Dr. Schlunz | 14.04.2012 02:26 | Windows 7 malware problem
Hello,
For some time I have been having problems with my notebook. First I picked up a piece of malware, Smart HDD, which I removed following instructions I got in another forum. After that things were quiet for a while; yesterday Windows froze and would not boot any more (the desktop appeared, but I could not access anything). I then did a full restore (Samsung Recovery) and reinstalled all the programs etc. Today it froze again, but I was able to boot and work again. HijackThis reported this process, which it classifies as very harmful:
O20 - AppInit_DLLs: C:\windows\SysWOW64\nvinit.dll
I then did everything the instructions here ask for regarding log files:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 02:59 on 14/04/2012 (Philip)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
DDS Logfile:
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Philip at 3:09:14 on 2012-04-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.49.1031.18.4010.2457 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\taskeng.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\Users\Philip\Desktop\HiJackThis204.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Samsung\Easy Support Center\SSCKbdHk.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://samsung.msn.com
uDefault_Page_URL = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
mWinlogon: Userinit=userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{4E4EA64B-7C24-4089-A9D5-BFF9CAC24583} : DhcpNameServer = 192.168.178.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\windows\SysWOW64\nvinit.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{d2ce3e00-f94a-4740-988e-03dc2f38c34f}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{8dcb7100-df86-4384-8842-8fa844297b3f}
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
AppInit_DLLs-X64: C:\windows\SysWOW64\nvinit.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Philip\AppData\Roaming\Mozilla\Firefox\Profiles\srncvmda.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;C:\windows\system32\DRIVERS\nvpciflt.sys --> C:\windows\system32\DRIVERS\nvpciflt.sys [?]
R1 aswSnx;aswSnx;C:\windows\system32\drivers\aswSnx.sys --> C:\windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\windows\system32\drivers\aswSP.sys --> C:\windows\system32\drivers\aswSP.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\drivers\aswFsBlk.sys --> C:\windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\windows\system32\drivers\aswMonFlt.sys --> C:\windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-4-12 44768]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-11 1997416]
R2 SGDrv;SGDrv;C:\windows\system32\DRIVERS\SGdrv64.sys --> C:\windows\system32\DRIVERS\SGdrv64.sys [?]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-10-11 2656536]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\windows\system32\DRIVERS\clwvd.sys --> C:\windows\system32\DRIVERS\clwvd.sys [?]
R3 ETD;ELAN PS/2 Port Input Device;C:\windows\system32\DRIVERS\ETD.sys --> C:\windows\system32\DRIVERS\ETD.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 gupdate;Google Update-Dienst (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-12 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-4-12 1153368]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-12 253600]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 gupdatem;Google Update-Dienst (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-12 136176]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-13 09:16:42 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{444860D4-64FD-4659-ABB7-D10D2C69F714}\mpengine.dll
2012-04-13 02:11:14 162664 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-04-13 01:01:37 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%
2012-04-13 00:59:57 -------- d-----w- C:\Users\Philip\AppData\Local\ElevatedDiagnostics
2012-04-12 07:47:09 174640 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2012-04-12 07:47:05 423936 ----a-w- C:\windows\Reseal64.exe
2012-04-12 07:47:04 428544 ----a-w- C:\windows\AutoReseal.exe
2012-04-12 02:04:49 -------- d-----w- C:\Users\Philip\AppData\Roaming\IrfanView
2012-04-12 02:04:49 -------- d-----w- C:\Program Files (x86)\IrfanView
2012-04-12 01:56:15 8767136 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-12 01:14:31 70304 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-12 01:14:31 418464 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-04-12 01:02:51 5559152 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-04-12 01:02:51 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-04-12 01:02:50 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-04-12 01:01:23 81408 ----a-w- C:\windows\System32\imagehlp.dll
2012-04-12 01:01:23 5120 ----a-w- C:\windows\SysWow64\wmi.dll
2012-04-12 01:01:23 5120 ----a-w- C:\windows\System32\wmi.dll
2012-04-12 01:01:23 23408 ----a-w- C:\windows\System32\drivers\fs_rec.sys
2012-04-12 01:01:23 220672 ----a-w- C:\windows\System32\wintrust.dll
2012-04-12 01:01:23 172544 ----a-w- C:\windows\SysWow64\wintrust.dll
2012-04-12 01:01:23 159232 ----a-w- C:\windows\SysWow64\imagehlp.dll
2012-04-12 00:45:27 -------- d-----w- C:\Program Files\Tracker Software
2012-04-12 00:41:34 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-04-12 00:40:56 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-04-11 23:51:51 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-04-11 23:51:51 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-04-11 23:43:48 -------- d-----w- C:\Users\Philip\AppData\Roaming\COWON
2012-04-11 23:42:35 -------- d-----w- C:\Program Files (x86)\Common Files\COWON
2012-04-11 23:42:34 -------- d-----w- C:\Program Files (x86)\JetAudio
2012-04-11 23:28:16 -------- d-----w- C:\Users\Philip\AppData\Roaming\foobar2000
2012-04-11 23:28:01 -------- d-----w- C:\Program Files (x86)\foobar2000
2012-04-11 22:34:34 -------- d-----w- C:\Users\Philip\AppData\Local\Google
2012-04-11 22:34:22 53080 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2012-04-11 22:34:19 819032 ----a-w- C:\windows\System32\drivers\aswSnx.sys
2012-04-11 22:34:16 69976 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2012-04-11 22:33:12 41184 ----a-w- C:\windows\avastSS.scr
2012-04-11 22:33:01 -------- d-----w- C:\ProgramData\AVAST Software
2012-04-11 22:33:01 -------- d-----w- C:\Program Files\AVAST Software
2012-04-11 22:06:33 6144 ---ha-w- C:\windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-04-11 22:05:42 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-04-11 21:13:49 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2012-04-11 21:09:38 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll
2012-04-11 21:09:38 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
2012-04-11 21:09:38 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-04-11 21:09:38 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2012-04-11 21:09:36 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
2012-04-11 21:09:36 77312 ----a-w- C:\windows\System32\rdpwsx.dll
2012-04-11 21:09:36 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-04-11 20:54:11 -------- d-----w- C:\Users\Philip\AppData\Local\Power2Go
2012-04-11 20:53:06 -------- d-----r- C:\Program Files (x86)\Skype
2012-04-11 20:50:03 -------- d-sh--w- C:\Recovery
.
==================== Find3M ====================
.
2012-02-28 06:56:48 2311168 ----a-w- C:\windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb
2012-02-23 08:18:36 279656 ------w- C:\windows\System32\MpSigStub.exe
2012-02-10 06:36:07 1544192 ----a-w- C:\windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\windows\System32\win32k.sys
.
============= FINISH: 3:10:00,14 ===============
Many thanks in advance for any help
Dr. Schlunz
Here is the zipped Attach.txt as well
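Added example for this thread, not part of the original post or of HijackThis/DDS. The O20 line and the DDS lines "AppInit_DLLs:" and "AppInit_DLLs-X64:" both point at the same mechanism: a DLL listed under AppInit_DLLs is loaded into every process that loads user32.dll, which is why HijackThis flags O20 entries regardless of who ships the file. What a helper would check next is not the name but the file itself: whether the entry is actually active (LoadAppInit_DLLs), whether the file exists, who signed it, and its hash. The script below reads both registry views of a 64-bit Windows 7 system and reports that for every listed DLL. The registry paths and cmdlets are the standard Windows ones; the only assumption is that it is run from a 64-bit PowerShell window, because a 32-bit PowerShell sees the Wow6432Node view in place of the native one.

```powershell
# Added example for this thread, not part of the original post or of any tool it mentions.
# Lists every AppInit_DLLs entry in both registry views of a 64-bit Windows 7 system
# and reports whether the list is active, plus signature status and SHA-256 of each file.
# Run from a 64-bit PowerShell window; in a 32-bit one, registry redirection hides the native view.

$views = @{
    'x64 (native) view' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'x86 (WOW64) view'  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-FileSha256 {
    param([string]$Path)
    # SHA-256 via .NET so the script also runs on the PowerShell 2.0 that shipped with Windows 7
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($name in $views.Keys) {
    $key = $views[$name]
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # LoadAppInit_DLLs = 0 means the list is ignored even if it is populated
    $enabled = [int]$props.LoadAppInit_DLLs
    $list    = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrEmpty($list.Trim())) {
        "$name : AppInit_DLLs is empty (LoadAppInit_DLLs=$enabled)"
        continue
    }
    # The value is a space- or comma-separated list of DLL paths; short (8.3) names are allowed
    foreach ($entry in ($list -split '[ ,]+' | Where-Object { $_ })) {
        $path   = [Environment]::ExpandEnvironmentVariables($entry)
        $record = @{ View = $name; Active = ($enabled -eq 1); Path = $path }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $record.Signature = $sig.Status
            $record.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            $record.Sha256    = Get-FileSha256 $path
        } else {
            # A listed file that is gone is itself worth noting: something removed it, or the value was left behind
            $record.Signature = 'FILE MISSING'
        }
        New-Object PSObject -Property $record
    }
}
```

Read the output as a triage table rather than a verdict: an entry with Active = False is dead weight, a Signature of Valid with a recognisable vendor subject is the usual case for a driver helper DLL in a system directory, and NotSigned, HashMismatch or a file missing from the path is what turns an O20 line from noise into something to look at. The SHA-256 is there so the file can be compared against a known-good copy or a reputation service without uploading it.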