Hallo zusammen,

versuche soeben ein Gerät, Windows 8.1, von einem Virus / Trojaner zu befreien.
Wenn ich das Gerät starte erscheint die Meldung "Kennwort für Systemstart" in einer Windows 98 Optik.

Habe bisher mit autoruns alles was komisch aussah gelöscht, das hat aber nichts gebracht.

Das FRST Tool sagt folgendes :
FRST Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-06-2015
Ran by SYSTEM on MINWINPC on 26-06-2015 11:45:53
Running from F:\
Platform: Windows 8.1 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-05] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Run: [MailTab] => C:\Program Files (x86)\FIPLAB Ltd\MailTab for Gmail\MailTabWin.exe [2734080 2012-10-09] ()
HKU\Stefan\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\Stefan\...\Run: [DelayShred] => c:\Program Files\McAfee\MQS\ShrCL.exe [101272 2015-04-08] (McAfee, Inc.)
HKU\Stefan\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1938624 2014-10-21] (Valve Corporation)
HKU\Stefan\...\Run: [Device Smart Session Net.Tcp] => C:\sxeracq\nadintj.exe
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2015-03-30]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-07-09]
ShortcutTarget: Dropbox.lnk -> C:\Users\Default\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 0099681433230856mcinstcleanup; C:\WINDOWS\TEMP\009968~1.EXE [883024 2015-05-04] (McAfee, Inc.)
S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [81088 2014-12-19] (Adobe Systems Incorporated)
S3 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [268464 2015-06-23] (Adobe Systems Incorporated)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [279000 2013-11-04] (Intel Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [43696 2013-08-03] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [635104 2012-04-20] (Intel(R) Corporation)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193576 2012-07-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [277824 2012-07-17] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-06-04] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McSchedulerSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [119408 2015-05-20] (Mozilla Foundation)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S2 NAUpdate; C:\Program Files (x86)\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-08-10] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [150600 2013-06-01] (Microsoft Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [21504 2013-08-22] (Microsoft Corporation)
S3 PrintNotify; C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll [2899968 2014-08-16] (Microsoft Corporation)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 ScDeviceEnum; C:\Windows\System32\ScDeviceEnum.dll [131072 2014-10-29] (Microsoft Corporation)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [833728 2014-10-21] (Valve Corporation)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [53384 2012-08-23] (TOSHIBA Corporation)
S2 TNSSVC; C:\Program Files\Toshiba\LANDriver\TNSSVC.exe [40944 2012-09-07] ()
S3 TOSHIBA Bluetooth Service; C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [179608 2014-11-01] (TOSHIBA CORPORATION)
S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\Teco\TecoService.exe [291240 2012-08-25] (TOSHIBA Corporation)
S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [458152 2012-07-28] (TOSHIBA Corporation)
S2 UNS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [365376 2012-07-17] (Intel Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 WEPHOSTSVC; C:\Windows\system32\wephostsvc.dll [26112 2014-10-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 workfolderssvc; C:\Windows\system32\workfolderssvc.dll [1668096 2014-10-29] (Microsoft Corporation)
S4 wuauserv; C:\Windows\system32\wuaueng.dll [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)
S2 CouponarificService64; C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5\xtloowpkjv64.exe [X]
S2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
S2 sarconsogulpe; C:\Program Files\sarconsogulpe\sarconsogulpe.exe run options=00001009990000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 b06bdrv; C:\Windows\System32\drivers\bxvbda.sys [531296 2013-08-22] (Broadcom Corporation)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [33280 2014-02-22] (Microsoft Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 e1cexpress; C:\Windows\system32\DRIVERS\e1c64x64.sys [468752 2014-09-26] (Intel Corporation)
S3 e1iexpress; C:\Windows\system32\DRIVERS\e1i63x64.sys [460288 2013-06-18] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 iaLPSSi_GPIO; C:\Windows\System32\drivers\iaLPSSi_GPIO.sys [24568 2013-07-30] (Intel Corporation)
S3 iaLPSSi_I2C; C:\Windows\System32\drivers\iaLPSSi_I2C.sys [99320 2013-07-25] (Intel Corporation)
S0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [645952 2012-07-31] (Intel Corporation)
S3 igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [4195840 2013-11-04] (Intel Corporation)
S3 intaud_WaveExtensible; C:\Windows\system32\drivers\intelaud.sys [39320 2013-10-17] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\system32\drivers\RTKVHD64.sys [3242896 2012-12-10] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [43800 2012-07-20] (Intel Corporation)
S3 iwdbus; C:\Windows\System32\drivers\iwdbus.sys [27032 2013-10-17] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [21248 2013-08-22] (Microsoft Corporation)
S3 MEIx64; C:\Windows\System32\drivers\HECIx64.sys [62784 2012-07-03] (Intel Corporation)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [41168 2014-11-19] (NetFilterSDK.com)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 ReFS; C:\Windows\System32\Drivers\ReFS.sys [921920 2014-10-15] (Microsoft Corporation)
S3 risdxc; C:\Windows\System32\drivers\risdxc64.sys [106496 2013-07-30] (REDC)
S3 silabenm; C:\Windows\system32\DRIVERS\silabenm.sys [27336 2013-11-25] (Silicon Laboratories)
S3 silabser; C:\Windows\system32\DRIVERS\silabser.sys [73216 2013-11-25] (Silicon Laboratories)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [33168 2013-11-01] (Windows (R) Win 7 DDK provider)
S0 tos_sps64; C:\Windows\System32\drivers\tos_sps64.sys [499096 2012-06-18] (TOSHIBA Corporation)
S2 TVALZFL; C:\Windows\system32\DRIVERS\TVALZFL.sys [16768 2012-07-22] (TOSHIBA Corporation)
S3 vpci; C:\Windows\System32\drivers\vpci.sys [69952 2014-10-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S0 Wof; C:\Windows\System32\Drivers\Wof.sys [157016 2014-03-13] (Microsoft Corporation)
S3 WUDFSensorLP; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188384 2012-08-10] (Windows (R) Win 7 DDK provider)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-26 11:45 - 2015-06-26 11:45 - 00000000 ____D C:\FRST
2015-06-25 13:08 - 2015-06-25 17:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-06-17 08:35 - 2015-06-17 08:35 - 00088576 _____ C:\Users\Stefan\Downloads\68239.zip
2015-06-07 16:58 - 2013-09-23 12:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2015-06-02 12:29 - 2015-06-02 12:29 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\TeamViewer
2015-06-02 12:28 - 2015-06-02 12:29 - 02234136 _____ C:\Users\Stefan\Downloads\TeamViewer_Cliente.exe
2015-06-02 08:36 - 2015-06-02 08:36 - 04203552 _____ C:\Windows\binaries_burst6y.zip
2015-06-02 08:36 - 2015-05-30 23:52 - 00000000 ____D C:\Windows\binaries_burst6y
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com.zip
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com (1).zip
2015-05-28 09:07 - 2015-05-28 09:07 - 00059190 _____ C:\Users\Stefan\Downloads\RundkursRuhrgebiet.zip
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-24 21:12 - 2013-09-29 20:04 - 00097354 _____ C:\Windows\PFRO.log
2015-06-24 21:12 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-06-24 21:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-24 09:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\Microsoft.NET
2015-06-24 08:59 - 2013-11-12 09:45 - 01572895 _____ C:\Windows\WindowsUpdate.log
2015-06-24 08:32 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\ELAM
2015-06-23 20:45 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\SysWOW64
2015-06-23 13:54 - 2013-09-30 05:14 - 01776918 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-23 13:52 - 2013-08-22 15:46 - 00348429 _____ C:\Windows\setupact.log
2015-06-23 12:17 - 2013-08-30 09:54 - 00000000 ____D C:\05_Jennmar
2015-06-23 06:01 - 2014-01-17 18:24 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-18 10:52 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\FxsTmp
2015-06-16 10:58 - 2014-07-09 19:52 - 00000000 ___RD C:\Users\Stefan\Dropbox
2015-06-16 10:58 - 2014-07-09 19:51 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Dropbox
2015-06-16 10:46 - 2013-11-12 09:53 - 00000000 ___DO C:\Users\Stefan\SkyDrive
2015-06-08 11:34 - 2015-05-11 11:38 - 00000000 ___HD C:\sxeracq
2015-06-07 16:58 - 2013-02-02 09:11 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-07 16:57 - 2015-05-15 10:16 - 00000000 ___HD C:\lxiktqcagqa4b
2015-06-07 16:57 - 2012-07-26 09:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-06-07 16:48 - 2015-05-15 10:16 - 00000000 ____D C:\Windows\lxiktqcagqa4b
2015-06-06 12:21 - 2015-05-11 21:06 - 00000000 ___HD C:\recyclebin
2015-06-02 13:56 - 2014-02-13 20:34 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 12:54 - 2013-08-22 14:36 - 00000000 ___RD C:\Program Files (x86)
2015-05-27 12:22 - 2015-01-14 18:24 - 00000000 ____D C:\Users\Stefan\Documents\WISO Konto Online
 
Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\APNSetup.exe
C:\Users\Stefan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpulbzlk.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Stefan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\nsf7BDD.exe
C:\Users\Stefan\AppData\Local\Temp\nsn8266.exe
C:\Users\Stefan\AppData\Local\Temp\nsn9949.exe
C:\Users\Stefan\AppData\Local\Temp\nst2C11.exe
C:\Users\Stefan\AppData\Local\Temp\nsu8804.exe
C:\Users\Stefan\AppData\Local\Temp\nsv3142.exe
C:\Users\Stefan\AppData\Local\Temp\nsy3710.exe
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Stefan\AppData\Local\Temp\unrar.dll
C:\Users\Stefan\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Stefan\AppData\Local\Temp\wusetup.exE
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88
 
C:\Windows\System32\winlogon.exe
[2014-12-17 19:43] - [2014-10-29 02:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437
 
C:\Windows\System32\wininit.exe
[2014-12-17 19:42] - [2014-10-29 02:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380
 
C:\Windows\System32\svchost.exe
[2014-12-17 19:42] - [2014-10-29 05:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47
 
C:\Windows\System32\services.exe
[2014-12-17 19:43] - [2014-10-29 04:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91
 
C:\Windows\System32\User32.dll
[2014-12-17 19:43] - [2014-10-29 05:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5
 
C:\Windows\System32\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F
 
C:\Windows\System32\rpcss.dll
[2014-12-17 19:43] - [2014-10-29 02:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00
 
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2014-09-15 06:57] - [2014-06-19 03:13] - 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB
 
 
==================== Restore Points =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 29%
Total physical RAM: 3232.17 MB
Available physical RAM: 2286.69 MB
Total Pagefile: 3230.45 MB
Available Pagefile: 2314.16 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.4 MB
 
==================== Drives ================================
 
Drive c: (Speicher I) (Fixed) (Total:219.15 GB) (Free:10.84 GB) NTFS
Drive d: (System) (Fixed) (Total:0.44 GB) (Free:0.12 GB) NTFS
Drive f: (_STICK) (Removable) (Total:29.81 GB) (Free:6.67 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.08 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 1 (Size: 29.8 GB) (Disk ID: 8C014770)
Partition 1: (Active) - (Size=29.8 GB) - (Type=0C)
 
 
LastRegBack: 2015-06-22 09:11
 
==================== End of log ============================
         

--- --- ---



Für Tipps wäre ich dankbar.

Grüße


Nachtrag :

...davor habe ich die Platte mit der Kaspersky Rescue Disk bearbeitet, gefunden wurde ein Trojaner und 2 Malware Einträge, die wurden durch die Disk gelöscht

Hi,

bitte nochmal scannen, Haken bei BCD setzen.

Hier mit dem gesetzten "List BCD"
FRST Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-06-2015
Ran by SYSTEM on MINWINPC on 26-06-2015 13:53:55
Running from C:\
Platform: Windows 8.1 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-05] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Run: [MailTab] => C:\Program Files (x86)\FIPLAB Ltd\MailTab for Gmail\MailTabWin.exe [2734080 2012-10-09] ()
HKU\Stefan\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\Stefan\...\Run: [DelayShred] => c:\Program Files\McAfee\MQS\ShrCL.exe [101272 2015-04-08] (McAfee, Inc.)
HKU\Stefan\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1938624 2014-10-21] (Valve Corporation)
HKU\Stefan\...\Run: [Device Smart Session Net.Tcp] => C:\sxeracq\nadintj.exe
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2015-03-30]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-07-09]
ShortcutTarget: Dropbox.lnk -> C:\Users\Default\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0099681433230856mcinstcleanup; C:\WINDOWS\TEMP\009968~1.EXE [883024 2015-05-04] (McAfee, Inc.)
S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [81088 2014-12-19] (Adobe Systems Incorporated)
S3 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [268464 2015-06-23] (Adobe Systems Incorporated)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [279000 2013-11-04] (Intel Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [43696 2013-08-03] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [635104 2012-04-20] (Intel(R) Corporation)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193576 2012-07-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [277824 2012-07-17] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-06-04] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McSchedulerSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [119408 2015-05-20] (Mozilla Foundation)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S2 NAUpdate; C:\Program Files (x86)\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-08-10] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [150600 2013-06-01] (Microsoft Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [21504 2013-08-22] (Microsoft Corporation)
S3 PrintNotify; C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll [2899968 2014-08-16] (Microsoft Corporation)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 ScDeviceEnum; C:\Windows\System32\ScDeviceEnum.dll [131072 2014-10-29] (Microsoft Corporation)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [833728 2014-10-21] (Valve Corporation)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [53384 2012-08-23] (TOSHIBA Corporation)
S2 TNSSVC; C:\Program Files\Toshiba\LANDriver\TNSSVC.exe [40944 2012-09-07] ()
S3 TOSHIBA Bluetooth Service; C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [179608 2014-11-01] (TOSHIBA CORPORATION)
S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\Teco\TecoService.exe [291240 2012-08-25] (TOSHIBA Corporation)
S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [458152 2012-07-28] (TOSHIBA Corporation)
S2 UNS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [365376 2012-07-17] (Intel Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 WEPHOSTSVC; C:\Windows\system32\wephostsvc.dll [26112 2014-10-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 workfolderssvc; C:\Windows\system32\workfolderssvc.dll [1668096 2014-10-29] (Microsoft Corporation)
S4 wuauserv; C:\Windows\system32\wuaueng.dll [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)
S2 CouponarificService64; C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5\xtloowpkjv64.exe [X]
S2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
S2 sarconsogulpe; C:\Program Files\sarconsogulpe\sarconsogulpe.exe run options=00001009990000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 b06bdrv; C:\Windows\System32\drivers\bxvbda.sys [531296 2013-08-22] (Broadcom Corporation)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [33280 2014-02-22] (Microsoft Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 e1cexpress; C:\Windows\system32\DRIVERS\e1c64x64.sys [468752 2014-09-26] (Intel Corporation)
S3 e1iexpress; C:\Windows\system32\DRIVERS\e1i63x64.sys [460288 2013-06-18] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 iaLPSSi_GPIO; C:\Windows\System32\drivers\iaLPSSi_GPIO.sys [24568 2013-07-30] (Intel Corporation)
S3 iaLPSSi_I2C; C:\Windows\System32\drivers\iaLPSSi_I2C.sys [99320 2013-07-25] (Intel Corporation)
S0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [645952 2012-07-31] (Intel Corporation)
S3 igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [4195840 2013-11-04] (Intel Corporation)
S3 intaud_WaveExtensible; C:\Windows\system32\drivers\intelaud.sys [39320 2013-10-17] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\system32\drivers\RTKVHD64.sys [3242896 2012-12-10] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [43800 2012-07-20] (Intel Corporation)
S3 iwdbus; C:\Windows\System32\drivers\iwdbus.sys [27032 2013-10-17] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [21248 2013-08-22] (Microsoft Corporation)
S3 MEIx64; C:\Windows\System32\drivers\HECIx64.sys [62784 2012-07-03] (Intel Corporation)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [41168 2014-11-19] (NetFilterSDK.com)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 ReFS; C:\Windows\System32\Drivers\ReFS.sys [921920 2014-10-15] (Microsoft Corporation)
S3 risdxc; C:\Windows\System32\drivers\risdxc64.sys [106496 2013-07-30] (REDC)
S3 silabenm; C:\Windows\system32\DRIVERS\silabenm.sys [27336 2013-11-25] (Silicon Laboratories)
S3 silabser; C:\Windows\system32\DRIVERS\silabser.sys [73216 2013-11-25] (Silicon Laboratories)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [33168 2013-11-01] (Windows (R) Win 7 DDK provider)
S0 tos_sps64; C:\Windows\System32\drivers\tos_sps64.sys [499096 2012-06-18] (TOSHIBA Corporation)
S2 TVALZFL; C:\Windows\system32\DRIVERS\TVALZFL.sys [16768 2012-07-22] (TOSHIBA Corporation)
S3 vpci; C:\Windows\System32\drivers\vpci.sys [69952 2014-10-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S0 Wof; C:\Windows\System32\Drivers\Wof.sys [157016 2014-03-13] (Microsoft Corporation)
S3 WUDFSensorLP; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188384 2012-08-10] (Windows (R) Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-26 13:53 - 2015-06-26 13:53 - 00000000 _____ C:\FRST.txt
2015-06-26 13:53 - 2015-06-26 11:45 - 01636352 _____ (Farbar) C:\FRST.exe
2015-06-26 12:10 - 2015-06-26 12:11 - 00000000 ____D C:\AdwCleaner
2015-06-26 12:10 - 2015-04-13 15:53 - 02217984 _____ C:\adwcleaner_4.201.exe
2015-06-26 11:45 - 2015-06-26 13:53 - 00000000 ____D C:\FRST
2015-06-25 13:08 - 2015-06-25 17:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-06-17 08:35 - 2015-06-17 08:35 - 00088576 _____ C:\Users\Stefan\Downloads\68239.zip
2015-06-07 16:58 - 2013-09-23 12:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2015-06-02 12:29 - 2015-06-02 12:29 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\TeamViewer
2015-06-02 12:28 - 2015-06-02 12:29 - 02234136 _____ C:\Users\Stefan\Downloads\TeamViewer_Cliente.exe
2015-06-02 08:36 - 2015-06-02 08:36 - 04203552 _____ C:\Windows\binaries_burst6y.zip
2015-06-02 08:36 - 2015-05-30 23:52 - 00000000 ____D C:\Windows\binaries_burst6y
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com.zip
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com (1).zip
2015-05-28 09:07 - 2015-05-28 09:07 - 00059190 _____ C:\Users\Stefan\Downloads\RundkursRuhrgebiet.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-24 21:12 - 2013-09-29 20:04 - 00097354 _____ C:\Windows\PFRO.log
2015-06-24 21:12 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-06-24 21:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-24 09:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\Microsoft.NET
2015-06-24 08:59 - 2013-11-12 09:45 - 01572895 _____ C:\Windows\WindowsUpdate.log
2015-06-24 08:32 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\ELAM
2015-06-23 20:45 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\SysWOW64
2015-06-23 13:54 - 2013-09-30 05:14 - 01776918 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-23 13:52 - 2013-08-22 15:46 - 00348429 _____ C:\Windows\setupact.log
2015-06-23 12:17 - 2013-08-30 09:54 - 00000000 ____D C:\05_Jennmar
2015-06-23 06:01 - 2014-01-17 18:24 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-18 10:52 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\FxsTmp
2015-06-16 10:58 - 2014-07-09 19:52 - 00000000 ___RD C:\Users\Stefan\Dropbox
2015-06-16 10:58 - 2014-07-09 19:51 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Dropbox
2015-06-16 10:46 - 2013-11-12 09:53 - 00000000 ___DO C:\Users\Stefan\SkyDrive
2015-06-08 11:34 - 2015-05-11 11:38 - 00000000 ___HD C:\sxeracq
2015-06-07 16:58 - 2013-02-02 09:11 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-07 16:57 - 2015-05-15 10:16 - 00000000 ___HD C:\lxiktqcagqa4b
2015-06-07 16:57 - 2012-07-26 09:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-06-07 16:48 - 2015-05-15 10:16 - 00000000 ____D C:\Windows\lxiktqcagqa4b
2015-06-06 12:21 - 2015-05-11 21:06 - 00000000 ___HD C:\recyclebin
2015-06-02 13:56 - 2014-02-13 20:34 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 12:54 - 2013-08-22 14:36 - 00000000 ___RD C:\Program Files (x86)
2015-05-27 12:22 - 2015-01-14 18:24 - 00000000 ____D C:\Users\Stefan\Documents\WISO Konto Online

Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\APNSetup.exe
C:\Users\Stefan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpulbzlk.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Stefan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\nsf7BDD.exe
C:\Users\Stefan\AppData\Local\Temp\nsn8266.exe
C:\Users\Stefan\AppData\Local\Temp\nsn9949.exe
C:\Users\Stefan\AppData\Local\Temp\nst2C11.exe
C:\Users\Stefan\AppData\Local\Temp\nsu8804.exe
C:\Users\Stefan\AppData\Local\Temp\nsv3142.exe
C:\Users\Stefan\AppData\Local\Temp\nsy3710.exe
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Stefan\AppData\Local\Temp\unrar.dll
C:\Users\Stefan\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Stefan\AppData\Local\Temp\wusetup.exE


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\System32\winlogon.exe
[2014-12-17 19:43] - [2014-10-29 02:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-12-17 19:42] - [2014-10-29 02:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\System32\svchost.exe
[2014-12-17 19:42] - [2014-10-29 05:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\System32\services.exe
[2014-12-17 19:43] - [2014-10-29 04:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

C:\Windows\System32\User32.dll
[2014-12-17 19:43] - [2014-10-29 05:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\System32\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\System32\rpcss.dll
[2014-12-17 19:43] - [2014-10-29 02:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2014-09-15 06:57] - [2014-06-19 03:13] - 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB


==================== Restore Points  =========================


==================== BCD ================================
Der Speicher f�r die Startkonfigurationsdaten konnte nicht ge”ffnet werden.
Das angeforderte Systemger„t kann nicht gefunden werden.


==================== Memory info =========================== 

Percentage of memory in use: 28%
Total physical RAM: 3232.17 MB
Available physical RAM: 2303.25 MB
Total Pagefile: 3230.45 MB
Available Pagefile: 2303.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.32 MB

==================== Drives ================================

Drive c: (Speicher I) (Fixed) (Total:219.15 GB) (Free:10.83 GB) NTFS
Drive d: (System) (Fixed) (Total:0.44 GB) (Free:0.12 GB) NTFS
Drive e: (_STICK) (Removable) (Total:29.81 GB) (Free:6.67 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.08 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 29.8 GB) (Disk ID: 8C014770)
Partition 1: (Active) - (Size=29.8 GB) - (Type=0C)


LastRegBack: 2015-06-22 09:11

==================== End of log ============================
         

--- --- ---


Danke

Ich habe dein Thema in Arbeit und melde mich so schnell als möglich mit weiteren Anweisungen.

Bitte beachte, dass alle meine Antworten zuerst von einem Ausbilder freigegeben werden müssen, bevor ich diese hier posten darf. Dies garantiert, dass Du Hilfe von einem ausgebildeten Helfer bekommst.

Ich bedanke mich für deine Geduld

Mein Name ist Dennis und ich werde dir bei der Bereinigung helfen.

Bitte beachte, dass es ein paar Regeln gibt:

• Bitte lies meine Posts komplett durch bevor du sie abarbeitest
• Wenn ein Problem auftauchen sollte, unterbreche deine Arbeit, poste die entsandenen Logs und schildere dieses so genau wie möglich.
• Bitte kein Crossposting
• Installiere oder Deinstalliere keine Software ohne Aufforderung
• Bitte verwende nur die Tools welche hier im Thread erwähnt werden
• Antworte innerhalb von 24h um eine sinnvolle Bereinigung zu ermöglichen
• Poste die Logs immer in CODE-Tags (#-Button), zur Not die Logs einfach aufteilen

Los gehts

Schritt # 1: FRST Fix

Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code: Alles auswählenAufklappen

ATTFilter

HKU\Stefan\...\Run: [Device Smart Session Net.Tcp] => C:\sxeracq\nadintj.exe
S2 CouponarificService64; C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5\xtloowpkjv64.exe [X]
S2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
S2 sarconsogulpe; C:\Program Files\sarconsogulpe\sarconsogulpe.exe run options=00001009990000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]

C:\sxeracq
C:\lxiktqcagqa4b
C:\Windows\lxiktqcagqa4b
C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5
C:\Program Files\Level Quality Watcher
C:\Program Files\sarconsogulpe
         

Speichere diese bitte als Fixlist.txt auf deinem USB Stick.

• Starte deinen Rechner erneut in die Reparaturoptionen
• Starte nun die FRST.exe erneut und klicke den Entfernen Button.

Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier.


Schritt # 2: Versuch zu Booten

Kannst du nun normal oder in den abgesicherten Modus hochfahren?



Schritt # 3: Neuer FRST Scan

WENN du normal booten kannst:

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)

• Starte jetzt FRST.
• Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
• Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
• Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)

Ansonsten:

Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8)

Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)

• Downloade dir bitte die passende Version des Tools (im Zweifel beide) und speichere diese auf einen USB Stick: FRST 32-Bit | FRST 64-Bit
• Schließe den USB Stick an das infizierte System an und boote das System in die System Reparatur Option.
• Scanne jetzt nach der bebilderten Anleitung oder verwende die folgende Kurzanleitung:

Über den Boot Manager:

• Starte den Rechner neu.
• Während dem Hochfahren drücke mehrmals die F8 Taste
• Wähle nun Computer reparieren.
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD (auch bei Windows 8 möglich):

• Lege die Windows CD in dein Laufwerk.
• Starte den Rechner neu und starte von der CD.
• Wähle die Spracheinstellungen und klicke "Weiter".
• Klicke auf Computerreparaturoptionen !
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen: Eingabeaufforderung

• Gib nun bitte notepad ein und drücke Enter.
• Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer.
  Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt, merke ihn dir.
• Schließe Notepad wieder
• Gib nun bitte folgenden Befehl ein.
  e:\frst.exe bzw. e:\frst64.exe
  Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks, den du dir gemerkt hast. Gegebenfalls anpassen.
• Akzeptiere den Disclaimer mit Ja und klicke Untersuchen

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier nach Möglichkeit in Code-Tags (Anleitung).

Schritt # 4: Bitte Posten

• Das Fixlog von FRST
• Die Antwort auf meine Frage
• Das frische FRST-Log

Hallo Dennis und Danke bis hierhin.

Schritt # 1 + 2 ausgeführt, Boot ins OS danach nicht möglich (bzw. nur bis zu der Passwortabfrage, dem Virus)

In den abgesicherten Modus von Windows 8.1 komme ich aktuell nicht rein, kenne auch nur den Weg über das laufende OS dort rein zu gelangen.

Fixlog.txt :

Fix result of Farbar Recovery Scan Tool (x86) Version: 24-06-2015
Ran by SYSTEM at 2015-06-26 15:45:23 Run:1
Running from C:\
Boot Mode: Recovery

==============================================

fixlist content:
*****************
HKU\Stefan\...\Run: [Device Smart Session Net.Tcp] => C:\sxeracq\nadintj.exe
S2 CouponarificService64; C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5\xtloowpkjv64.exe [X]
S2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
S2 sarconsogulpe; C:\Program Files\sarconsogulpe\sarconsogulpe.exe run options=00001009990000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]

C:\sxeracq
C:\lxiktqcagqa4b
C:\Windows\lxiktqcagqa4b
C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5
C:\Program Files\Level Quality Watcher
C:\Program Files\sarconsogulpe
*****************

HKU\Stefan\Software\Microsoft\Windows\CurrentVersion\Run\\Device Smart Session Net.Tcp => value removed successfully.
CouponarificService64 => Service removed successfully.
Level Quality Watcher => Service removed successfully.
sarconsogulpe => Service removed successfully.
C:\sxeracq => moved successfully.
C:\lxiktqcagqa4b => moved successfully.
C:\Windows\lxiktqcagqa4b => moved successfully.
"C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5" => File/Folder not found.
"C:\Program Files\Level Quality Watcher" => File/Folder not found.
"C:\Program Files\sarconsogulpe" => File/Folder not found.

==== End of Fixlog 15:45:23 ====

Schritt # 3

FRST Scan :
FRST Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-06-2015
Ran by SYSTEM on MINWINPC on 26-06-2015 16:15:35
Running from C:\
Platform: Windows 8.1 (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X64 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X86 SYSTEM DISK.
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-05] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Run: [MailTab] => C:\Program Files (x86)\FIPLAB Ltd\MailTab for Gmail\MailTabWin.exe [2734080 2012-10-09] ()
HKU\Stefan\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\Stefan\...\Run: [DelayShred] => c:\Program Files\McAfee\MQS\ShrCL.exe [101272 2015-04-08] (McAfee, Inc.)
HKU\Stefan\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1938624 2014-10-21] (Valve Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2015-03-30]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-07-09]
ShortcutTarget: Dropbox.lnk -> C:\Users\Default\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0099681433230856mcinstcleanup; C:\WINDOWS\TEMP\009968~1.EXE [883024 2015-05-04] (McAfee, Inc.)
S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [81088 2014-12-19] (Adobe Systems Incorporated)
S3 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [268464 2015-06-23] (Adobe Systems Incorporated)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [279000 2013-11-04] (Intel Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [43696 2013-08-03] (Microsoft Corporation)
S3 GamesAppService; C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [206072 2010-10-12] (WildTangent, Inc.)
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [116648 2014-01-17] (Google Inc.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [635104 2012-04-20] (Intel(R) Corporation)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193576 2012-07-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 LMS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [277824 2012-07-17] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-06-04] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McSchedulerSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [119408 2015-05-20] (Mozilla Foundation)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S2 NAUpdate; C:\Program Files (x86)\Nero\Update\NASvc.exe [769432 2012-07-13] (Nero AG)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [139856 2013-08-10] (Microsoft Corporation)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [150600 2013-06-01] (Microsoft Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S3 PerfHost; C:\Windows\SysWow64\perfhost.exe [21504 2013-08-22] (Microsoft Corporation)
S3 PrintNotify; C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll [2899968 2014-08-16] (Microsoft Corporation)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 ScDeviceEnum; C:\Windows\System32\ScDeviceEnum.dll [131072 2014-10-29] (Microsoft Corporation)
S3 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [833728 2014-10-21] (Valve Corporation)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [53384 2012-08-23] (TOSHIBA Corporation)
S2 TNSSVC; C:\Program Files\Toshiba\LANDriver\TNSSVC.exe [40944 2012-09-07] ()
S3 TOSHIBA Bluetooth Service; C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [179608 2014-11-01] (TOSHIBA CORPORATION)
S2 TOSHIBA eco Utility Service; C:\Program Files\TOSHIBA\Teco\TecoService.exe [291240 2012-08-25] (TOSHIBA Corporation)
S3 TPCHSrv; C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [458152 2012-07-28] (TOSHIBA Corporation)
S2 UNS; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [365376 2012-07-17] (Intel Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 WEPHOSTSVC; C:\Windows\system32\wephostsvc.dll [26112 2014-10-29] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 workfolderssvc; C:\Windows\system32\workfolderssvc.dll [1668096 2014-10-29] (Microsoft Corporation)
S4 wuauserv; C:\Windows\system32\wuaueng.dll [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 b06bdrv; C:\Windows\System32\drivers\bxvbda.sys [531296 2013-08-22] (Broadcom Corporation)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [33280 2014-02-22] (Microsoft Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 e1cexpress; C:\Windows\system32\DRIVERS\e1c64x64.sys [468752 2014-09-26] (Intel Corporation)
S3 e1iexpress; C:\Windows\system32\DRIVERS\e1i63x64.sys [460288 2013-06-18] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 iaLPSSi_GPIO; C:\Windows\System32\drivers\iaLPSSi_GPIO.sys [24568 2013-07-30] (Intel Corporation)
S3 iaLPSSi_I2C; C:\Windows\System32\drivers\iaLPSSi_I2C.sys [99320 2013-07-25] (Intel Corporation)
S0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [645952 2012-07-31] (Intel Corporation)
S3 igfx; C:\Windows\system32\DRIVERS\igdkmd64.sys [4195840 2013-11-04] (Intel Corporation)
S3 intaud_WaveExtensible; C:\Windows\system32\drivers\intelaud.sys [39320 2013-10-17] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\system32\drivers\RTKVHD64.sys [3242896 2012-12-10] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [43800 2012-07-20] (Intel Corporation)
S3 iwdbus; C:\Windows\System32\drivers\iwdbus.sys [27032 2013-10-17] (Intel Corporation)
S3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [21248 2013-08-22] (Microsoft Corporation)
S3 MEIx64; C:\Windows\System32\drivers\HECIx64.sys [62784 2012-07-03] (Intel Corporation)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [41168 2014-11-19] (NetFilterSDK.com)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 ReFS; C:\Windows\System32\Drivers\ReFS.sys [921920 2014-10-15] (Microsoft Corporation)
S3 risdxc; C:\Windows\System32\drivers\risdxc64.sys [106496 2013-07-30] (REDC)
S3 silabenm; C:\Windows\system32\DRIVERS\silabenm.sys [27336 2013-11-25] (Silicon Laboratories)
S3 silabser; C:\Windows\system32\DRIVERS\silabser.sys [73216 2013-11-25] (Silicon Laboratories)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [33168 2013-11-01] (Windows (R) Win 7 DDK provider)
S0 tos_sps64; C:\Windows\System32\drivers\tos_sps64.sys [499096 2012-06-18] (TOSHIBA Corporation)
S2 TVALZFL; C:\Windows\system32\DRIVERS\TVALZFL.sys [16768 2012-07-22] (TOSHIBA Corporation)
S3 vpci; C:\Windows\System32\drivers\vpci.sys [69952 2014-10-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S0 Wof; C:\Windows\System32\Drivers\Wof.sys [157016 2014-03-13] (Microsoft Corporation)
S3 WUDFSensorLP; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
S3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188384 2012-08-10] (Windows (R) Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-26 13:53 - 2015-06-26 16:15 - 00002904 _____ C:\FRST.txt
2015-06-26 13:53 - 2015-06-26 11:45 - 01636352 _____ (Farbar) C:\FRST.exe
2015-06-26 12:10 - 2015-06-26 12:11 - 00000000 ____D C:\AdwCleaner
2015-06-26 12:10 - 2015-04-13 15:53 - 02217984 _____ C:\adwcleaner_4.201.exe
2015-06-26 11:45 - 2015-06-26 16:15 - 00000000 ____D C:\FRST
2015-06-25 13:08 - 2015-06-25 17:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-06-17 08:35 - 2015-06-17 08:35 - 00088576 _____ C:\Users\Stefan\Downloads\68239.zip
2015-06-07 16:58 - 2013-09-23 12:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2015-06-02 12:29 - 2015-06-02 12:29 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\TeamViewer
2015-06-02 12:28 - 2015-06-02 12:29 - 02234136 _____ C:\Users\Stefan\Downloads\TeamViewer_Cliente.exe
2015-06-02 08:36 - 2015-06-02 08:36 - 04203552 _____ C:\Windows\binaries_burst6y.zip
2015-06-02 08:36 - 2015-05-30 23:52 - 00000000 ____D C:\Windows\binaries_burst6y
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com.zip
2015-05-28 20:25 - 2015-05-28 20:25 - 02066112 _____ C:\Users\Stefan\Downloads\1815165846_lanrentuku.com (1).zip
2015-05-28 09:07 - 2015-05-28 09:07 - 00059190 _____ C:\Users\Stefan\Downloads\RundkursRuhrgebiet.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-24 21:12 - 2013-09-29 20:04 - 00097354 _____ C:\Windows\PFRO.log
2015-06-24 21:12 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-06-24 21:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-24 09:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\Microsoft.NET
2015-06-24 08:59 - 2013-11-12 09:45 - 01572895 _____ C:\Windows\WindowsUpdate.log
2015-06-24 08:32 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\ELAM
2015-06-23 20:45 - 2013-08-22 14:36 - 00000000 ____D C:\Windows\SysWOW64
2015-06-23 13:54 - 2013-09-30 05:14 - 01776918 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-23 13:52 - 2013-08-22 15:46 - 00348429 _____ C:\Windows\setupact.log
2015-06-23 12:17 - 2013-08-30 09:54 - 00000000 ____D C:\05_Jennmar
2015-06-23 06:01 - 2014-01-17 18:24 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-18 10:52 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\FxsTmp
2015-06-16 10:58 - 2014-07-09 19:52 - 00000000 ___RD C:\Users\Stefan\Dropbox
2015-06-16 10:58 - 2014-07-09 19:51 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Dropbox
2015-06-16 10:46 - 2013-11-12 09:53 - 00000000 ___DO C:\Users\Stefan\SkyDrive
2015-06-07 16:58 - 2013-02-02 09:11 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-07 16:57 - 2012-07-26 09:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-06-06 12:21 - 2015-05-11 21:06 - 00000000 ___HD C:\recyclebin
2015-06-02 13:56 - 2014-02-13 20:34 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 12:54 - 2013-08-22 14:36 - 00000000 ___RD C:\Program Files (x86)
2015-05-27 12:22 - 2015-01-14 18:24 - 00000000 ____D C:\Users\Stefan\Documents\WISO Konto Online

Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\APNSetup.exe
C:\Users\Stefan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpulbzlk.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Stefan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\nsf7BDD.exe
C:\Users\Stefan\AppData\Local\Temp\nsn8266.exe
C:\Users\Stefan\AppData\Local\Temp\nsn9949.exe
C:\Users\Stefan\AppData\Local\Temp\nst2C11.exe
C:\Users\Stefan\AppData\Local\Temp\nsu8804.exe
C:\Users\Stefan\AppData\Local\Temp\nsv3142.exe
C:\Users\Stefan\AppData\Local\Temp\nsy3710.exe
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Stefan\AppData\Local\Temp\unrar.dll
C:\Users\Stefan\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Stefan\AppData\Local\Temp\wusetup.exE


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\System32\winlogon.exe
[2014-12-17 19:43] - [2014-10-29 02:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-12-17 19:42] - [2014-10-29 02:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\System32\svchost.exe
[2014-12-17 19:42] - [2014-10-29 05:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\System32\services.exe
[2014-12-17 19:43] - [2014-10-29 04:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

C:\Windows\System32\User32.dll
[2014-12-17 19:43] - [2014-10-29 05:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\System32\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\System32\rpcss.dll
[2014-12-17 19:43] - [2014-10-29 02:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2014-09-15 06:57] - [2014-06-19 03:13] - 0310080 ___AC (Microsoft Corporation) 64CA2B4A49A8EAF495E435623ECCE7DB


==================== Restore Points  =========================


==================== BCD ================================
Der Speicher f�r die Startkonfigurationsdaten konnte nicht ge”ffnet werden.
Das angeforderte Systemger„t kann nicht gefunden werden.


==================== Memory info =========================== 

Percentage of memory in use: 28%
Total physical RAM: 3232.17 MB
Available physical RAM: 2304.87 MB
Total Pagefile: 3230.45 MB
Available Pagefile: 2305.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.32 MB

==================== Drives ================================

Drive c: (Speicher I) (Fixed) (Total:219.15 GB) (Free:10.85 GB) NTFS
Drive d: (System) (Fixed) (Total:0.44 GB) (Free:0.12 GB) NTFS
Drive e: (_STICK) (Removable) (Total:29.81 GB) (Free:6.67 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.08 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 29.8 GB) (Disk ID: 8C014770)
Partition 1: (Active) - (Size=29.8 GB) - (Type=0C)


LastRegBack: 2015-06-22 09:11

==================== End of log ============================
         

--- --- ---


Danke

Hi,

Schritt # 1: Frage

Wie machst du denn den Scan derzeit? Mit einer Windows DVD?


Schritt # 2: Besorgen von 64 Bit CD

Du benötigst eine 64 Bit Windows 8.1 CD. Diese kannst du hier herunterladen.

Wähle im Downloader einfach unter "Edition" Windows 8.1 und unter "Architektur" 64-Bit (x64) aus.

Boote zukünftig von dieser statt von der alten.


Schritt # 3: Korrekter FRST Scan

Bitte mit Methode CD/DVD machen.

Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8)

Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)

• Downloade dir bitte die passende Version des Tools (im Zweifel beide) und speichere diese auf einen USB Stick: FRST 32-Bit | FRST 64-Bit
• Schließe den USB Stick an das infizierte System an und boote das System in die System Reparatur Option.
• Scanne jetzt nach der bebilderten Anleitung oder verwende die folgende Kurzanleitung:

Über den Boot Manager:

• Starte den Rechner neu.
• Während dem Hochfahren drücke mehrmals die F8 Taste
• Wähle nun Computer reparieren.
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD (auch bei Windows 8 möglich):

• Lege die Windows CD in dein Laufwerk.
• Starte den Rechner neu und starte von der CD.
• Wähle die Spracheinstellungen und klicke "Weiter".
• Klicke auf Computerreparaturoptionen !
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen: Eingabeaufforderung

• Gib nun bitte notepad ein und drücke Enter.
• Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer.
  Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt, merke ihn dir.
• Schließe Notepad wieder
• Gib nun bitte folgenden Befehl ein.
  e:\frst.exe bzw. e:\frst64.exe
  Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks, den du dir gemerkt hast. Gegebenfalls anpassen.
• Akzeptiere den Disclaimer mit Ja und klicke Untersuchen

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier nach Möglichkeit in Code-Tags (Anleitung).

Schritt # 4: Bitte Posten

• Antwort auf meine Frage
• Das neue FRST Log

Hallo,

den Scan habe ich unter einer Windows 7 Live CD gemacht.
Hier der Scan unter dem von Dir genannten Windows 8.1 Install Datenträger :
FRST Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by SYSTEM on MININT-1B1IOG3 on 29-06-2015 15:01:13
Running from E:\
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-05] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2013-04-15] (Intel Corporation)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [Intel AppUp(R) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2013-04-15] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2014-06-16] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [WISO Konto Online 2015] => C:\Program Files (x86)\Buhl\WISO Konto Online 2015\mg.exe [1120568 2015-05-07] (Buhl Data Service)
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Run: [MailTab] => C:\Program Files (x86)\FIPLAB Ltd\MailTab for Gmail\MailTabWin.exe [2734080 2012-10-09] ()
HKU\Stefan\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\Stefan\...\Run: [DelayShred] => c:\Program Files\McAfee\MQS\ShrCL.exe [101272 2015-04-08] (McAfee, Inc.)
HKU\Stefan\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1938624 2014-10-21] (Valve Corporation)
HKU\Stefan\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
HKU\Stefan\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Policies\Explorer: [NoControlPanel] 0
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2015-03-30]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-07-09]
ShortcutTarget: Dropbox.lnk -> C:\windows\system32\config\systemprofile\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0099681433230856mcinstcleanup; C:\WINDOWS\TEMP\009968~1.EXE [883024 2015-05-04] (McAfee, Inc.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193576 2012-07-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-06-04] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McSchedulerSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S2 TNSSVC; C:\Program Files\Toshiba\LANDriver\TNSSVC.exe [40944 2012-09-07] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S4 wuauserv; C:\Windows\system32\wuaueng.dll [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 e1cexpress; C:\Windows\system32\DRIVERS\e1c64x64.sys [468752 2014-09-26] (Intel Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [43800 2012-07-20] (Intel Corporation)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [41168 2014-11-19] (NetFilterSDK.com)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [33168 2013-11-01] (Windows (R) Win 7 DDK provider)
S3 toshidpt; C:\Windows\system32\drivers\Toshidpt.sys [10232 2012-08-01] (TOSHIBA Corporation.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188384 2012-08-10] (Windows (R) Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-29 14:55 - 2015-06-29 15:00 - 00000000 _____ C:\Recovery.txt
2015-06-26 17:04 - 2015-06-26 17:04 - 00000000 ____D C:\ESET
2015-06-26 13:53 - 2015-06-26 16:16 - 00021256 _____ C:\FRST.txt
2015-06-26 13:53 - 2015-06-26 11:45 - 01636352 _____ (Farbar) C:\FRST.exe
2015-06-26 12:10 - 2015-06-26 12:11 - 00000000 ____D C:\AdwCleaner
2015-06-26 12:10 - 2015-04-13 15:53 - 02217984 _____ C:\adwcleaner_4.201.exe
2015-06-26 11:45 - 2015-06-29 14:57 - 00000000 ____D C:\FRST
2015-06-25 13:08 - 2015-06-25 17:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-06-17 08:35 - 2015-06-17 08:35 - 00088576 _____ C:\Users\Stefan\Downloads\68239.zip
2015-06-07 16:58 - 2013-09-23 12:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2015-06-02 12:33 - 2015-06-02 12:33 - 00000000 ____D C:\Windows\System32\Tasks\Aufgaben der Ereignisanzeige
2015-06-02 12:29 - 2015-06-02 12:29 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\TeamViewer
2015-06-02 12:28 - 2015-06-02 12:29 - 02234136 _____ C:\Users\Stefan\Downloads\TeamViewer_Cliente.exe
2015-06-02 08:36 - 2015-06-02 08:36 - 04203552 _____ C:\Windows\binaries_burst6y.zip
2015-06-02 08:36 - 2015-05-30 23:52 - 00000000 ____D C:\Windows\binaries_burst6y

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-24 21:12 - 2013-09-29 20:04 - 00097354 _____ C:\Windows\PFRO.log
2015-06-24 21:12 - 2013-08-22 15:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-24 21:12 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-06-24 21:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-24 20:59 - 2014-02-15 20:33 - 00001142 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf2a84cba9fedb.job
2015-06-24 20:45 - 2013-07-10 10:47 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-24 20:34 - 2014-01-03 15:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-24 20:25 - 2013-07-01 11:28 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3296789569-1479612353-1228796244-1001
2015-06-24 20:16 - 2013-11-12 13:46 - 00003946 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F17BD90E-16D2-4198-9365-3323C12B9DAF}
2015-06-24 08:59 - 2015-02-04 18:54 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d040a39ce00188.job
2015-06-24 08:59 - 2013-11-12 09:45 - 01572895 _____ C:\Windows\WindowsUpdate.log
2015-06-24 08:32 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\ELAM
2015-06-23 20:45 - 2013-07-10 10:47 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-23 13:54 - 2013-09-30 05:14 - 01776918 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-23 13:54 - 2013-09-30 04:56 - 00765582 _____ C:\Windows\System32\perfh007.dat
2015-06-23 13:54 - 2013-09-30 04:56 - 00159366 _____ C:\Windows\System32\perfc007.dat
2015-06-23 13:52 - 2013-08-22 15:46 - 00348429 _____ C:\Windows\setupact.log
2015-06-23 12:17 - 2013-08-30 09:54 - 00000000 ____D C:\05_Jennmar
2015-06-23 06:01 - 2014-01-17 18:24 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-19 17:59 - 2014-10-27 19:50 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cff216d3d01ded.job
2015-06-18 10:52 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\FxsTmp
2015-06-16 10:58 - 2014-07-09 19:52 - 00000000 ___RD C:\Users\Stefan\Dropbox
2015-06-16 10:58 - 2014-07-09 19:51 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Dropbox
2015-06-16 10:46 - 2013-11-12 09:53 - 00000000 ___DO C:\Users\Stefan\SkyDrive
2015-06-15 17:39 - 2013-07-01 11:20 - 00000000 ____D C:\Users\Stefan\AppData\Local\Packages
2015-06-07 16:58 - 2013-02-02 09:11 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-07 16:57 - 2012-07-26 09:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-06-06 12:21 - 2015-05-11 21:06 - 00000000 ___HD C:\recyclebin
2015-06-02 13:56 - 2014-02-13 20:34 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 13:55 - 2014-02-13 20:33 - 00000000 ____D C:\Program Files (x86)\Java
2015-06-02 13:53 - 2014-02-13 20:33 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\APNSetup.exe
C:\Users\Stefan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpulbzlk.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Stefan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\nsf7BDD.exe
C:\Users\Stefan\AppData\Local\Temp\nsn8266.exe
C:\Users\Stefan\AppData\Local\Temp\nsn9949.exe
C:\Users\Stefan\AppData\Local\Temp\nst2C11.exe
C:\Users\Stefan\AppData\Local\Temp\nsu8804.exe
C:\Users\Stefan\AppData\Local\Temp\nsv3142.exe
C:\Users\Stefan\AppData\Local\Temp\nsy3710.exe
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Stefan\AppData\Local\Temp\unrar.dll
C:\Users\Stefan\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Stefan\AppData\Local\Temp\wusetup.exE


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2014-12-17 19:43] - [2014-10-29 02:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-12-17 19:42] - [2014-10-29 02:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\SysWOW64\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\svchost.exe
[2014-12-17 19:42] - [2014-10-29 05:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\SysWOW64\svchost.exe
[2014-12-17 19:42] - [2014-10-29 04:17] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

C:\Windows\System32\services.exe
[2014-12-17 19:43] - [2014-10-29 04:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

C:\Windows\System32\User32.dll
[2014-12-17 19:43] - [2014-10-29 05:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\SysWOW64\User32.dll
[2014-12-17 19:43] - [2014-10-29 02:04] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\System32\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\SysWOW64\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:05] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

C:\Windows\System32\rpcss.dll
[2014-12-17 19:43] - [2014-10-29 02:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================


==================== BCD ================================
Der Speicher f�r die Startkonfigurationsdaten konnte nicht ge”ffnet werden.
Das angeforderte Systemger„t kann nicht gefunden werden.


==================== Memory info =========================== 

Percentage of memory in use: 11%
Total physical RAM: 6038.16 MB
Available physical RAM: 5329.3 MB
Total Pagefile: 6038.16 MB
Available Pagefile: 5353.16 MB
Total Virtual: 131072 MB
Available Virtual: 131071.87 MB

==================== Drives ================================

Drive c: (Speicher I) (Fixed) (Total:219.15 GB) (Free:10.82 GB) NTFS
Drive d: (ESD-USB) (Removable) (Total:29.07 GB) (Free:25.72 GB) FAT32
Drive e: (_STICK) (Removable) (Total:29.81 GB) (Free:11.11 GB) FAT32
Drive f: (System) (Fixed) (Total:0.44 GB) (Free:0.12 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 29.1 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 2 (Size: 29.8 GB) (Disk ID: 8C014770)
Partition 1: (Active) - (Size=29.8 GB) - (Type=0C)


LastRegBack: 2015-06-22 09:11

==================== End of log ============================
         

--- --- ---

Danke

Hi,

Schritt # 1: FRST Fix

Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code: Alles auswählenAufklappen

ATTFilter

LastRegBack: 2015-06-22 09:11
         

Speichere diese bitte als Fixlist.txt auf deinem USB Stick.

• Starte deinen Rechner erneut in die Reparaturoptionen
• Starte nun die FRST.exe erneut und klicke den Entfernen Button.

Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier.


Schritt # 2: Frage

Kannst du jetzt normal in dein Windows booten?



Schritt # 3: Neuer FRST-Scan

Falls ja, dann:

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)

• Starte jetzt FRST.
• Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
• Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
• Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)

Falls nicht, dann:

Scan mit Farbar's Recovery Scan Tool (Recovery Mode - Windows Vista, 7, 8)

Hinweise für Windows 8-Nutzer: Anleitung 1 (FRST-Variante) und Anleitung 2 (zweiter Teil)

• Downloade dir bitte die passende Version des Tools (im Zweifel beide) und speichere diese auf einen USB Stick: FRST 32-Bit | FRST 64-Bit
• Schließe den USB Stick an das infizierte System an und boote das System in die System Reparatur Option.
• Scanne jetzt nach der bebilderten Anleitung oder verwende die folgende Kurzanleitung:

Über den Boot Manager:

• Starte den Rechner neu.
• Während dem Hochfahren drücke mehrmals die F8 Taste
• Wähle nun Computer reparieren.
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Mit Windows CD/DVD (auch bei Windows 8 möglich):

• Lege die Windows CD in dein Laufwerk.
• Starte den Rechner neu und starte von der CD.
• Wähle die Spracheinstellungen und klicke "Weiter".
• Klicke auf Computerreparaturoptionen !
• Wähle dein Betriebssystem und Benutzerkonto und klicke jeweils "Weiter".

Wähle in den Reparaturoptionen: Eingabeaufforderung

• Gib nun bitte notepad ein und drücke Enter.
• Im öffnenden Textdokument: Datei > Speichern unter... und wähle Computer.
  Hier wird dir der Laufwerksbuchstabe deines USB Sticks angezeigt, merke ihn dir.
• Schließe Notepad wieder
• Gib nun bitte folgenden Befehl ein.
  e:\frst.exe bzw. e:\frst64.exe
  Hinweis: e steht für den Laufwerksbuchstaben deines USB Sticks, den du dir gemerkt hast. Gegebenfalls anpassen.
• Akzeptiere den Disclaimer mit Ja und klicke Untersuchen

Das Tool erstellt eine FRST.txt auf deinem USB Stick. Poste den Inhalt bitte hier nach Möglichkeit in Code-Tags (Anleitung).

Schritt # 4: Bitte Posten

• Das Fixlog von FRST
• Die Antwort auf meine Frage
• Das FRST-Log

Hallo,

hier ist das Fixlog :

Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by SYSTEM at 2015-06-30 10:48:36 Run:3
Running from E:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
LastRegBack: 2015-06-22 09:11
*****************

DEFAULT hive copied successfully to System32\config\HiveBackup
DEFAULT hive restored successfully from registry back up.
SAM hive copied successfully to System32\config\HiveBackup
SAM hive restored successfully from registry back up.
SECURITY hive copied successfully to System32\config\HiveBackup
SECURITY hive restored successfully from registry back up.
SOFTWARE hive copied successfully to System32\config\HiveBackup
SOFTWARE hive restored successfully from registry back up.
SYSTEM hive copied successfully to System32\config\HiveBackup
SYSTEM hive restored successfully from registry back up.

==== End of Fixlog 10:48:39 ====


Das starten in das Betriebssystem funktioniert noch nicht, es erscheint das Sperrbild mit der Eingabe des "Codes"

Frst Scan Log :
FRST Logfile:

Code: Alles auswählenAufklappen

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by SYSTEM on MININT-9NLGDQ8 on 30-06-2015 10:53:01
Running from E:\
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-07-27] (SRS Labs, Inc.)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-05] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-05] ()
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2609064 2012-08-30] ()
HKLM\...\Run: [TOSDCR] => C:\Program Files\TOSHIBA\PasswordUtility\TOSDCR.exe [169296 2007-08-28] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2013-04-15] (Intel Corporation)
HKLM-x32\...\Run: [TOSDCR] => %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [ATLauncher] => "C:\Program Files\McAfee\MSC\OOBE\ATLauncher.exe" /createshortcuts:1
HKLM-x32\...\Run: [Intel AppUp(R) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2013-04-15] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2014-06-16] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [WISO Konto Online 2015] => C:\Program Files (x86)\Buhl\WISO Konto Online 2015\mg.exe [1120568 2015-05-07] (Buhl Data Service)
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Run: [MailTab] => C:\Program Files (x86)\FIPLAB Ltd\MailTab for Gmail\MailTabWin.exe [2734080 2012-10-09] ()
HKU\Stefan\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\Stefan\...\Run: [DelayShred] => c:\Program Files\McAfee\MQS\ShrCL.exe [101272 2015-04-08] (McAfee, Inc.)
HKU\Stefan\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1938624 2014-10-21] (Valve Corporation)
HKU\Stefan\...\Policies\Explorer: [NoLowDiscSpaceChecks] 1
HKU\Stefan\...\Policies\Explorer: [NoFolderOptions] 0
HKU\Stefan\...\Policies\Explorer: [NoControlPanel] 0
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2015-03-30]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2014-07-09]
ShortcutTarget: Dropbox.lnk -> C:\windows\system32\config\systemprofile\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 0099681433230856mcinstcleanup; C:\WINDOWS\TEMP\009968~1.EXE [883024 2015-05-04] (McAfee, Inc.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-07] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
S2 irstrtsv; C:\windows\SysWOW64\irstrtsv.exe [193576 2012-07-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-06-04] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 McOobeSv2; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McSchedulerSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2012-08-31] (Realtek Semiconductor)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [114656 2012-09-25] (Toshiba Europe GmbH)
S2 TNSSVC; C:\Program Files\Toshiba\LANDriver\TNSSVC.exe [40944 2012-09-07] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S4 wuauserv; C:\Windows\system32\wuaueng.dll [0 2015-05-12] () <==== ATTENTION (zero byte File/Folder)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)
S2 CouponarificService64; C:\Program Files (x86)\08F60977-C840-42C6-A2D3-06E8FE3787F5\xtloowpkjv64.exe [X]
S2 Level Quality Watcher; C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010010000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]
S2 sarconsogulpe; C:\Program Files\sarconsogulpe\sarconsogulpe.exe run options=00001009990000000000000000000000 sourceguid=F59A0002-F007-46FB-97D3-3BC5D2551041 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 e1cexpress; C:\Windows\system32\DRIVERS\e1c64x64.sys [468752 2014-09-26] (Intel Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [43800 2012-07-20] (Intel Corporation)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S3 mfeavfk01; No ImagePath
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [80160 2015-02-13] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfehidk01; No ImagePath
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencbdc01; No ImagePath
S3 mfencbdc02; No ImagePath
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [41168 2014-11-19] (NetFilterSDK.com)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [33168 2013-11-01] (Windows (R) Win 7 DDK provider)
S3 toshidpt; C:\Windows\system32\drivers\Toshidpt.sys [10232 2012-08-01] (TOSHIBA Corporation.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188384 2012-08-10] (Windows (R) Win 7 DDK provider)
S0 mfeapfk; system32\drivers\mfeapfk.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-30 10:48 - 2015-06-30 10:48 - 00000000 ____D C:\Windows\System32\config\HiveBackup
2015-06-29 14:55 - 2015-06-30 10:52 - 00000000 _____ C:\Recovery.txt
2015-06-26 17:04 - 2015-06-26 17:04 - 00000000 ____D C:\ESET
2015-06-26 13:53 - 2015-06-26 16:16 - 00021256 _____ C:\FRST.txt
2015-06-26 13:53 - 2015-06-26 11:45 - 01636352 _____ (Farbar) C:\FRST.exe
2015-06-26 12:10 - 2015-06-26 12:11 - 00000000 ____D C:\AdwCleaner
2015-06-26 12:10 - 2015-04-13 15:53 - 02217984 _____ C:\adwcleaner_4.201.exe
2015-06-26 11:45 - 2015-06-30 10:48 - 00000000 ____D C:\FRST
2015-06-25 13:08 - 2015-06-25 17:37 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-06-17 08:35 - 2015-06-17 08:35 - 00088576 _____ C:\Users\Stefan\Downloads\68239.zip
2015-06-07 16:58 - 2013-09-23 12:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2015-06-02 12:33 - 2015-06-02 12:33 - 00000000 ____D C:\Windows\System32\Tasks\Aufgaben der Ereignisanzeige
2015-06-02 12:29 - 2015-06-02 12:29 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\TeamViewer
2015-06-02 12:28 - 2015-06-02 12:29 - 02234136 _____ C:\Users\Stefan\Downloads\TeamViewer_Cliente.exe
2015-06-02 08:36 - 2015-06-02 08:36 - 04203552 _____ C:\Windows\binaries_burst6y.zip
2015-06-02 08:36 - 2015-05-30 23:52 - 00000000 ____D C:\Windows\binaries_burst6y

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-30 09:49 - 2013-09-29 20:04 - 00888230 _____ C:\Windows\PFRO.log
2015-06-24 21:12 - 2013-08-22 15:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-24 21:12 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\BBI
2015-06-24 21:00 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-24 20:59 - 2014-02-15 20:33 - 00001142 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf2a84cba9fedb.job
2015-06-24 20:45 - 2013-07-10 10:47 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-24 20:34 - 2014-01-03 15:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-24 20:25 - 2013-07-01 11:28 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3296789569-1479612353-1228796244-1001
2015-06-24 20:16 - 2013-11-12 13:46 - 00003946 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F17BD90E-16D2-4198-9365-3323C12B9DAF}
2015-06-24 08:59 - 2015-02-04 18:54 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1d040a39ce00188.job
2015-06-24 08:59 - 2013-11-12 09:45 - 01572895 _____ C:\Windows\WindowsUpdate.log
2015-06-24 08:32 - 2013-08-22 14:25 - 00262144 ___SH C:\Windows\System32\config\ELAM
2015-06-23 20:45 - 2013-07-10 10:47 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-23 13:54 - 2013-09-30 05:14 - 01776918 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-23 13:54 - 2013-09-30 04:56 - 00765582 _____ C:\Windows\System32\perfh007.dat
2015-06-23 13:54 - 2013-09-30 04:56 - 00159366 _____ C:\Windows\System32\perfc007.dat
2015-06-23 13:52 - 2013-08-22 15:46 - 00348429 _____ C:\Windows\setupact.log
2015-06-23 12:17 - 2013-08-30 09:54 - 00000000 ____D C:\05_Jennmar
2015-06-23 06:01 - 2014-01-17 18:24 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-19 17:59 - 2014-10-27 19:50 - 00001138 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cff216d3d01ded.job
2015-06-18 10:52 - 2013-08-22 16:36 - 00000000 ____D C:\Windows\System32\FxsTmp
2015-06-16 10:58 - 2014-07-09 19:52 - 00000000 ___RD C:\Users\Stefan\Dropbox
2015-06-16 10:58 - 2014-07-09 19:51 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Dropbox
2015-06-16 10:46 - 2013-11-12 09:53 - 00000000 ___DO C:\Users\Stefan\SkyDrive
2015-06-15 17:39 - 2013-07-01 11:20 - 00000000 ____D C:\Users\Stefan\AppData\Local\Packages
2015-06-07 16:58 - 2013-02-02 09:11 - 00000000 ____D C:\Program Files\Common Files\McAfee
2015-06-07 16:57 - 2012-07-26 09:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-06-06 12:21 - 2015-05-11 21:06 - 00000000 ___HD C:\recyclebin
2015-06-02 13:56 - 2014-02-13 20:34 - 00000000 ____D C:\ProgramData\Oracle
2015-06-02 13:55 - 2014-02-13 20:33 - 00000000 ____D C:\Program Files (x86)\Java
2015-06-02 13:53 - 2014-02-13 20:33 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\APNSetup.exe
C:\Users\Stefan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpulbzlk.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Stefan\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Stefan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Stefan\AppData\Local\Temp\nsf7BDD.exe
C:\Users\Stefan\AppData\Local\Temp\nsn8266.exe
C:\Users\Stefan\AppData\Local\Temp\nsn9949.exe
C:\Users\Stefan\AppData\Local\Temp\nst2C11.exe
C:\Users\Stefan\AppData\Local\Temp\nsu8804.exe
C:\Users\Stefan\AppData\Local\Temp\nsv3142.exe
C:\Users\Stefan\AppData\Local\Temp\nsy3710.exe
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Stefan\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Stefan\AppData\Local\Temp\unrar.dll
C:\Users\Stefan\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Stefan\AppData\Local\Temp\wusetup.exE


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2014-12-17 19:43] - [2014-10-29 02:22] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-12-17 19:42] - [2014-10-29 02:25] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:47] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\SysWOW64\explorer.exe
[2015-03-11 14:43] - [2015-01-28 00:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\svchost.exe
[2014-12-17 19:42] - [2014-10-29 05:11] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\SysWOW64\svchost.exe
[2014-12-17 19:42] - [2014-10-29 04:17] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

C:\Windows\System32\services.exe
[2014-12-17 19:43] - [2014-10-29 04:53] - 0411128 ____A (Microsoft Corporation) 5BF02EBEFEDC706318C96E2E60EDCB91

C:\Windows\System32\User32.dll
[2014-12-17 19:43] - [2014-10-29 05:00] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\SysWOW64\User32.dll
[2014-12-17 19:43] - [2014-10-29 02:04] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\System32\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:28] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\SysWOW64\userinit.exe
[2014-12-17 19:42] - [2014-10-29 02:05] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

C:\Windows\System32\rpcss.dll
[2014-12-17 19:43] - [2014-10-29 02:19] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================


==================== BCD ================================
Der Speicher f�r die Startkonfigurationsdaten konnte nicht ge”ffnet werden.
Das angeforderte Systemger„t kann nicht gefunden werden.


==================== Memory info =========================== 

Percentage of memory in use: 11%
Total physical RAM: 6038.16 MB
Available physical RAM: 5331.42 MB
Total Pagefile: 6038.16 MB
Available Pagefile: 5355.7 MB
Total Virtual: 131072 MB
Available Virtual: 131071.87 MB

==================== Drives ================================

Drive c: (Speicher I) (Fixed) (Total:219.15 GB) (Free:10.71 GB) NTFS
Drive d: (ESD-USB) (Removable) (Total:29.07 GB) (Free:25.72 GB) FAT32
Drive e: (_STICK) (Removable) (Total:29.81 GB) (Free:11.11 GB) FAT32
Drive f: (System) (Fixed) (Total:0.44 GB) (Free:0.12 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 29.1 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 2 (Size: 29.8 GB) (Disk ID: 8C014770)
Partition 1: (Active) - (Size=29.8 GB) - (Type=0C)


LastRegBack: 2015-06-22 09:11

==================== End of log ============================
         

--- --- ---



Danke

Hi,

Schritt # 1: Passwort auslesen

Downloade dir dieses Programm, brenne es auf eine CD und boote von dieser.

Wähle als Sprache deutsch aus, bei Wiederherstellungsmodus SAM und in dem untersten Auswahlfenster "Lookup SYSKEY startup password". Klicke auf weiter.

Wähle unten bei "Password mutation level" die Intensive Suche aus. Klicke aufs Zahnrad --> keyboard layout --> load new layout --> dein Tastaturlayout in Windows (wahrscheinlich German - Germany). Klicke auf weiter.

Lass die Standardpfade, klick auf weiter und danach auf "Finde Passwörter".

Das kann jetzt etwas länger dauern.

Wenn ein Passwort gefunden wurde, werden die ersten 3 Zeichen angezeigt. Poste diese hier damit wir versuchen können das richtige Passwort zu erraten. Du kannst natürlich auch selbst herumprobieren.

Schritt # 2: Bitte Posten

• Die ersten 3 Zeichen des Passwortes.

Hallo,

die ersten 3 Buchstaben sind sup

Wenn ich zwei mal ein falsches PW eingebe geht das Notebook aus, muss es dann neu starten, zum Glück ist eine SSD verbaut...

Habs !!!

Das Kennwort lautet support123 , fühl mich als hätte ich im Lotto gewonnen !

Ich komme jetzt ins OS, was muss ich nun tun?

Daten sichern, neu installieren ?

Wenn ich unter den instalölierten Programmen schauen und sortiere nach "zuletzt installiert" taucht da nichts auffälliges auf.

Grüße

Hi,

den kriegen wir noch sauber keine Angst

Schritt # 1: Passwort deaktivieren

Drücke gleichzeitig die Windows + R - Taste. Gebe in die Textbox "syskey" ein.

Klicke auf den Button "Aktualisieren". Wähle nun die unterste Option aus --> "Vom System generiertes Kennwort" --> "Schlüssel für den Systemstart lokal speichern".

Klicke auf "OK". Du wirst zur Bestätigung nochmal das alte Passwort eingeben müssen.



Schritt # 2: MBAR-Scan

Downloade dir bitte Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.

• Starte bitte die mbar.exe.
• Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
• Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
• Klicke auf den CleanUp Button und erlaube den Neustart.
• Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
• Nach dem Neustart starte die mbar.exe erneut.
• Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.

Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers


Schritt # 3: Scan mit FRST

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)

• Starte jetzt FRST.
• Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
• Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
• Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)

Schritt # 4: Frage

Macht der Rechner sonst noch irgendwelche Probleme?



Schritt # 5: Bitte Posten

• Rückmeldung, ob das Passwort nun erfolgreich verschwunden ist
• Das MBAR-Log
• Die FRST-Logs
• Die Antwort auf meine Frage

Hallo,

leider tauchen im System massig Probleme auf, diverse Dienste starten nicht, Maustreiber hat sich abgeschossen, lässt sich nicht neu installieren, sfc /scannow bricht ab...

Ich werde jetzt eine Datensicherung und Neuinstallation durchführen.

Danke für die Hilfe !

Dann wären wir hier durch.

Abschließend noch ein paar Tipps von mir:

Schritt # 1: Empfohlene Software

Habe immer ein aktuelles Antivirenprogramm deiner Wahl installiert und aktiviere die automatischen Updates (standardmäßig eingeschaltet).

Verwende nach Möglichkeit nicht den Internet Explorer, da dieser viele Sicherheitslücken enthält. Achte aber darauf, dass er immer up to date bleibt, weil viele Programme diesen zum Anzeigen von Websites benutzen.

Alternativ kannst du verwenden:

• Mozilla Firefox
• Google Chrome

Dazu sind folgende Add-ons empfehlenswert:

Adblock Plus --> Blockiert Werbung. Werbung kann sehr nervig sein, aber auch auf schädliche Links verweisen.
Web Of Trust --> Zeigt Userbewertungen zu besuchten Internetseiten an.

Du kannst auch Malwarebytes Anti-Exploit verwenden, um aktuelle Sicherheitslücken zu stopfen.

Halte immer deine Plug-ins und Software aktuell, vor allem:

• Deinen Browser
• Flash Player
• Java
• PDF Reader

Du kannst diese komfortabel regelmäßig hiermit überprüfen:

PluginCheck
Filehippo App Manager



Schritt # 2: Tipps um eine Neuinfektion zu vermeiden

Downloade nach Möglichkeit immer direkt von der Herstellerseite oder alternativ von einem sauberen Download-Portal wie FilePony.de. Von Downloadern wie die von Chip und Softonic raten wir ab: CHIP-Installer - was ist das? - Anleitungen

Auch versuchen sich immer mehr Programme durch Installationsroutinen auf den PC "durchzumogeln". Das klappt ganz gut, weil viele Anwender sich diese nicht genau durchlesen und schnell durchklicken. Manchmal steht auch in den Lizenzvereinbarungen, dass ein Programm, was eigentlich als Freeware angepriesen wird, nur genutzt werden kann, wenn man sich bestimmte Toolbars oder andere Programme mitinstallieren lässt.
Da hilft es nur aufmerksam zu sein.

Ein Tool, welches dich dabei gut unterstützen kann, ist: Unchecky. Dieses überwacht im Hintergrund Installationsprozesse und hakt automatisch nervige Adwarekomponenten wie Toolbars ab. Falls man etwas übersieht, warnt noch ein Pop-up, bevor man fortfahren kann.

Wir raten von jeglichen Optimizern, Cleanern, SpeadUps und Ähnlichem ab, da diese Softwareprodukte meist keinen Performancegewinn bringen. Du kannst jedoch regelmäßig deinen PC mit der windowsinternen Datenträgerbereinigung behandeln.

Überprüfe regelmäßig (mind. 1x pro Monat) deinen PC mit Malwarebytes Anti-Malware und ESET.

Falls du dir unsicher bist, ob ein Download wirklich sauber ist, kannst du immer https://www.virustotal.com/ zurate ziehen.



Schritt # 3: Unterstütze uns!

Wenn du uns mit einer kleinen Spende unterstützen möchtest, so kannst du dies hier tun: http://www.trojaner-board.de/79994-s...ndenkonto.html

Es reicht aber auch schon ein simples hier, wenn du mit uns zufrieden warst.

unsere Facebook-Seite!.

Bitte gib mir bescheid, wenn du das alles gelesen hast und alles klar ist, damit ich dieses Thema aus meinen Abos löschen kann.

Bescheid !

Und Danke nochmal