Windows Vista: GVU Trojan + Safe Mode doesn't work
Hi TB-Team,
my father has caught the GVU Trojan, and since Safe Mode doesn't work, I depend on your help.
On the current system I only want to back up a few files, and then it will be completely formatted and reinstalled. So any further fixes/cleans that you will surely find given the current state of my father's PC are probably not necessary; I just need the lock screen removed.
I had already tried to create a log yesterday, but only noticed today that OTL is only used for XP, so I have now created the FRST log.
Thanks in advance,
Regards, Pascal
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014 01
Ran by SYSTEM on MINWINPC on 15-03-2014 12:44:43
Running from G:\
Windows Vista (TM) Home Premium (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1006264 2007-11-02] (Microsoft Corporation)
HKLM\...\Run: [StartCCC] - c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [90112 2006-11-10] ()
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4702208 2007-10-31] (Realtek Semiconductor)
HKLM\...\Run: [NeroFilterCheck] - C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [153136 2007-02-26] (Nero AG)
HKLM\...\Run: [recinfo933] - c:\RecInfo\RecInfo.exe [2764800 2007-10-23] ()
HKLM\...\Run: [FaxCenterServer] - C:\Program Files\Lexmark Fax Solutions\fm3032.exe [295856 2007-02-08] ()
HKLM\...\Run: [WinampAgent] - C:\Program Files\Winamp\winampa.exe [37376 2008-01-15] ()
HKLM\...\Run: [lxczbmgr.exe] - C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [74672 2007-02-08] (Lexmark International, Inc.)
HKLM\...\Run: [GrooveMonitor] - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [LogitechCommunicationsManager] - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [488984 2007-02-07] (Logitech Inc.)
HKLM\...\Run: [LogitechQuickCamRibbon] - C:\Program Files\Logitech\QuickCam10\QuickCam10.exe [774168 2007-02-07] ()
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Thomas und Uschi\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
HKU\Thomas und Uschi\...\Run: [TomTomHOME.exe] - C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [248208 2013-03-21] (TomTom)
HKU\Thomas und Uschi\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [1050912 2014-03-03] (Conduit)
Startup: C:\Users\Thomas und Uschi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9lcwlvbnrj.lnk
ShortcutTarget: 9lcwlvbnrj.lnk -> C:\ProgramData\jrnbvlwcl9.cpp (Корпорация Майкрософт)
Startup: C:\Users\Thomas und Uschi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
ShortcutTarget: MyPC Backup.lnk -> C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
========================== Services (Whitelisted) =================
S2 BackupStack; C:\Program Files\MyPC Backup\BackupStack.exe [38440 2013-09-19] (Just Develop It)
S2 CltMngSvc; C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe [2454816 2014-03-03] (Conduit)
S3 HRService; C:\Program Files\Haufe\iDesk\iDeskService\iDeskService.exe [71208 2007-09-06] ()
S2 LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [105248 2007-02-06] (Logitech Inc.)
S2 lxcz_device; C:\Windows\system32\lxczcoms.exe [537520 2007-02-08] ( )
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)
S2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [214896 2012-02-01] ()
S2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [66872 2008-02-17] ()
S2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [103736 2008-02-17] ()
S2 SystemStoreService; C:\Program Files\SoftwareUpdater\SystemStore.exe [297984 2014-03-14] ()
S2 TestHandler; C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [204800 2006-12-08] (Fujitsu Siemens Computers)
S2 TuneUp.UtilitiesSvc; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe [1731896 2014-01-28] (TuneUp Software)
S2 WajamUpdaterV3; C:\Program Files\Wajam\Updater\WajamUpdaterV3.exe [114176 2013-11-01] (Wajam)
S2 Winmgmt; C:\ProgramData\jrnbvlwcl9.cpp [155648 2014-03-13] (Корпорация Майкрософт)
==================== Drivers (Whitelisted) ====================
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [385072 2008-01-18] (Symantec Corporation)
S4 JRAID; C:\Windows\system32\drivers\jraid.sys [48256 2007-06-13] (JMicron Technology Corp.)
S3 LVcKap; C:\Windows\System32\DRIVERS\LVcKap.sys [1691808 2007-02-06] ()
S3 LVMVDrv; C:\Windows\System32\DRIVERS\LVMVDrv.sys [1964064 2007-02-06] (Logitech Inc.)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25632 2007-02-06] ()
S3 LVUSBSta; C:\Windows\System32\drivers\LVUSBSta.sys [41504 2007-02-03] (Logitech Inc.)
S3 netrcacm; C:\Windows\System32\DRIVERS\netrcacm.sys [20648 2003-01-20] (Thomson Inc.)
S3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [14240 2007-02-03] (Logitech Inc.)
S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [938272 2007-02-03] (Logitech Inc.)
S3 sea1bus; C:\Windows\System32\DRIVERS\sea1bus.sys [61536 2007-01-04] (MCCI)
S3 sea1mdfl; C:\Windows\System32\DRIVERS\sea1mdfl.sys [9360 2007-01-04] (MCCI)
S3 sea1mdm; C:\Windows\System32\DRIVERS\sea1mdm.sys [97088 2007-01-04] (MCCI)
S3 sea1mgmt; C:\Windows\System32\DRIVERS\sea1mgmt.sys [88624 2007-01-04] (MCCI)
S3 sea1unic; C:\Windows\System32\DRIVERS\sea1unic.sys [90800 2007-01-04] (MCCI)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2012-09-01] (Avira GmbH)
S3 TuneUpUtilitiesDrv; C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys [10088 2012-11-16] (TuneUp Software)
S4 viamraid; C:\Windows\system32\drivers\viamraid.sys [102912 2006-11-08] (VIA Technologies inc,.ltd)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-03-15 12:44 - 2014-03-15 12:44 - 00000000 ____D () C:\FRST
2014-03-14 14:11 - 2014-03-14 14:11 - 00072314 _____ () C:\OTL.Txt
2014-03-14 05:52 - 2014-03-14 05:52 - 00000000 ____D () C:\Users\Thomas und Uschi\AppData\Local\SoftwareUpdater
2014-03-13 10:43 - 2014-03-13 10:43 - 95027928 ____T () C:\ProgramData\9lcwlvbnrj.fee
2014-03-13 10:43 - 2014-03-13 10:43 - 00155648 _____ (Корпорация Майкрософт) C:\ProgramData\jrnbvlwcl9.cpp
2014-03-12 10:24 - 2014-03-12 10:25 - 00765576 _____ (Reimage®) C:\Users\Thomas und Uschi\Downloads\ReimageRepair.exe
2014-03-01 09:12 - 2014-03-14 06:06 - 00001374 _____ () C:\Users\Thomas und Uschi\Desktop\Registry kostenlos entrümpeln!.lnk
==================== One Month Modified Files and Folders =======
2014-03-15 12:44 - 2014-03-15 12:44 - 00000000 ____D () C:\FRST
2014-03-14 14:11 - 2014-03-14 14:11 - 00072314 _____ () C:\OTL.Txt
2014-03-14 13:37 - 2007-12-29 04:57 - 00000000 ____D () C:\users\Thomas und Uschi
2014-03-14 07:27 - 2007-12-29 04:47 - 01389918 _____ () C:\Windows\WindowsUpdate.log
2014-03-14 07:06 - 2006-11-02 04:47 - 00003072 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-14 07:06 - 2006-11-02 04:47 - 00003072 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-14 06:48 - 2012-08-30 07:01 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-03-14 06:48 - 2011-10-01 07:51 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-03-14 06:06 - 2014-03-01 09:12 - 00001374 _____ () C:\Users\Thomas und Uschi\Desktop\Registry kostenlos entrümpeln!.lnk
2014-03-14 05:52 - 2014-03-14 05:52 - 00000000 ____D () C:\Users\Thomas und Uschi\AppData\Local\SoftwareUpdater
2014-03-14 05:46 - 2006-11-02 04:47 - 00110592 _____ () C:\Windows\System32\umstartup.etl
2014-03-14 05:21 - 2012-01-08 04:41 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-14 05:07 - 2007-11-30 08:27 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-13 10:43 - 2014-03-13 10:43 - 95027928 ____T () C:\ProgramData\9lcwlvbnrj.fee
2014-03-13 10:43 - 2014-03-13 10:43 - 00155648 _____ (Корпорация Майкрософт) C:\ProgramData\jrnbvlwcl9.cpp
2014-03-12 10:25 - 2014-03-12 10:24 - 00765576 _____ (Reimage®) C:\Users\Thomas und Uschi\Downloads\ReimageRepair.exe
2014-03-10 09:54 - 2012-08-26 07:14 - 00000000 ____D () C:\Users\Thomas und Uschi\AppData\Local\Deployment
2014-03-08 03:18 - 2011-10-01 07:51 - 00001969 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-03-07 12:16 - 2013-12-30 10:43 - 00000000 ____D () C:\Program Files\SearchProtect
2014-02-21 10:25 - 2006-11-02 02:33 - 01461736 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-02-21 09:41 - 2013-12-30 10:52 - 00000000 ____D () C:\Program Files\Wajam
2014-02-19 11:35 - 2013-07-27 04:52 - 00033022 _____ () C:\Windows\PFRO.log
2014-02-19 11:35 - 2013-04-17 10:24 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-02-16 09:49 - 2013-08-14 23:54 - 00000000 ____D () C:\Windows\System32\MRT
2014-02-16 09:39 - 2006-11-02 02:24 - 85946576 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
Files to move or delete:
====================
C:\ProgramData\9lcwlvbnrj.fee
C:\Users\Public\GMX_Toolbar_IE_Setup.exe
Some content of TEMP:
====================
C:\Users\Thomas und Uschi\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Thomas und Uschi\AppData\Local\Temp\rtdrvmon.exe
C:\Users\Thomas und Uschi\AppData\Local\Temp\SPSetup.exe
==================== Known DLLs (Whitelisted) ============
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2007-11-02 15:17] - [2007-11-02 15:17] - 0308224 ____A (Microsoft Corporation) A3FEA6ED9FD3CF07219A632E4A716226
C:\Windows\System32\wininit.exe
[2007-11-02 15:17] - [2007-11-02 15:17] - 0095744 ____A (Microsoft Corporation) 39D959CD9F3BC44F78DB3C6588AAC3FE
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2007-11-02 15:17] - [2007-11-02 15:17] - 0633856 ____A (Microsoft Corporation) 3322B167C8F76319C991B851514DFAC9
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-04-16 02:49] - [2009-03-02 20:17] - 0550400 ____A (Microsoft Corporation) B1BB45E24717A7F790B4411C4446EF5E
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2006-11-02 00:52] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2014-01-16 10:12:50
Restore point made on: 2014-01-18 08:20:24
Restore point made on: 2014-01-24 11:33:24
Restore point made on: 2014-01-30 10:40:19
Restore point made on: 2014-02-01 06:09:03
Restore point made on: 2014-02-04 10:21:27
Restore point made on: 2014-02-08 04:17:03
Restore point made on: 2014-02-15 11:26:54
Restore point made on: 2014-02-16 09:38:17
Restore point made on: 2014-02-18 11:22:21
Restore point made on: 2014-02-21 09:48:27
Restore point made on: 2014-02-25 10:18:06
Restore point made on: 2014-02-28 10:31:05
Restore point made on: 2014-03-08 03:22:01
Restore point made on: 2014-03-11 08:02:56
Restore point made on: 2014-03-14 05:05:41
Restore point made on: 2014-03-14 06:40:21
==================== Memory info ===========================
Percentage of memory in use: 22%
Total physical RAM: 1918.88 MB
Available physical RAM: 1490.37 MB
Total Pagefile: 1711.67 MB
Available Pagefile: 1558.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.76 MB
==================== Drives ================================
Drive c: (SYSTEM) (Fixed) (Total:216.41 GB) (Free:126.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:107.22 GB) (Free:59.78 GB) NTFS
Drive f: (WinRE) (Fixed) (Total:11.72 GB) (Free:4.82 GB) NTFS
Drive g: () (Removable) (Total:14.89 GB) (Free:14.89 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 335 GB) (Disk ID: C5DD776A)
Partition: GPT Partition Type.
========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 00000000)
Partition: GPT Partition Type.
LastRegBack: 2014-03-14 06:12
==================== End Of Log ============================