Discussion forum: Windows 10 notebook hijacked by "Microsoft employee"

Windows 7: Only subject-specific discussions are welcome here. Please do not post log files, calls for help or the like. Topics on "Trojan removal" or "malware problems" may only be discussed here. Clean-ups by untrained users are prohibited here. If you have caught a virus or Trojan, open a thread in the cleanup forums above.
#1
Windows 10 notebook hijacked by "Microsoft employee"

Hello, an acquaintance let a "Microsoft employee" onto his notebook because his computer is (actually) so slow and had caught a virus. He then downloaded TeamViewer, and the "support employee" connected to the computer and worked on it for 3 days. Installed a new serial number, cleaned up the mailboxes, checked the online banking, in other words conned him with all the trimmings... Computer and mobile phone hijacked, router hijacked, and then merrily made bank transfers...

I booted the computer from the ESET rescue CD, scanned it and found the following lovely things (archive access errors are hidden):

Code:
```
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Downloaded Installers/{BA219F82-20BF-49AD-A279-E2D69D3B9D3F}/setup.msi » MSI » msi.cab » CAB » SlimCleanerPlus.exe - a variant of Win32/Slimware.B potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Mozilla/Firefox/Profiles/pebjh2p5.default-1398088373925-1513167997011/cache2/entries/ADF4825969C0D1FD5FC2A9F6F2C1A2315149DA5F » ZIP » js/PartnerId.js - JS/Mindspark.G potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/Downloads/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLMonitor.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLService.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUninstall.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUtil.dll - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPL.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{6FF69967-0BFE-4F14-B6DF-E73783E52340}/setup.msi » MSI » app.cab » CAB » F5fedfdf90c2b4567a5edbf92262a6182 - a variant of Win32/UwS.SlimDrivers.A application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{8AE269B5-4133-4FFC-9896-D718886D7D8F}/setup.msi » MSI » app.cab » CAB » Fe40ebec7b471432eaedb98be7633658b - a variant of Win32/UwS.SlimDrivers.A application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Downloaded Installers/{BA219F82-20BF-49AD-A279-E2D69D3B9D3F}/setup.msi » MSI » msi.cab » CAB » SlimCleanerPlus.exe - a variant of Win32/Slimware.B potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Mozilla/Firefox/Profiles/pebjh2p5.default-1398088373925-1513167997011/cache2/entries/ADF4825969C0D1FD5FC2A9F6F2C1A2315149DA5F » ZIP » js/PartnerId.js - JS/Mindspark.G potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/Downloads/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLMonitor.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLService.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUninstall.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUtil.dll - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPL.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{6FF69967-0BFE-4F14-B6DF-E73783E52340}/setup.msi » MSI » app.cab » CAB » F5fedfdf90c2b4567a5edbf92262a6182 - a variant of Win32/UwS.SlimDrivers.A application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{8AE269B5-4133-4FFC-9896-D718886D7D8F}/setup.msi » MSI » app.cab » CAB » Fe40ebec7b471432eaedb98be7633658b - a variant of Win32/UwS.SlimDrivers.A application
```

I have already copied the HDD to an external hard drive.
Many thanks for your good work and help!!

Edited by cosinus (22.07.2019 at 08:10). Reason: code tags