Log analysis and evaluation: GVU Trojan with webcam and locked Safe Mode (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
GVU Trojan with webcam and locked Safe Mode

Hello, I have my father-in-law's computer here. Unfortunately he has landed himself the GVU Trojan with the webcam and a locked Safe Mode. After reading up here in the forum, I have already run the frst.exe scan. Now it would be time to get down to business, and of course I don't know what should be removed, how, or where. Attached is the FRST.txt

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2014 01
Ran by SYSTEM on MININT-T5HHOS8 on 01-11-2014 09:38:59
Running from I:\
Platform: Windows 7 Home Premium (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001

ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-22] (IDT, Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-10-21] (Hewlett-Packard)
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\Ralf\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-08-20] (Hewlett-Packard Company)
HKU\Ralf\...\Run: [] => [X]
HKU\Ralf\...\Run: [NokiaOviSuite2] => C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe [385928 2010-02-24] (Nokia)
HKU\Ralf\...\Run: [KB0522070] => C:\Users\Ralf\AppData\Local\Microsoft\KB0522070\KB0522070.exe [87081 2014-03-23] ()
HKU\Ralf\...\Run: [Google Update] => C:\Users\Ralf\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-05-25] (Google Inc.)
HKU\Ralf\...\Run: [GoogleChromeAutoLaunch_41A14711F994142C0CBF0BA254561EA4] => C:\Users\Ralf\AppData\Local\Google\Chrome\Application\chrome.exe [854344 2014-10-22] (Google Inc.)
HKU\Ralf\...\Policies\system: [DisableLockWorkstation] 0
HKU\Ralf\...\Policies\system: [DisableChangePassword] 0
HKU\Ralf\...\Policies\Explorer: [NoLogoff] 0
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Other.exe ()
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\892A6F33.cpp ()

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [267440 2014-09-24] (Adobe Systems Incorporated)
S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-09-19] (APN LLC.)
S4 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [138576 2010-03-18] (Microsoft Corporation)
S3 Com4QLBEx; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [227896 2010-02-25] (Hewlett-Packard Development Company, L.P.)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [42840 2009-06-10] (Microsoft Corporation)
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [255040 2014-08-25] (WildTangent)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [203344 2014-04-24] (WildTangent, Inc.)
S2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company)
S3 hpqwmiex; C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe [1129760 2013-05-13] (Hewlett-Packard Company)
S3 idsvc; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [856384 2009-06-10] (Microsoft Corporation)
S2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-08-20] (Hewlett-Packard Company)
S3 Microsoft SharePoint Workspace Audit Service; C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [30814400 2013-12-19] (Microsoft Corporation)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [114144 2012-09-06] (Mozilla Foundation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe [116560 2009-06-10] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [149352 2010-01-09] (Microsoft Corporation)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S3 ServiceLayer; C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe [652800 2010-01-26] (Nokia)
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-22] (IDT, Inc.)
S2 Winmgmt; C:\ProgramData\33F6A298.dot [330752 2014-10-29] ()
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1146880 2009-06-10] (LSI Corp)
S0 amd_sata; C:\Windows\System32\DRIVERS\amd_sata.sys [73856 2010-05-14] (Advanced Micro Devices)
S0 amd_xata; C:\Windows\System32\DRIVERS\amd_xata.sys [28800 2010-05-14] (Advanced Micro Devices)
S3 athr; C:\Windows\System32\DRIVERS\athrx.sys [3678720 2012-06-20] (Qualcomm Atheros Communications, Inc.)
S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbda.sys [468480 2009-06-10] (Broadcom Corporation)
S3 b57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [270848 2009-06-10] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [6108416 2009-06-10] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-14] (Microsoft Corporation)
S3 netw5v64; C:\Windows\System32\DRIVERS\netw5v64.sys [5434368 2009-06-10] (Intel Corporation)
S3 nmwcdcx64; C:\Windows\System32\drivers\ccdcmbox64.sys [25088 2009-12-30] (Nokia)
S3 nmwcdx64; C:\Windows\System32\drivers\ccdcmbx64.sys [18944 2010-01-21] (Nokia)
S3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfdx64.sys [25600 2008-08-28] (Nokia)
S3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIVX.sys [253728 2010-05-24] (Realtek Semiconductor Corp.)
S3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [406120 2010-10-07] (Realtek )
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [868848 2010-12-03] (Duplex Secure Ltd.)
S3 SrvHsfHDA; C:\Windows\System32\DRIVERS\VSTAZL6.SYS [292864 2009-06-10] (Conexant Systems, Inc.)
S3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1485312 2009-06-10] (Conexant Systems, Inc.)
S3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [740864 2009-06-10] (Conexant Systems, Inc.)
S3 STHDA; C:\Windows\System32\DRIVERS\stwrt64.sys [487936 2009-07-22] (IDT, Inc.)
S3 TuneUpUtilitiesDrv; C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesDriver64.sys [14112 2013-08-21] (TuneUp Software)
S3 upperdev; C:\Windows\System32\DRIVERS\usbser_lowerfltx64.sys [8704 2009-12-30] (Nokia)
S3 UsbserFilt; C:\Windows\System32\DRIVERS\usbser_lowerfltx64j.sys [8704 2009-12-30] (Nokia)
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [389120 2009-06-10] (Marvell)
S4 eabfiltr; No ImagePath
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-01 09:38 - 2014-11-01 09:38 - 00000000 ____D () C:\FRST
2014-10-29 19:34 - 2014-10-29 19:34 - 00513536 _____ () C:\ProgramData\892A6F33.cpp
2014-10-29 19:34 - 2014-10-29 19:34 - 00330752 ____T () C:\ProgramData\33F6A298.dot
2014-10-16 20:20 - 2014-10-10 02:53 - 00504320 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-10-16 20:20 - 2014-10-10 02:53 - 00276480 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
2014-10-16 20:20 - 2014-10-10 02:47 - 00424448 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-10-16 20:19 - 2014-09-15 01:44 - 03195392 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-10-02 15:00 - 2014-10-02 15:00 - 00000000 ____D () C:\ProgramData\BlueStacks
2014-10-02 14:59 - 2014-10-02 14:59 - 00002460 ____N () C:\Users\Public\Desktop\WildTangent Games App - wildgames.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-01 08:44 - 2010-02-22 01:36 - 01475631 _____ () C:\Windows\WindowsUpdate.log
2014-11-01 08:44 - 2009-07-14 05:45 - 00023024 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-01 08:44 - 2009-07-14 05:45 - 00023024 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-01 08:38 - 2013-10-13 09:37 - 00000000 ___RD () C:\Users\Ralf\Dropbox
2014-11-01 08:38 - 2013-10-13 09:34 - 00000000 ____D () C:\Users\Ralf\AppData\Roaming\Dropbox
2014-11-01 08:35 - 2010-12-04 11:15 - 00116068 _____ () C:\Windows\setupact.log
2014-10-29 19:29 - 2009-07-14 06:13 - 01512418 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-27 20:31 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-10-27 19:04 - 2012-07-13 18:26 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-10-17 11:54 - 2009-07-14 05:45 - 00438528 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-10-17 11:53 - 2014-07-09 09:35 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-10-16 21:11 - 2009-11-14 17:25 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-16 20:39 - 2013-08-15 12:31 - 00000000 ____D () C:\Windows\System32\MRT
2014-10-16 20:39 - 2010-04-18 09:52 - 103265616 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-10-02 14:59 - 2010-06-20 16:11 - 00000000 ____D () C:\Users\Ralf\AppData\Local\CrashDumps
2014-10-02 14:53 - 2010-04-12 14:36 - 00278152 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3782227498-3432252520-3792568420-1001\$ae0a85b15068a0722aa050324de7d390

Files to move or delete:
====================
C:\ProgramData\7962224.bat
C:\ProgramData\7962224.pad
C:\ProgramData\7962224.reg
C:\ProgramData\go_0molg.pad
C:\Users\Ralf\AppData\Roaming\skype.ini

Some content of TEMP:
====================
C:\Users\Ralf\AppData\Local\Temp\2SKKKKKKK.exe
C:\Users\Ralf\AppData\Local\Temp\avgnt.exe
C:\Users\Ralf\AppData\Local\Temp\BackupSetup.exe
C:\Users\Ralf\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppu4nvg.dll
C:\Users\Ralf\AppData\Local\Temp\NOSEventMessages.dll
C:\Users\Ralf\AppData\Local\Temp\sp62291.exe
C:\Users\Ralf\AppData\Local\Temp\sp64126.exe
C:\Users\Ralf\AppData\Local\Temp\TUUUninstallHelper.exe
C:\Users\Ralf\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Ralf\AppData\Local\Temp\uxx.dll

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2011-04-28 18:59] - [2011-02-26 07:23] - 2870272 ____A (Microsoft Corporation) 0862495E0C825893DB75EF44FAEA8E93
C:\Windows\System32\winlogon.exe
[2010-04-13 17:20] - [2009-10-28 07:24] - 0389632 ____A (Microsoft Corporation) DA3E2A6FA9660CC75B471530CE88453A
C:\Windows\System32\wininit.exe
[2009-07-14 00:52] - [2009-07-14 02:39] - 0129024 ____A (Microsoft Corporation) 94355C28C1970635A31B3FE52EB7CEBA
C:\Windows\System32\svchost.exe
[2009-07-14 00:31] - [2009-07-14 02:39] - 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D
C:\Windows\System32\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\User32.dll
[2009-07-14 00:38] - [2009-07-14 02:41] - 1008640 ____A (Microsoft Corporation) 72D7B3EA16946E8F0CF7458150031CC6
C:\Windows\System32\userinit.exe
[2009-07-14 00:50] - [2009-07-14 02:39] - 0030208 ____A (Microsoft Corporation) 6F8F1376A13114CC10C0E69274F5A4DE
C:\Windows\System32\rpcss.dll
[2009-07-14 01:00] - [2009-07-14 02:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-14 19:34] - [2012-09-06 18:38] - 0295792 ____A (Microsoft Corporation) 9E425AC5C9A5A973273D169F43B4F5E1

==================== Restore Points =========================

Restore point made on: 2014-09-22 15:58:48
Restore point made on: 2014-09-24 08:26:27
Restore point made on: 2014-10-02 07:53:36
Restore point made on: 2014-10-02 07:56:14
Restore point made on: 2014-10-06 18:53:12
Restore point made on: 2014-10-07 17:07:50
Restore point made on: 2014-10-11 08:14:01
Restore point made on: 2014-10-13 18:07:56
Restore point made on: 2014-10-14 17:26:03
Restore point made on: 2014-10-16 20:39:41
Restore point made on: 2014-10-19 18:00:25
Restore point made on: 2014-10-22 10:29:51
Restore point made on: 2014-10-27 18:30:11
Restore point made on: 2014-10-29 13:31:44

==================== Memory info ===========================

Percentage of memory in use: 13%
Total physical RAM: 4092.2 MB
Available physical RAM: 3521.61 MB
Total Pagefile: 4090.48 MB
Available Pagefile: 3537.28 MB
Total Virtual: 2047.88 MB
Available Virtual: 1943.66 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:238.99 GB) (Free:168.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:13.46 GB) (Free:1.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive f: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Daten) (Fixed) (Total:213.01 GB) (Free:147.39 GB) NTFS
Drive h: (GRMCHPFRER_DE_DVD) (CDROM) (Total:2.29 GB) (Free:0 GB) UDF
Drive i: () (Removable) (Total:1.87 GB) (Free:1.62 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 041DF713)
Partition 1: (Not Active) - (Size=993 KB) - (Type=42)
Partition 2: (Active) - (Size=199 MB) - (Type=42)
Partition 3: (Not Active) - (Size=239 GB) - (Type=42)
Partition 4: (Not Active) - (Size=226.6 GB) - (Type=42)

========================================================
Disk: 1 (Size: 1.9 GB) (Disk ID: 9FA41C1E)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=06)

LastRegBack: 2014-10-26 12:46

==================== End Of Log ============================
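The posted log shows the pattern that makes a GVU lockscreen infection recognisable from FRST output alone: autostart targets dropped into C:\ProgramData and the user's AppData with an empty publisher field `()`, executables hiding behind non-executable extensions (`33F6A298.dot`, `892A6F33.cpp`), a Run value named like a Microsoft hotfix (`KB0522070`), a bare `Other.exe` sitting directly in the Startup folder, and the Winmgmt service, which on Windows 7 is hosted by `%SystemRoot%\system32\svchost.exe -k netsvcs`, redirected to `C:\ProgramData\33F6A298.dot`. The Python script below is an added example for this thread, not code from the original post, from the forum helpers, or from the FRST tool: it parses the Registry, Services and Startup entries of an FRST.txt and scores every autostart entry by how many of those indicators it trips. The regexes, the indicator heuristics, the `SVCHOST_HOSTED` list and the function names (`triage`, `read_log`) are the example's own assumptions; the sample input is a constructed excerpt of the log posted above.

```python
"""Score FRST autostart entries (Registry Run keys, services, Startup folder)."""
import ntpath
import re
import sys
from dataclasses import dataclass, field

# Entry shapes as FRST prints them. The trailing "[size date]" block and the
# "(publisher)" field are optional; "[X]" marks a target FRST could not find.
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Run(?:Once)?: "
                    r"\[(?P<name>[^\]]*)\] => (?P<path>.+?)"
                    r"(?: \[\d+ [\d-]+\])?(?: \((?P<pub>[^)]*)\))?$")
SERVICE_RE = re.compile(r"^[SR][0-4] (?P<name>[^;]+); (?P<path>.+?)"
                        r"(?: \[\d+ [\d-]+\])?(?: \((?P<pub>[^)]*)\))?(?: \[X\])?$")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?)"
                        r"(?: \[\d+ [\d-]+\])?(?: \((?P<pub>[^)]*)\))?$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<path>.+?)"
                         r"(?: \((?P<pub>[^)]*)\))?$")

USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ocx"}
# Assumption of this example: services Windows 7 hosts inside System32\svchost.exe
# (Winmgmt's real ImagePath is %SystemRoot%\system32\svchost.exe -k netsvcs).
SVCHOST_HOSTED = {"winmgmt"}
MISSING = {"[X]", "(No File)", "No ImagePath"}
HOTFIX_NAME = re.compile(r"^KB\d{6,7}$", re.I)


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _name_reasons(name):
    if name == "":
        return ["blank Run value name"]
    if HOTFIX_NAME.match(name):
        return ["Run value name mimics a Microsoft hotfix (KBnnnnnn)"]
    return []


def _path_reasons(kind, path, pub):
    reasons, low = [], path.lower()
    # The Startup folder always lives under AppData, so location says nothing there.
    if kind != "startup" and any(m in low for m in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    ext = ntpath.splitext(low)[1]
    if kind == "startup" and ext != ".lnk":
        reasons.append("file dropped directly into the Startup folder instead of a shortcut")
    elif kind != "startup" and ext not in EXEC_EXTS:
        reasons.append(f"non-executable extension {ext or '(none)'} used as a launch target")
    if pub == "":  # FRST printed "()" : no company name in the file's version info
        reasons.append("empty publisher field ()")
    return reasons


def _service_reasons(name, path):
    hosted_ok = ntpath.basename(path).lower() == "svchost.exe" and "\\system32\\" in path.lower()
    if name.lower() in SVCHOST_HOSTED and not hosted_ok:
        return [f"svchost-hosted service {name} redirected to {path}"]
    return []


def triage(log_text):
    """Return a Finding for every autostart entry that trips an indicator, most hits first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            kind, name = "run", m["name"]
        elif m := SERVICE_RE.match(line):
            kind, name = "service", m["name"]
        elif m := STARTUP_RE.match(line):
            kind, name = "startup", ntpath.basename(m["path"])
        elif m := SHORTCUT_RE.match(line):
            kind, name = "shortcut", m["name"]
        else:
            continue
        path, pub = m["path"], m["pub"]
        reasons = _name_reasons(name) if kind == "run" else []
        if path not in MISSING and not line.endswith("[X]"):  # dangling entries: cleanup, not triage
            reasons += _path_reasons(kind, path, pub)
            if kind == "service":
                reasons += _service_reasons(name, path)
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return sorted(findings, key=lambda f: -len(f.reasons))


def read_log(path):
    data = open(path, "rb").read()  # FRST logs may carry a BOM; pick the encoding from it
    return data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig",
                       errors="replace")


# Constructed test input: an excerpt of the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKU\Ralf\...\Run: [] => [X]
HKU\Ralf\...\Run: [KB0522070] => C:\Users\Ralf\AppData\Local\Microsoft\KB0522070\KB0522070.exe [87081 2014-03-23] ()
HKU\Ralf\...\Run: [Google Update] => C:\Users\Ralf\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-05-25] (Google Inc.)
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Other.exe ()
Startup: C:\Users\Ralf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\892A6F33.cpp ()
S3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [267440 2014-09-24] (Adobe Systems Incorporated)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 Winmgmt; C:\ProgramData\33F6A298.dot [330752 2014-10-29] ()
S2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [X]
"""

if __name__ == "__main__":
    text = read_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{len(f.reasons)}] {f.kind:8} {f.name or '(blank)'} -> {f.path}")
        for r in f.reasons:
            print("      -", r)
```

Run it with a saved log as the only argument, or without arguments to score the excerpt. On the excerpt, `Winmgmt` tops the list with four hits and `KB0522070` and the `program.lnk` target with three, which is exactly the set a fixlist for this machine would have to cover; `Google Update` (one hit, only because it runs from AppData) and `RichVideo` (one hit, only the missing company name) show why a single indicator is a prompt to verify the file, not a verdict. The script deliberately ignores entries FRST already marks as `[X]` or `(No File)`: a dangling Run value or shortcut is cleanup, not an active persistence mechanism.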