
Log Analysis and Evaluation: Windows 7: Infected with BrowserModifier:Win32/CouponRuc

Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

 
06.07.2015, 11:38   #1
nadimauz2611
 

Windows 7: Infected with BrowserModifier:Win32/CouponRuc



Hello everyone,

unfortunately, for a few days now I have had to conclude that my notebook is infected with a virus or trojan.

My internet browser keeps crashing, various pop-ups open, etc.

According to Windows Defender, it is the virus "BrowserModifier:Win32/CouponRuc".

I hope you can help me; I followed the instructions and hope I did it right.

Best regards, Sarah

defogger_disable.txt (in my case, however, saved on the desktop with the extension .log)

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:05 on 02/07/2015 (Sarah)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         
FRST.txt

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-07-2015
Ran by Sarah (administrator) on SARAH-PC on 06-07-2015 12:19:06
Running from C:\Users\Sarah\Desktop
Loaded Profiles: Sarah (Available Profiles: Sarah)
Platform: Windows 8 Pro (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel(R) Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATILFE.EXE
(Geek Software GmbH) C:\Program Files (x86)\PDF24\pdf24.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672304 2014-03-21] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [191528 2014-07-04] (Geek Software GmbH)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [134784 2014-02-25] (Atheros Communications)
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATILFE.EXE [297024 2013-01-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_190_Plugin.exe [927920 2015-06-23] (Adobe Systems Incorporated)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK&q={searchTerms}
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSE1
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.de.msn.com/
HKU\S-1-5-21-1104028462-2252768145-1088222659-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mystartsearch.com/?type=hp&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1104028462-2252768145-1088222659-1001 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-1104028462-2252768145-1088222659-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-03-12] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.178.1
Tcpip\..\Interfaces\{9A39B855-A6CE-4479-9C4E-E6D63ABFFC4A}: [DhcpNameServer] 192.168.178.1
Tcpip\..\Interfaces\{A66A9838-764E-4561-8285-7913128B9293}: [DhcpNameServer] 192.168.178.1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.mystartsearch.com/?type=sc&ts=1433360258&z=2ec1dafe4262a358582527bg3z6cccecdq7e1ofw9w&from=wpc&uid=ST500LT012-1DG142_S3P7QMWKXXXXS3P7QMWK

FireFox:
========
FF ProfilePath: C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default
FF NewTab: chrome://quick_start/content/index.html
FF SelectedSearchEngine: mystartsearch
FF Homepage: hxxp://www.google.de/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_190.dll [2015-06-23] ()
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_190.dll [2015-06-23] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-01-21] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2014-01-21] (Microsoft Corporation)
FF SearchPlugin: C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\searchplugins\mystartsearch.xml [2015-06-09]
FF Extension: Mini - Adblocker - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\Extensions\mtry_qxbyjnj_wyp@oaenfxhaibldvvy.org [2015-07-02]
FF Extension: DoWnSaaVe - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\Extensions\qGW@I.org [2015-07-02]
FF HKLM-x32\...\Firefox\Extensions: [searchffv2@gmail.com] - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\extensions\searchffv2@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [sweetsearch@gmail.com] - C:\Users\Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\xh3mnej0.default\extensions\sweetsearch@gmail.com

Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 761f88fe; c:\Program Files (x86)\LinkRunner\LinkRunner.dll [1777152 2015-06-14] () [File not signed]
R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [319104 2014-02-25] (Windows (R) Win 7 DDK provider) [File not signed]
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [144560 2012-05-17] (Seiko Epson Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-18] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-01] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel(R) Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16024 2015-01-31] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-02-25] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
U3 fgloypow; \??\C:\Users\Sarah\AppData\Local\Temp\fgloypow.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-06 12:18 - 2015-07-06 12:18 - 00000302 _____ C:\Users\Sarah\Desktop\Addition.txt
2015-07-06 12:14 - 2015-07-06 12:19 - 00012100 _____ C:\Users\Sarah\Desktop\FRST.txt
2015-07-06 12:14 - 2015-07-06 12:14 - 02112512 _____ (Farbar) C:\Users\Sarah\Desktop\FRST64.exe
2015-07-06 11:57 - 2015-07-06 11:57 - 00007870 _____ C:\Users\Sarah\Desktop\Gmer.txt
2015-07-02 18:06 - 2015-07-06 12:19 - 00000000 ____D C:\FRST
2015-07-02 18:05 - 2015-07-02 18:05 - 00000472 _____ C:\Users\Sarah\Desktop\defogger_disable.log
2015-07-02 18:05 - 2015-07-02 18:05 - 00000000 _____ C:\Users\Sarah\defogger_reenable
2015-07-02 18:04 - 2015-07-02 18:04 - 00050477 _____ C:\Users\Sarah\Downloads\Defogger.exe
2015-06-23 19:38 - 2015-06-23 19:38 - 18174128 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-06-14 22:29 - 2015-06-14 22:29 - 00000000 ____D C:\Program Files (x86)\LinkRunner
2015-06-10 15:04 - 2015-06-10 15:04 - 00000000 ____D C:\Users\Sarah\Downloads\Br_Hits_Vol_89
2015-06-10 14:58 - 2015-06-10 15:04 - 390805955 _____ C:\Users\Sarah\Downloads\Br_Hits_Vol_89.rar
2015-06-10 14:32 - 2015-05-28 04:02 - 19291136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-10 14:32 - 2015-05-28 02:44 - 14383104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-10 14:32 - 2015-05-22 22:46 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 01020928 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00756736 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00422912 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00193536 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-06-10 14:32 - 2015-05-22 22:44 - 00045568 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-06-10 14:32 - 2015-05-21 15:08 - 01119232 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-06-10 14:32 - 2015-05-09 01:39 - 00981504 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-10 14:32 - 2015-05-08 22:05 - 00668160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-10 14:32 - 2015-03-27 10:07 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\cryptcatsvc.dll
2015-06-10 14:31 - 2015-05-28 04:04 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-10 14:31 - 2015-05-28 04:03 - 02237440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00601600 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-10 14:31 - 2015-05-28 04:03 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-10 14:31 - 2015-05-28 04:02 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 02656768 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00949760 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-10 14:31 - 2015-05-28 04:01 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-10 14:31 - 2015-05-28 04:00 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-10 14:31 - 2015-05-28 02:45 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-10 14:31 - 2015-05-28 02:45 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-10 14:31 - 2015-05-28 02:44 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 13771776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 02865152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-10 14:31 - 2015-05-28 02:43 - 00737280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00690176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-10 14:31 - 2015-05-28 02:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-10 14:31 - 2015-05-28 02:24 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-10 14:31 - 2015-05-28 02:23 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-10 14:31 - 2015-05-28 02:22 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2015-06-10 14:31 - 2015-05-28 02:20 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2015-06-10 14:31 - 2015-05-28 02:00 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-10 14:31 - 2015-05-28 01:55 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-10 14:31 - 2015-05-28 00:14 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2015-06-10 14:31 - 2015-05-21 20:07 - 04067840 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-06-10 14:31 - 2015-04-25 05:41 - 00541696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2015-06-10 14:31 - 2015-04-25 01:13 - 00652288 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-06-10 14:31 - 2015-04-09 00:05 - 00410336 _____ C:\Windows\system32\ApnDatabase.xml
2015-06-09 12:20 - 2015-06-09 12:20 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-06-09 12:20 - 2015-06-09 12:20 - 00001151 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-06-09 12:20 - 2015-06-09 12:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-08 13:13 - 2014-04-16 20:20 - 00029888 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2015-06-08 13:13 - 2014-04-16 20:20 - 00028352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-10-21 15:36 - 2014-06-28 23:45 - 00000852 _____ C:\Windows\system32\Drivers\RTKHDRC.DAT
2021-10-04 09:34 - 2014-06-28 23:45 - 00000712 _____ C:\Windows\system32\Drivers\RTMICEQ0.DAT
2015-07-06 12:18 - 2014-07-17 15:15 - 00000000 ____D C:\Users\Sarah\AppData\Local\CrashDumps
2015-07-06 12:09 - 2014-06-28 19:31 - 01838947 _____ C:\Windows\WindowsUpdate.log
2015-07-06 12:00 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\sru
2015-07-06 11:38 - 2014-06-29 14:42 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-06 11:30 - 2014-12-08 12:30 - 00000937 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {DE4FEC30-9B34-4EA2-953F-BE7755838752}.job
2015-07-06 11:30 - 2014-12-08 12:30 - 00000751 _____ C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {DE4FEC30-9B34-4EA2-953F-BE7755838752}.job
2015-07-06 11:30 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-07-06 11:23 - 2014-10-13 18:18 - 00000000 ____D C:\Users\Sarah\Documents\Bluetooth Folder
2015-07-06 11:14 - 2012-07-26 12:27 - 00715482 _____ C:\Windows\system32\perfh007.dat
2015-07-06 11:14 - 2012-07-26 12:27 - 00148046 _____ C:\Windows\system32\perfc007.dat
2015-07-06 11:14 - 2012-07-26 09:28 - 01654648 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-02 18:05 - 2014-06-28 19:31 - 00000000 ____D C:\Users\Sarah
2015-07-02 17:20 - 2014-06-28 19:34 - 00000000 ____D C:\Windows\KJ
2015-07-02 09:26 - 2015-06-03 21:33 - 00000000 ____D C:\ProgramData\7207110823293547146
2015-07-02 09:26 - 2015-06-03 20:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-27 13:31 - 2012-07-26 09:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-24 19:13 - 2014-06-29 09:55 - 00000000 ____D C:\Users\Sarah\Documents\Bewerbungen
2015-06-24 16:53 - 2012-07-26 09:59 - 00000000 ____D C:\Windows\CbsTemp
2015-06-23 19:39 - 2014-06-29 14:42 - 00003772 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-23 11:46 - 2014-06-28 23:47 - 00000000 ____D C:\Users\Sarah\AppData\Local\Microsoft Help
2015-06-20 13:22 - 2015-06-04 12:25 - 00001456 _____ C:\Users\Sarah\AppData\Local\Adobe Für Web speichern 13.0 Prefs
2015-06-20 05:48 - 2014-11-12 21:53 - 00792024 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-06-20 05:48 - 2014-11-12 21:53 - 00177624 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-06-14 22:30 - 2015-06-03 22:34 - 00000000 ____D C:\ProgramData\cfa6a2ca000017dc
2015-06-12 15:56 - 2012-07-26 10:12 - 00000000 ____D C:\Windows\rescache
2015-06-12 15:28 - 2015-04-16 18:29 - 05047664 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-12 15:26 - 2014-06-28 19:27 - 00020002 _____ C:\Windows\PFRO.log
2015-06-12 12:50 - 2012-07-26 07:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-06-12 12:49 - 2015-04-29 14:32 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-12 12:49 - 2015-04-29 14:32 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-11 10:33 - 2014-06-28 22:14 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 15:43 - 2014-06-28 22:14 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-06-04 12:25 - 2015-06-20 13:22 - 0001456 _____ () C:\Users\Sarah\AppData\Local\Adobe Für Web speichern 13.0 Prefs
2015-06-03 22:33 - 2015-06-03 22:33 - 0000000 _____ () C:\Users\Sarah\AppData\Local\Temp.dat
2014-06-28 23:45 - 2014-06-28 23:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Sarah\AppData\Local\Temp\ose00000.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-27 13:46

==================== End of log ============================
         
Additions.txt

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-07-2015
Ran by Sarah at 2015-07-06 12:18:44
Running from C:\Users\Sarah\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================
         
Gmer.txt

Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-06 11:57:56
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST500LT012-1DG142 rev.0001SDM1 465,76GB
Running: kwhyxxh7.exe; Driver: C:\Users\Sarah\AppData\Local\Temp\fgloypow.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue                                                                                                                                                                                        000007fb99bd3e91 6 bytes JMP 000007fc92bc3ff0
.text    C:\Windows\Explorer.EXE[4796] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW                                                                                                                                                                                    000007fb96bc26f0 5 bytes JMP 000007fc92bc4830
.text    C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal                                                                                                                                                                                      000007fb91c1d724 7 bytes JMP 000007fb92bc4160
.text    C:\Windows\Explorer.EXE[4796] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx                                                                                                                                                                                          000007fb90f8d014 5 bytes JMP 000007fb92bc4180
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                                                                                                                          000007fb93891532 4 bytes [89, 93, FB, 07]
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                                                                                                                          000007fb9389153a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                                                                                                                        000007fb9389165a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742                                                                                                                                              000007fb90f31b32 4 bytes [F3, 90, FB, 07]
.text    C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[2656] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750                                                                                                                                              000007fb90f31b3a 4 bytes [F3, 90, FB, 07]
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                                                                                                                                                000007fb93891532 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                                                                                                                                                000007fb9389153a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[336] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                                                                                                                                              000007fb9389165a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                                                                                                         000007fb99c1a620 5 bytes JMP 000007fc92bc3270
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                                                                                                                                               000007fb93891532 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                                                                                                                                               000007fb9389153a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                                                                                                                                             000007fb9389165a 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal                                                                                                                                                              000007fb91c1d724 7 bytes JMP 000007fb92bc4160
.text    C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[4912] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306                                                                                                                                            000007fb9998177a 4 bytes [98, 99, FB, 07]
.text    C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[4912] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314                                                                                                                                            000007fb99981782 4 bytes [98, 99, FB, 07]
?        C:\Windows\system32\esentprf.dll [2072] entry point in ".data" section                                                                                                                                                                                                 000007fb93296110

---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\csrss.exe [4076:3136]                                                                                                                                                                                                                              fffff96000b2b5e8

---- Processes - GMER 2.1 ----

Process  C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe (*** suspicious ***) @ C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe [652](2015-07-06 09:31:16)  0000000000400000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                                                                                                                                                      520837393
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b8ee658c0220                                                                                                                                                                                            

---- EOF - GMER 2.1 ----
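Triage of a GMER excerpt like the one above, as an added example that is not part of the original post and not one of the forum's own tools. It parses "Process" lines and flags the ones GMER itself marks suspicious, the ones whose image lives in a browser cache or temp directory (the kwhyxxh7.exe entry under Content.IE5 hits both), and the ones with random-looking 6-10 character alphanumeric names; it also pulls out the ".text ... JMP" entries, which are inline detours, as opposed to the 4-byte "[89, 93, FB, 07]"-style entries. The sample text is constructed for the example: the first Process line and the two JMP lines are modelled on the post's log with the wide column padding collapsed, the svchost.exe and ab12cd34.exe lines are made up, and the directory list and name heuristic are this example's assumptions, not GMER's.

```python
import re
from typing import Dict, List

# Constructed GMER 2.1-style excerpt (sample data for this example, padding collapsed).
SAMPLE_GMER = r"""---- User code sections - GMER 2.1 ----

.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll  000007fb99c1a620 5 bytes JMP 000007fc92bc3270
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007fb93891532 4 bytes [89, 93, FB, 07]
.text    C:\Program Files\Internet Explorer\IEXPLORE.EXE[5948] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007fb91c1d724 7 bytes JMP 000007fb92bc4160

---- Processes - GMER 2.1 ----

Process  C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe (*** suspicious ***) @ C:\Users\Sarah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TR5D2JB\kwhyxxh7.exe [652](2015-07-06 09:31:16)  0000000000400000
Process  C:\Windows\System32\svchost.exe [812](2015-07-06 09:30:00)  00007ff612340000
Process  C:\Users\Sarah\AppData\Local\Temp\ab12cd34.exe [2210](2015-07-06 09:33:01)  0000000000400000

---- EOF - GMER 2.1 ----
"""

# "Process  <desc> [<pid>](<start time>)  <image base>"; <desc> may contain spaces and,
# for GMER-flagged images, the suffix " (*** suspicious ***) @ <path>".
PROCESS_RE = re.compile(
    r"^Process\s+(?P<desc>.+?)\s+\[(?P<pid>\d+)\]\((?P<started>[^)]*)\)\s+(?P<base>[0-9a-fA-F]+)\s*$"
)
# ".text  <image>[<pid>] <module!export>[ + off]  <addr> <n> bytes JMP <dest>": an inline detour.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+) bytes JMP (?P<dest>[0-9a-fA-F]+)\s*$"
)

# Assumed list of directories a legitimate long-running process should not execute from
# (lower-case, with surrounding backslashes so "Temp" does not match "Template").
VOLATILE_DIRS = (
    "\\temporary internet files\\",
    "\\content.ie5\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)
# Assumed heuristic for generated names such as "kwhyxxh7": 6-10 lower-case letters/digits
# containing at least one of each.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,10}$")


def triage_processes(gmer_text: str) -> List[Dict[str, object]]:
    """Return the Process entries that trip at least one heuristic, with the reasons."""
    findings: List[Dict[str, object]] = []
    for line in gmer_text.splitlines():
        m = PROCESS_RE.match(line)
        if not m:
            continue
        desc = m.group("desc")
        gmer_flagged = "(*** suspicious ***)" in desc
        path = desc.split(" (*** suspicious ***) @ ")[0]  # first path is the executing image
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if gmer_flagged:
            reasons.append("gmer-flagged")
        if any(d in low for d in VOLATILE_DIRS):
            reasons.append("runs-from-volatile-dir")
        if RANDOM_NAME_RE.match(stem):
            reasons.append("random-looking-name")
        if reasons:
            findings.append({
                "pid": int(m.group("pid")),
                "path": path,
                "started": m.group("started"),
                "reasons": reasons,
            })
    return findings


def inline_hooks(gmer_text: str) -> List[Dict[str, object]]:
    """Return only the JMP detours; the 4-byte data patches are not matched."""
    hooks: List[Dict[str, object]] = []
    for line in gmer_text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({
                "image": m.group("image"),
                "pid": int(m.group("pid")),
                "target": m.group("target"),
                "size": int(m.group("size")),
                "dest": m.group("dest"),
            })
    return hooks


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_GMER):
        print(f"[{f['pid']}] {f['path']}  <- {', '.join(f['reasons'])}")
    for h in inline_hooks(SAMPLE_GMER):
        print(f"hook in {h['image']}[{h['pid']}]: {h['target']} -> {h['dest']} ({h['size']} bytes)")
```

The 4-byte entries whose bytes equal the high dword of the patched address (000007fb9389xxxx reported as [89, 93, FB, 07]) are the pattern GMER commonly reports on x64 for relocated data rather than for code hooks, so the example deliberately does not flag them; the LdrLoadDll and SLIsWindowsGenuineLocal JMPs in IEXPLORE.EXE are real detours and are worth attributing to a product (security software, a sandbox, or an injected add-on DLL) before deciding whether they matter.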