Log analysis and evaluation: TR/Coinminer.J on Win 8.1 cannot be removed
#1
TR/Coinminer.J on Win 8.1 cannot be removed

It does get blocked and moved to quarantine, and it can also be deleted from there, but it keeps reappearing after every restart. In safe mode it stays undetected. With the LAN disabled, no Antivir warning appears.

GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-05-20 13:22:51
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000003e Samsung_SSD_840_EVO_250GB rev.EXT0BB6Q 232,89GB
Running: Gmer-19357.exe; Driver: C:\Users\caroline\AppData\Local\Temp\ufldapow.sys

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [620:644]  fffff960008a12d0
Thread  C:\Windows\system32\csrss.exe [620:668]  fffff960008a12d0
Thread  C:\Windows\SYSTEM32\ntdll.dll [6796:6800]  0000000000fa98ce
Thread  C:\Windows\SYSTEM32\ntdll.dll [6796:6940]  000000006e1bc1f0
Thread  C:\Windows\SYSTEM32\ntdll.dll [6796:6944]  0000000069048bce
Thread  C:\Windows\SYSTEM32\ntdll.dll [6796:7044]  0000000074f93730

---- Processes - GMER 2.1 ----

Library  C:\Program Files (x86)\InstallShield Installation Information\{1DF11DAD-D427-4E1D-ABB6-04CB881EBE06}\CloudAPI\CloudAPI.dll (*** suspicious ***) @ C:\Program Files (x86)\ASUS\AI Suite III\Wi-Fi GO!\AssistTools\WiFi GO! Server.exe [2024](2014-05-23 15:26:51)  0000000072680000
Library  c:\users\caroline\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpzpstiy.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128](2015-05-20 11:03:43)  0000000004e10000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:24)  000000006bdb0000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (ICU I18N DLL/The ICU Project)(2015-03-04 21:45:30)  000000004a900000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (ICU Common DLL/The ICU Project)(2015-03-04 21:45:30)  00000000057d0000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (ICU Data DLL/The ICU Project)(2015-03-04 21:45:30)  000000004ad00000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28)  000000006b990000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  000000006b6a0000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128](2015-03-04 21:45:30)  000000006b540000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  000000006ad70000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  0000000069ce0000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  0000000069a50000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  0000000069790000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  0000000069760000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128](2015-03-04 21:45:30)  0000000069750000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:28)  0000000069720000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  00000000696e0000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2015-03-04 21:45:26)  0000000069690000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128](2015-03-04 21:45:30)  0000000069560000
Library  C:\Users\caroline\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\caroline\AppData\Roaming\Dropbox\bin\Dropbox.exe [6128](2015-03-04 21:45:30)  0000000069520000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xDA 0xC2 0xA9 0xC3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x47 0x9D 0xB6 0x15 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@de-DE  211
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime  0xC3 0x76 0xAF 0x15 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM027FHS4Q100902_02_07D8_6F+SAM0526H9MSA10422_2B_07D9_DB^03C6031D226EF25C7EE6A78682685AEA@Timestamp  0xEE 0x47 0x6D 0xC4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  688
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9AD7C94A-46E9-4BCF-8017-85A203117B5E}\Connection@Name  isatap.home
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1960756080
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  363f32bb-64e8-4f52-b6c8-6fe0d37
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{ca30dae5-5db4-4187-a2d5-787bec7975d2}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_A2DP\Parameters@SrcHandle-High  -16384
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_A2DP\Parameters@SrcHandle-Low  1760870608
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_A2DP\Parameters@SnkHandle-High  -16384
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_A2DP\Parameters@SnkHandle-Low  1559609360
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Tg-High  -16384
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Tg-Low  1760758592
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Ctrl-High  -16384
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Ctrl-Low  1652292224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a64508c30
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a64508c30@7c1e520ada4c  0x6F 0x52 0xD7 0x7C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a64508c30@fc58fa16089e  0x33 0x3E 0xEF 0x54 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{11289462-0d6d-4f0e-87bf-97efb12c8253}@LastProbeTime  1432123231
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9AD7C94A-46E9-4BCF-8017-85A203117B5E}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9AD7C94A-46E9-4BCF-8017-85A203117B5E}@DefunctTimestamp  0xF3 0x1C 0x5C 0x55 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  11062
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2650
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  212
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B55366C0-9976-4DBE-9CC8-2003689175C5}@LeaseObtainedTime  1432116015
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B55366C0-9976-4DBE-9CC8-2003689175C5}@T1  1432159215
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B55366C0-9976-4DBE-9CC8-2003689175C5}@T2  1432191615
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B55366C0-9976-4DBE-9CC8-2003689175C5}@LeaseTerminatesTime  1432202415
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter  570
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count  2721
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Blocked  2721
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count  2721
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8856F961-340A-11D0-A96B-00C04FD705A2}\iexplore@Count  22
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count  1896
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count  2721
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh  0x79 0x64 0xC6 0xB9 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x03 0x09 0x9F 0xD2 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x03 0x09 0x9F 0xD2 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter  39226
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x03 0x09 0x9F 0xD2 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  39226
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x03 0x09 0x9F 0xD2 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0x30 0x73 0x95 0xB6 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63567710207333%3bID%3dBE50F3BAF4ABDDF9!120%3bLR%3d63567712831463%3bEP%3d4%3bSO%3d0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xEC 0x91 0xDF 0x4C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  6
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime  0xEB 0x8F 0xDC 0xD3 ...
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_DipAwayMode.exe_c95df8bf6b3c1b0b48fdf69f812982ba341bbf0_c7722fa0_1ab0954a

---- EOF - GMER 2.1 ----

Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlauf Datum: 18.05.2015
Suchlauf-Zeit: 21:02:08
Logdatei: malware.txt
Administrator: Ja

Version: 2.01.6.1022
Malware Datenbank: v2015.03.09.05
Rootkit Datenbank: v2015.02.25.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 8.1
CPU: x64
Dateisystem: NTFS
Benutzer: caroline

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 353101
Verstrichene Zeit: 6 Min, 37 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente gefunden)

Module: 0
(Keine schädliche Elemente gefunden)

Registrierungsschlüssel: 2
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-2499066365-3350258436-517844590-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, , [12675ae9c1c964d2c8536cb0e61d23dd],
PUP.Optional.SearchProtect.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, , [12675ae9c1c964d2c8536cb0e61d23dd],

Registrierungswerte: 0
(Keine schädliche Elemente gefunden)

Registrierungsdaten: 0
(Keine schädliche Elemente gefunden)

Ordner: 0
(Keine schädliche Elemente gefunden)

Dateien: 0
(Keine schädliche Elemente gefunden)

Physische Sektoren: 0
(Keine schädliche Elemente gefunden)

(end)