C:\Users\Lukas\ntuser.ini
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Vorlagen
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Startmenü
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Netzwerkumgebung
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Lokale Einstellungen
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Eigene Dateien
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Druckumgebung
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Documents\Eigene Musik
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Documents\Eigene Bilder
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\AppData\Local\Verlauf
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\AppData\Local\Anwendungsdaten
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 _SHDL () C:\Users\Lukas\Anwendungsdaten
2014-09-30 17:22 - 2014-09-30 17:22 - 00000000 ____D () C:\Users\Lukas\AppData\Local\VirtualStore
2014-09-30 17:22 - 2012-07-26 10:13 - 00000000 ___RD () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-09-30 17:22 - 2012-07-26 10:13 - 00000000 ___RD () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-09-30 17:22 - 2012-07-26 10:13 - 00000000 ___RD () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-09-30 17:22 - 2012-07-26 10:13 - 00000000 ____D () C:\Users\Lukas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-09-30 15:46 - 2014-09-30 15:46 - 00000000 _____ () C:\Recovery.txt
2014-09-30 07:46 - 2014-09-30 07:47 - 00281088 _____ () C:\WINDOWS\system32\FNTCACHE.DAT

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-30 19:23 - 2013-01-25 21:05 - 00790022 _____ () C:\WINDOWS\system32\perfh00C.dat
2014-09-30 19:23 - 2013-01-25 21:05 - 00155084 _____ () C:\WINDOWS\system32\perfc00C.dat
2014-09-30 19:23 - 2013-01-25 20:59 - 00780976 _____ () C:\WINDOWS\system32\perfh010.dat
2014-09-30 19:23 - 2013-01-25 20:59 - 00152608 _____ () C:\WINDOWS\system32\perfc010.dat
2014-09-30 19:23 - 2013-01-25 20:54 - 00753134 _____ () C:\WINDOWS\system32\perfh007.dat
2014-09-30 19:23 - 2013-01-25 20:54 - 00155826 _____ () C:\WINDOWS\system32\perfc007.dat
2014-09-30 19:23 - 2012-07-26 09:28 - 03624158 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-09-30 19:18 - 2012-07-26 09:22 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-30 19:06 - 2012-07-26 07:26 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2014-09-30 18:44 - 2013-01-25 03:52 - 01450187 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-30 18:44 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\AUInstallAgent
2014-09-30 18:37 - 2012-07-26 09:21 - 00022226 _____ () C:\WINDOWS\setupact.log
2014-09-30 18:16 - 2012-07-26 09:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2014-09-30 18:02 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\system32\sru
2014-09-30 17:45 - 2012-07-26 07:26 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2014-09-30 17:42 - 2012-07-26 10:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP
2014-09-30 17:30 - 2012-08-05 23:07 - 00001846 _____ () C:\WINDOWS\PFRO.log
2014-09-30 17:30 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\SysWOW64\en-GB
2014-09-30 17:30 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\system32\en-GB
2014-09-30 17:22 - 2012-07-26 10:12 - 00000000 ___RD () C:\WINDOWS\ImmersiveControlPanel
2014-09-30 17:22 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\WinStore
2014-09-30 17:21 - 2012-07-26 10:12 - 00000000 ____D () C:\WINDOWS\rescache
2014-09-30 15:46 - 2012-07-26 10:13 - 00262144 _____ () C:\WINDOWS\system32\config\BCD-Template

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2012-08-05 23:07

==================== End Of Log ============================

Code:

ATTFilter

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-09-2014
Ran by Lukas at 2014-09-30 19:28:06
Running from C:\Users\Lukas\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5315 - AVG Technologies)
AVG 2015 (Version: 15.0.4158 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5315 - AVG Technologies) Hidden
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3621 - Intel Corporation)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
S Agent (Version: 1.0.9 - Samsung Electronics CO., LTD.) Hidden
SW Update (HKLM-x32\...\{F5B5BA56-8FEB-494B-84E6-C8DA9C2BEE50}) (Version: 2.1.6 - Samsung Electronics CO., LTD.)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2669165515-361187302-876288576-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points  =========================

30-09-2014 15:28:01 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 07:26 - 2012-07-26 07:26 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {1AAFF332-5C62-4558-9991-DAA649C4C9C5} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {23A5D8BE-9196-40EB-BD89-794398B2B073} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {59ED68AC-CE6F-4B61-BE58-F596EDEDC4DE} - System32\Tasks\SAgent => C:\Program Files\Samsung\S Agent\CommonAgent.exe [2012-10-25] (Samsung Electronics CO., LTD.)
Task: {A72208BF-7A49-4FB8-B684-252375F3443A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {AB96B97B-39C2-46A2-876A-EEB6AE199033} - System32\Tasks\Microsoft\Windows\Servicing\StartComponentCleanup => C:\WINDOWS\system32\dism.exe [2012-07-26] (Microsoft Corporation)
Task: {C6A88F2D-53D2-4805-9D69-443738A1847C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {EBF06DEC-4228-4813-AC0C-62821AE4E330} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {F8E9F306-F34A-402E-A5B7-FB560F72E779} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup => Rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask

==================== Loaded Modules (whitelisted) =============

2012-07-26 09:55 - 2012-07-26 09:53 - 00170864 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4206.722_x64__8wekyb3d8bbwe\ModernShared\ErrorReporting\ErrorReporting.dll

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-2669165515-361187302-876288576-500 - Administrator - Disabled)
Gast (S-1-5-21-2669165515-361187302-876288576-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2669165515-361187302-876288576-1003 - Limited - Enabled)
Lukas (S-1-5-21-2669165515-361187302-876288576-1001 - Administrator - Enabled) => C:\Users\Lukas

==================== Faulty Device Manager Devices =============

Name: AMD Radeon HD 7600M Series (Microsoft Corporation - WDDM v1.20)
Description: AMD Radeon HD 7600M Series (Microsoft Corporation - WDDM v1.20)
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: Advanced Micro Devices, Inc.
Service: amdkmdap
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 

Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/30/2014 05:46:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm Explorer.EXE, Version 6.2.9200.16426 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: bc4

Startzeit: 01cfdcc3b20c3bdf

Endzeit: 31

Anwendungspfad: C:\WINDOWS\Explorer.EXE

Berichts-ID: daff954e-48b8-11e4-be6d-1867b0701b1e

Vollständiger Name des fehlerhaften Pakets: 

Anwendungs-ID, die relativ zum fehlerhaften Paket ist:


System errors:
=============
Error: (09/30/2014 07:17:44 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (09/30/2014 07:15:14 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (09/30/2014 07:15:09 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084WSearchNicht verfügbar{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/30/2014 07:15:09 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084WSearchNicht verfügbar{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/30/2014 07:15:09 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084WSearchNicht verfügbar{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/30/2014 07:15:09 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084WSearchNicht verfügbar{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (09/30/2014 07:15:07 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1084ShellHWDetectionNicht verfügbar{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (09/30/2014 07:15:07 PM) (Source: DCOM) (EventID: 10005) (User: LUKASLAPTOP)
Description: 1068netprofmNicht verfügbar{A47979D2-C419-11D9-A5B4-001185AD2B89}

Error: (09/30/2014 07:15:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Der Dienst "Netzwerklistendienst" ist vom Dienst "NLA (Network Location Awareness)" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: 
%%1068

Error: (09/30/2014 07:15:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Der Dienst "NLA (Network Location Awareness)" ist vom Dienst "DHCP-Client" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde: 
%%1068


Microsoft Office Sessions:
=========================
Error: (09/30/2014 05:46:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Explorer.EXE6.2.9200.16426bc401cfdcc3b20c3bdf31C:\WINDOWS\Explorer.EXEdaff954e-48b8-11e4-be6d-1867b0701b1e


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 19%
Total physical RAM: 8083.39 MB
Available physical RAM: 6544.55 MB
Total Pagefile: 12691.4 MB
Available Pagefile: 11104.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.78 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:901.91 GB) (Free:868.93 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: C774ED6C)

Partition: GPT Partition Type.

==================== End Of Log ============================

Code:

ATTFilter

GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-09-30 19:31:52
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000003a ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\Lukas\AppData\Local\Temp\kwlyrpow.sys


---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [516:660]  fffff9600062e5e8

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                    unknown MBR code

---- EOF - GMER 2.1 ----

Ich hoffe dies sind alle Infortmationen, die ihr braucht. Falls ihr noch Fragen habt, immer her damit!

Danke für eure Hilfe!

schrauber · 30.09.2014, 19:10

Hi,

da werden nur Cookies gefunden. Einfach mal die Temps leeren mit CCleaner oder so.

basilikum96 · 30.09.2014, 20:17

Hi schrauber,

ich spreche von folgender Zeile im AVG log:

Code:

ATTFilter

"C:\Program Files (x86)\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\data1.cab";"Trojaner: PSW.Generic11.CIZG";"Gesichert";"Geheilt";"Hoch"

Oder handelt es sich hierbei auch um einen Cookie?

schrauber · 01.10.2014, 12:34

Nö.Das ding mal bitte bei www.virustotal.com scannen lassen.

basilikum96 · 01.10.2014, 17:54

Die Datei data1.cab existiert nicht mehr. Allerdings gibt es noch eine Datei data2.cab in dem Ordner.
Mit AVG habe ich nochmal das komplette System gescannt, aber keine Funde mehr entdeckt.

Ist mein Laptop damit sauber? Oder sollte ich lieber noch Scans mit anderer Software durchführen, um sicher zu gehen?

schrauber · 02.10.2014, 11:25

Kontrollscan, aber ich denke das waren Fehlalarme.

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

basilikum96 · 02.10.2014, 15:34

Super, da scheint ja nichts mehr da zu sein. Merkwürdig.

Hier der Log:

Code:

ATTFilter

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=4cb66bfad8ad004e9731fb32399f46ce
# engine=20403
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-10-02 01:55:20
# local_time=2014-10-02 03:55:20 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.2.9200 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 22113 37139413 0 0
# scanned=395823
# found=0
# cleaned=0
# scan_time=4650

Vielen Dank für deine Hilfe, schrauber!

schrauber · 03.10.2014, 11:19

Gern Geschehen

30.09.2014, 19:10	#2
schrauber /// the machine /// TB-Ausbilder	Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen Hi, da werden nur Cookies gefunden. Einfach mal die Temps leeren mit CCleaner oder so. __________________ __________________

01.10.2014, 12:34	#4
schrauber /// the machine /// TB-Ausbilder	Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen Nö.Das ding mal bitte bei www.virustotal.com scannen lassen. __________________ gruß, schrauber *Proud Member of UNITE and ASAP since 2009* Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM!

03.10.2014, 11:19	#8
schrauber /// the machine /// TB-Ausbilder	Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen Gern Geschehen __________________ gruß, schrauber *Proud Member of UNITE and ASAP since 2009* Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM!

Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen

Log-Analyse und Auswertung: Windows 8: Trojaner PSW.Generic11.CIZG gefunden, lässt sich nicht entfernen