Trojaner-Board

Source: https://www.trojaner-board.de/142701-trojaner-windows7-64bit-100-mahnung-wegen-angeblicher-urheberrechtsverletzung-sperrbildschirm.html

mallemaus 08.10.2013 14:45

Trojan, Windows 7 64-bit, €100 demand for alleged copyright infringement, lock screen
 
Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-284DM4O on 08-10-2013 15:29:07
Running from D:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2011-01-12] (Intel Corporation)
HKLM-x32\...\Run: [ISBMgr.exe] - C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [2801288 2011-05-31] (Sony Corporation)
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKU\mallemaus\...\Run: [Phase88FireWireService] - C:\Program Files (x86)\Common Files\TerraTec\PhaseFW\driver\PhaseFWService.exe [102400 2005-01-27] (TerraTec Electronic GmbH)
HKU\mallemaus\...\Run: [Spotify Web Helper] - C:\Users\mallemaus\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1140736 2013-10-07] (Spotify Ltd)
Startup: C:\Users\mallemaus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\mallemaus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wljlc4lrj.lnk
ShortcutTarget: wljlc4lrj.lnk -> C:\PROGRA~3\jrl4cljlw.plz ()

==================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [84024 2013-09-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-04] (Avira Operations GmbH & Co. KG)
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [138400 2011-07-05] (Atheros)
S3 VUAgent; C:\Program Files\Sony\VAIO Update\VUAgent.exe [1286784 2012-10-26] (Sony Corporation)
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [60288 2009-07-14] (Microsoft Corporation)
S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [105344 2013-09-04] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132088 2013-09-04] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-04-02] (Avira Operations GmbH & Co. KG)
S1 cdrblock; C:\Windows\System32\DRIVERS\cdrblock.sys [34360 2008-05-30] (Canopus Co,. Ltd.)
S3 KeyControl25; C:\Windows\System32\drivers\esikey25.sys [36448 2010-07-22] (ESI)
S3 MAUSBMIDI; C:\Windows\System32\DRIVERS\MAudioUSBMIDI.sys [200200 2010-04-13] (M-Audio)
S2 risdsnpe; C:\Windows\System32\DRIVERS\risdsnxc64.sys [98816 2011-06-23] (REDC)
S3 Sftfs; C:\Windows\System32\DRIVERS\Sftfswin7.sys [765288 2011-10-01] (Microsoft Corporation)
S3 Sftplay; C:\Windows\System32\DRIVERS\Sftplaywin7.sys [268648 2011-10-01] (Microsoft Corporation)
S3 Sftredir; C:\Windows\System32\DRIVERS\Sftredirwin7.sys [25960 2011-10-01] (Microsoft Corporation)
S3 Sftvol; C:\Windows\System32\DRIVERS\Sftvolwin7.sys [22376 2011-10-01] (Microsoft Corporation)
S0 tdrpman258; C:\Windows\System32\DRIVERS\tdrpm258.sys [1477728 2012-01-17] (Acronis)
S3 TTPhase1394; C:\Windows\System32\Drivers\TTPhase1394.sys [183328 2007-06-23] (BridgeCo AG)
S3 TTPhaseA; C:\Windows\System32\Drivers\TTPhaseA.sys [68640 2007-06-23] (BridgeCo AG)
S4 aksfridge;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-08 15:18 - 2013-10-08 15:18 - 00000000 ____D C:\FRST
2013-10-08 13:17 - 2013-10-08 14:08 - 95025368 ____T C:\ProgramData\wljlc4lrj.pff
2013-10-08 13:17 - 2013-10-08 14:08 - 00000000 _____ C:\ProgramData\wljlc4lrj.ctrl
2013-10-08 13:17 - 2013-10-08 13:17 - 00104960 _____ C:\ProgramData\jrl4cljlw.plz
2013-10-08 13:17 - 2013-10-08 13:17 - 00060512 ____T (Microsoft Corporation) C:\ProgramData\wljlc4lrj.pzz
2013-10-08 13:16 - 2013-10-08 13:16 - 00000000 ____D C:\Windows\Sun
2013-10-08 10:15 - 2013-10-08 10:15 - 00000146 _____ C:\Users\mallemaus\Desktop\Sound - Verknüpfung.lnk
2013-10-07 18:59 - 2013-10-07 18:59 - 00000000 ____D C:\Users\mallemaus\AppData\Local\{6FF85131-CF1B-4FA3-B039-143C393F306C}
2013-10-01 09:33 - 2013-10-01 09:33 - 00000000 ____D C:\Users\mallemaus\AppData\Local\{A9CC2940-070F-431F-A02D-3599D4933A49}
2013-09-26 11:18 - 2013-10-08 12:08 - 00000000 ____D C:\Users\mallemaus\AppData\Roaming\vlc
2013-09-26 11:18 - 2013-09-26 11:18 - 00001108 _____ C:\Users\Public\Desktop\VLC media player.lnk

==================== One Month Modified Files and Folders =======

2013-10-08 15:18 - 2013-10-08 15:18 - 00000000 ____D C:\FRST
2013-10-08 14:08 - 2013-10-08 13:17 - 95025368 ____T C:\ProgramData\wljlc4lrj.pff
2013-10-08 14:08 - 2013-10-08 13:17 - 00000000 _____ C:\ProgramData\wljlc4lrj.ctrl
2013-10-08 14:08 - 2013-07-13 09:06 - 00037183 _____ C:\Windows\setupact.log
2013-10-08 14:08 - 2013-02-09 20:21 - 00000000 ____D C:\Users\mallemaus\AppData\Roaming\Dropbox
2013-10-08 13:38 - 2009-07-14 05:45 - 00020992 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-08 13:38 - 2009-07-14 05:45 - 00020992 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-08 13:20 - 2013-02-09 20:22 - 00000000 ___RD C:\Users\mallemaus\Dropbox
2013-10-08 13:17 - 2013-10-08 13:17 - 00104960 _____ C:\ProgramData\jrl4cljlw.plz
2013-10-08 13:17 - 2013-10-08 13:17 - 00060512 ____T (Microsoft Corporation) C:\ProgramData\wljlc4lrj.pzz
2013-10-08 13:16 - 2013-10-08 13:16 - 00000000 ____D C:\Windows\Sun
2013-10-08 13:06 - 2011-10-06 04:00 - 00697534 _____ C:\Windows\System32\perfh007.dat
2013-10-08 13:06 - 2011-10-06 04:00 - 00148540 _____ C:\Windows\System32\perfc007.dat
2013-10-08 13:06 - 2009-07-14 06:13 - 01614892 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-08 12:09 - 2011-11-20 17:11 - 00000000 ____D C:\Users\mallemaus\AppData\Roaming\SoftGrid Client
2013-10-08 12:08 - 2013-09-26 11:18 - 00000000 ____D C:\Users\mallemaus\AppData\Roaming\vlc
2013-10-08 10:15 - 2013-10-08 10:15 - 00000146 _____ C:\Users\mallemaus\Desktop\Sound - Verknüpfung.lnk
2013-10-08 07:35 - 2012-06-19 00:04 - 00000000 ____D C:\Users\mallemaus\AppData\Local\CrashDumps
2013-10-07 19:20 - 2013-07-11 17:10 - 00000000 ____D C:\Users\mallemaus\AppData\Roaming\Spotify
2013-10-07 18:59 - 2013-10-07 18:59 - 00000000 ____D C:\Users\mallemaus\AppData\Local\{6FF85131-CF1B-4FA3-B039-143C393F306C}
2013-10-07 18:58 - 2013-07-11 17:10 - 00000000 ____D C:\Users\mallemaus\AppData\Local\Spotify
2013-10-01 09:33 - 2013-10-01 09:33 - 00000000 ____D C:\Users\mallemaus\AppData\Local\{A9CC2940-070F-431F-A02D-3599D4933A49}
2013-09-26 11:18 - 2013-09-26 11:18 - 00001108 _____ C:\Users\Public\Desktop\VLC media player.lnk
2013-09-26 11:15 - 2012-04-07 21:20 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-26 11:15 - 2012-04-07 21:20 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-26 11:15 - 2011-10-05 18:31 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Files to move or delete:
====================
C:\ProgramData\jrl4cljlw.plz
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
C:\ProgramData\wljlc4lrj.ctrl
C:\ProgramData\wljlc4lrj.pff


Some content of TEMP:
====================
C:\Users\mallemaus\AppData\Local\Temp\ijl11.dll
C:\Users\mallemaus\AppData\Local\Temp\pegavi.dll
C:\Users\mallemaus\AppData\Local\Temp\pegcore.dll
C:\Users\mallemaus\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\mallemaus\AppData\Local\Temp\~tmf7702404795667212206.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

9
Restore point made on: 2013-06-20 18:35:02
Restore point made on: 2013-06-20 18:41:37
Restore point made on: 2013-06-20 18:42:05
Restore point made on: 2013-06-20 18:42:21
Restore point made on: 2013-06-20 22:34:45
Restore point made on: 2013-06-20 22:38:46
Restore point made on: 2013-06-23 16:53:24
Restore point made on: 2013-07-15 14:59:33
Restore point made on: 2013-07-30 12:28:56

==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 6125.22 MB
Available physical RAM: 5368.88 MB
Total Pagefile: 6123.42 MB
Available Pagefile: 5356.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:302.36 GB) (Free:88.81 GB) NTFS
Drive d: (KINGSTON) (Removable) (Total:14.53 GB) (Free:10.8 GB) NTFS
Drive e: (Volume) (Fixed) (Total:275.44 GB) (Free:47.35 GB) NTFS
Drive g: (Recovery) (Fixed) (Total:18.27 GB) (Free:1.1 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: 4D8196D3)
Partition 1: (Not Active) - (Size=18 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=302 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=275 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15 GB) - (Type=07 NTFS)


LastRegBack: 2013-06-22 18:54

==================== End Of Log ============================


cosinus 08.10.2013 14:55

Well, hello first of all!!


Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:

Startup: C:\Users\mallemaus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wljlc4lrj.lnk
ShortcutTarget: wljlc4lrj.lnk -> C:\PROGRA~3\jrl4cljlw.plz ()
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
C:\ProgramData\jrl4cljlw.plz
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
C:\ProgramData\wljlc4lrj.pzz
C:\ProgramData\wljlc4lrj.ctrl
C:\ProgramData\wljlc4lrj.pff
C:\Users\mallemaus\AppData\Local\Temp\ijl11.dll
C:\Users\mallemaus\AppData\Local\Temp\pegavi.dll
C:\Users\mallemaus\AppData\Local\Temp\pegcore.dll
C:\Users\mallemaus\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\mallemaus\AppData\Local\Temp\~tmf7702404795667212206.dll

Please save it as Fixlist.txt on your USB stick.
  • Restart your computer into the repair options again
  • Now start FRST.exe again and click the Remove button.

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.
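The post does not spell out why exactly these lines went into the fixlist, so here is an added example (my code, not FRST's and not from this thread) that parses the Run, Startup and Service lines of the FRST log above and flags the same two entries for the reasons a helper looks at: an autostart target sitting in ProgramData (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData) or in Temp, an extension that is not a normal executable (.plz, .pzz), an empty publisher field, and a built-in Windows service whose binary path has been redirected away from svchost.exe. On Windows 7 the Winmgmt (WMI) service runs as C:\Windows\System32\svchost.exe (-k netsvcs); the other names in SVCHOST_SERVICES are my assumption, and SAMPLE_LOG is constructed from lines of the log above plus benign neighbours as controls.

```python
"""Triage FRST autostart lines (Run keys, Startup shortcuts, services) into a fixlist."""
import ntpath
import re

# Constructed sample: autostart lines copied from the FRST log in this thread, with
# benign neighbours kept as controls. Not a complete log.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [347192 2013-09-04] (Avira Operations GmbH & Co. KG)
HKU\mallemaus\...\Run: [Spotify Web Helper] - C:\Users\mallemaus\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1140736 2013-10-07] (Spotify Ltd)
ShortcutTarget: Dropbox.lnk ->  (No File)
ShortcutTarget: wljlc4lrj.lnk -> C:\PROGRA~3\jrl4cljlw.plz ()
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [108088 2013-09-04] (Avira Operations GmbH & Co. KG)
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
"""

# The three FRST line shapes handled here. The trailing "(...)" is the publisher
# read from the file's version resource; "(No File)" marks a dangling shortcut.
RUN_RE = re.compile(r"^HK\S+?\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?) \[\d+ [\d-]+\] \((?P<pub>[^)]*)\)$")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<path>.*?) ?\((?P<pub>[^)]*)\)$")
SVC_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ [\d-]+\] \((?P<pub>[^)]*)\)$")

SVCHOST_PATH = r"c:\windows\system32\svchost.exe"
# Services Windows 7 hosts in svchost.exe. Winmgmt (WMI) is the one hijacked in this
# thread; the other names are an assumption of mine, extend as needed.
SVCHOST_SERVICES = {"winmgmt", "schedule", "wuauserv", "bits"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl"}
STAGING_PREFIXES = ("c:\\programdata", "c:\\progra~3")  # PROGRA~3 is the 8.3 alias


def parse_entry(line):
    """Return {kind, name, path, publisher, raw} for an autostart line, else None."""
    line = line.strip()
    for kind, rx in (("run", RUN_RE), ("startup", LNK_RE), ("service", SVC_RE)):
        m = rx.match(line)
        if not m:
            continue
        path, pub = m.group("path").strip(), m.group("pub")
        if pub == "No File":
            path, pub = "", None
        return {"kind": kind, "name": m.group("name"), "path": path, "publisher": pub, "raw": line}
    return None


def triage(entry):
    """List the reasons an entry looks like malware persistence (empty list = clean)."""
    reasons = []
    path = entry["path"]
    if not path:
        return reasons
    low = path.lower()
    folder, ext = ntpath.dirname(low), ntpath.splitext(low)[1]
    if folder.startswith(STAGING_PREFIXES) or "\\appdata\\local\\temp" in folder:
        reasons.append("runs from ProgramData or Temp instead of Program Files/Windows")
    if ext not in PE_EXTENSIONS:
        reasons.append(f"autostart target has non-executable extension {ext!r}")
    if entry["publisher"] == "":
        reasons.append("no publisher/version resource at all")
    # The publisher string is attacker-controlled (wljlc4lrj.pzz claims Microsoft), so
    # for built-in services compare the binary path, not the name in parentheses.
    if (entry["kind"] == "service" and entry["name"].lower() in SVCHOST_SERVICES
            and not low.startswith(SVCHOST_PATH)):
        reasons.append(f"built-in service {entry['name']} hijacked to {path}; expected {SVCHOST_PATH}")
    return reasons


def triage_log(text):
    """Map entry name -> reasons, for every autostart line that raised a flag."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := triage(entry)):
            flagged.setdefault(entry["name"], []).extend(reasons)
    return flagged


def build_fixlist(text):
    """Raw log lines to paste into Fixlist.txt (FRST takes its own log lines verbatim)."""
    return [e["raw"] for e in map(parse_entry, text.splitlines()) if e and triage(e)]


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("  -", r)
    print("\nFixlist.txt:")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Two things worth noting against the thread. First, "(Microsoft Corporation)" on wljlc4lrj.pzz comes from the file's own version resource and proves nothing; the redirected Winmgmt binary path is the reliable signal, and the Fixlog's "Winmgmt => Service restored successfully." is FRST putting that path back. Second, for a Startup entry cosinus copies both the "Startup:" line and its "ShortcutTarget:" line into the fixlist, as in the post above; the script only emits the ShortcutTarget line, so add the matching Startup line by hand.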

mallemaus 08.10.2013 17:35

Wow....I'm thrilled,
and first of all hello, esteemed Cosinus...I'm also sorry that I wrote so tersely.

My computer boots up again without problems, and since I'm no PC whiz, I would have been lost without your help. Huge thanks. Your explanations and instructions were also super easy to follow. A thousand thanks for this fast and reliable help.

All the best and kind regards,

jan

P.S.: Many, many thanks,

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by SYSTEM at 2013-10-08 18:19:15 Run:1
Running from D:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Startup: C:\Users\mallemaus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wljlc4lrj.lnk
ShortcutTarget: wljlc4lrj.lnk -> C:\PROGRA~3\jrl4cljlw.plz ()
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\wljlc4lrj.pzz [60512 2013-10-08] (Microsoft Corporation)
C:\ProgramData\jrl4cljlw.plz
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
C:\ProgramData\wljlc4lrj.pzz
C:\ProgramData\wljlc4lrj.ctrl
C:\ProgramData\wljlc4lrj.pff
C:\Users\mallemaus\AppData\Local\Temp\ijl11.dll
C:\Users\mallemaus\AppData\Local\Temp\pegavi.dll
C:\Users\mallemaus\AppData\Local\Temp\pegcore.dll
C:\Users\mallemaus\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\mallemaus\AppData\Local\Temp\~tmf7702404795667212206.dll
*****************

C:\Users\mallemaus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wljlc4lrj.lnk => Moved successfully.
C:\PROGRA~3\jrl4cljlw.plz => Moved successfully.
Winmgmt => Service restored successfully.
Winmgmt => Service restored successfully.
"C:\ProgramData\jrl4cljlw.plz" => File/Directory not found.
C:\ProgramData\PKP_DLes.DAT => Moved successfully.
C:\ProgramData\PKP_DLet.DAT => Moved successfully.
C:\ProgramData\PKP_DLev.DAT => Moved successfully.
C:\ProgramData\wljlc4lrj.pzz => Moved successfully.
C:\ProgramData\wljlc4lrj.ctrl => Moved successfully.
C:\ProgramData\wljlc4lrj.pff => Moved successfully.
C:\Users\mallemaus\AppData\Local\Temp\ijl11.dll => Moved successfully.
C:\Users\mallemaus\AppData\Local\Temp\pegavi.dll => Moved successfully.
C:\Users\mallemaus\AppData\Local\Temp\pegcore.dll => Moved successfully.
C:\Users\mallemaus\AppData\Local\Temp\vlc-2.0.8-win32.exe => Moved successfully.
C:\Users\mallemaus\AppData\Local\Temp\~tmf7702404795667212206.dll => Moved successfully.

==== End of Fixlog ====

cosinus 09.10.2013 00:57

Well, hello again :D

Does the computer start normally again? Looks like it, so carry on like this:

Malwarebytes Anti-Rootkit (MBAR)

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Please start mbar.exe.
  • Follow the on-screen instructions as described in the Malwarebytes Anti-Rootkit guide
  • Be sure to update the database and allow the tool to scan your system.
  • Click the CleanUp button and allow the reboot.
  • During the reboot MBAR will remove the objects it found, so be patient.
  • After the reboot, start mbar.exe again.
  • If anything is found again, repeat the CleanUp process.
The tool will create a log file ( mbar-log-<year-month-day>.txt ) in the folder it created. Please post it here.

Do not run any other file in this folder without instructions from a helper

