GVU-Trojaner mit Webcam neu ?

JeffreyG · 22.01.2013, 14:15

Hallo ,

Ich habe hier auf einem Laptop den neuen (ich nehme an neu) GVU-Trjaner der sogar auf meine Integrierte Cam im laptop zugreifen kann und ein Bild von mir macht wenn ich mich davor stelle.

Habe ohne große bedenken den Kaspersky Windowsunlocker Verwendet, die neueste version die es auf chip gibt . Leider ohne erfolg , bis ich dan auf diese forum gestoßen bin. Ich habe mir hier ein paar threads durchgelesehn und habe dann demetsprechent gehandelt mit OTLPE

und nun lade ich die OTL.txt mal doch und hoffe auf hilfe .

Code:

ATTFilter

OTL logfile created on: 1/22/2013 1:44:04 PM - Run 
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = E: | %SystemRoot% = E:\windows | %ProgramFiles% = E:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 74.24 Mb Free Space | 74.25% Space Free | Partition Type: NTFS
Drive D: | 7.49 Gb Total Space | 6.52 Gb Free Space | 86.99% Space Free | Partition Type: FAT32
Drive E: | 905.18 Gb Total Space | 824.91 Gb Free Space | 91.13% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 7 Days
Using ControlSet: ControlSet001
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2012/02/02 08:29:52 | 000,628,448 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\iCLS Client\HeciServer.exe -- (Intel(R) Capability Licensing Service Interface) Intel(R)
SRV:64bit: - [2011/12/07 20:44:04 | 000,594,704 | ---- | M] (Intel® Corporation) [Auto] -- E:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe -- (ZeroConfigService) Intel(R)
SRV:64bit: - [2011/12/07 20:43:56 | 000,273,168 | ---- | M] () [On_Demand] -- E:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
SRV:64bit: - [2011/12/07 20:43:48 | 000,618,256 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV:64bit: - [2011/12/07 20:43:44 | 000,148,752 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV:64bit: - [2011/12/04 19:30:50 | 000,659,968 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe -- (AMPPALR3)
SRV:64bit: - [2011/12/04 18:55:36 | 000,135,952 | ---- | M] (Intel(R) Corporation) [Auto] -- E:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe -- (BTHSSecurityMgr) Intel(R) Centrino(R) Wireless Bluetooth(R)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/01/11 06:10:18 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/18 09:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto] -- E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/18 11:06:12 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/07/18 11:06:03 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2012/07/18 11:06:01 | 000,375,760 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2012/07/18 11:06:01 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- E:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/06/11 04:33:26 | 000,724,376 | ---- | M] (Nokia) [On_Demand] -- E:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2012/02/13 01:02:24 | 000,031,624 | ---- | M] () [Auto] -- E:\Program Files (x86)\Samsung\Easy Settings\SamsungDeviceConfiguration.exe -- (SamsungDeviceConfigurationWinService)
SRV - [2012/02/10 04:28:06 | 000,240,408 | ---- | M] (Microsoft Corporation.) [On_Demand] -- E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012/02/10 04:28:06 | 000,193,816 | ---- | M] (Microsoft Corporation.) [Auto] -- E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE -- (BBSvc)
SRV - [2012/02/07 21:03:36 | 000,363,800 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2012/02/07 21:03:34 | 000,277,784 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2012/02/07 21:03:28 | 000,128,280 | ---- | M] () [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe -- (Intel(R) ME Service) Intel(R)
SRV - [2012/02/07 21:03:16 | 000,161,560 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe -- (jhi_service) Intel(R)
SRV - [2012/02/02 12:28:10 | 000,274,200 | ---- | M] (Intel Corporation) [On_Demand] -- E:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs) Intel(R)
SRV - [2012/02/01 01:12:16 | 002,458,944 | ---- | M] (NVIDIA Corporation) [Auto] -- E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/01/10 13:30:16 | 000,201,344 | ---- | M] (Telefónica) [Auto] -- E:\Program Files (x86)\o2\Mobile Connection Manager\ImpWiFiSvc.exe -- (TGCM_ImportWiFiSvc)
SRV - [2011/12/19 05:16:50 | 001,104,208 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe -- (Bluetooth OBEX Service)
SRV - [2011/12/19 05:16:48 | 001,304,912 | ---- | M] (Intel Corporation) [On_Demand] -- E:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe -- (Bluetooth Media Service)
SRV - [2011/12/19 05:16:44 | 001,014,096 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe -- (Bluetooth Device Monitor)
SRV - [2010/10/22 06:08:18 | 001,039,360 | ---- | M] (Hewlett-Packard Co.) [Auto] -- E:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2010/03/18 06:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012/07/18 11:06:32 | 000,132,832 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV:64bit: - [2012/07/18 11:06:32 | 000,098,848 | ---- | M] (Avira GmbH) [File_System | Auto] -- E:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV:64bit: - [2012/07/18 11:06:32 | 000,027,760 | ---- | M] (Avira GmbH) [Kernel | System] -- E:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV:64bit: - [2012/06/11 04:33:46 | 000,026,112 | ---- | M] (Nokia) [Kernel | On_Demand] -- E:\Windows\System32\drivers\pccsmcfdx64.sys -- (pccsmcfd)
DRV:64bit: - [2012/02/01 01:12:14 | 000,028,992 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\nvpciflt.sys -- (nvpciflt)
DRV:64bit: - [2012/01/05 05:36:54 | 014,652,768 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2012/01/04 13:58:50 | 000,786,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iusb3xhc.sys -- (iusb3xhc) Intel(R)
DRV:64bit: - [2012/01/04 13:58:50 | 000,355,096 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iusb3hub.sys -- (iusb3hub) Intel(R)
DRV:64bit: - [2012/01/04 13:58:50 | 000,016,152 | ---- | M] (Intel Corporation) [Kernel | Boot] -- E:\Windows\System32\drivers\iusb3hcs.sys -- (iusb3hcs) Intel(R)
DRV:64bit: - [2011/12/20 03:38:36 | 000,034,200 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\intelaud.sys -- (intaud_WaveExtensible)
DRV:64bit: - [2011/12/20 03:38:36 | 000,025,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iwdbus.sys -- (iwdbus)
DRV:64bit: - [2011/12/14 00:26:56 | 000,060,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\iBtFltCoex.sys -- (ibtfltcoex)
DRV:64bit: - [2011/12/12 21:26:20 | 000,747,008 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\btmhsf.sys -- (btmhsf)
DRV:64bit: - [2011/12/12 21:26:18 | 000,094,720 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\btmaux.sys -- (btmaux)
DRV:64bit: - [2011/12/05 13:23:08 | 000,331,264 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV:64bit: - [2011/12/04 19:22:58 | 000,195,584 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand] -- E:\Windows\System32\drivers\AmpPal.sys -- (AMPPALP)
DRV:64bit: - [2011/12/04 19:22:58 | 000,195,584 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand] -- E:\Windows\System32\drivers\AmpPal.sys -- (AMPPAL)
DRV:64bit: - [2011/12/01 08:51:00 | 011,417,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\NETwNs64.sys -- (NETwNs64) ___ Intel(R)
DRV:64bit: - [2011/11/23 09:02:20 | 000,648,808 | ---- | M] (Realtek                                            ) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/11/10 04:04:14 | 000,060,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\HECIx64.sys -- (MEIx64) Intel(R)
DRV:64bit: - [2011/08/17 02:19:38 | 000,031,216 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\clwvd.sys -- (clwvd)
DRV:64bit: - [2011/05/03 02:42:40 | 000,222,464 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV:64bit: - [2011/04/11 05:55:24 | 000,007,680 | ---- | M] (Phoenix Technologies Ltd.) [Kernel | Auto] -- E:\Windows\System32\drivers\SGDrv64.sys -- (SGDrv)
DRV:64bit: - [2011/01/30 05:19:34 | 000,086,016 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/08 03:59:40 | 000,032,768 | ---- | M] (Huawei Tech. Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ewdcsc.sys -- (Huawei)
DRV:64bit: - [2010/07/26 20:52:16 | 000,117,248 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- E:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\windows\system32\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Besitzer_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
IE - HKU\Besitzer_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/
IE - HKU\Besitzer_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\System32\Macromed\Flash\NPSWF64_11_5_502_146.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: E:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59: E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: E:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: E:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: E:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922:  File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: E:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/09/03 03:25:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/09/03 03:25:25 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - E:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [BTMTrayAgent] E:\Program Files (x86)\Intel\Bluetooth\btmshell.dll (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [avgnt] E:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKU\Besitzer_ON_E..\Run: [ieodjrzotp] E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe (BitTech Co. Ltd.)
O4 - HKU\Besitzer_ON_E..\Run: [PC Suite Tray] E:\Program Files (x86)\Nokia PC Suite\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - HKU\LocalService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\UpdatusUser_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin]  File not found
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin]  File not found
O4 - HKU\UpdatusUser_ON_E..\RunOnce: [mctadmin]  File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\Besitzer_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\UpdatusUser_ON_E\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - E:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O20:64bit: - AppInit_DLLs: (C:\windows\system32\nvinitx.dll) - E:\Windows\System32\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (C:\windows\SysWOW64\nvinit.dll) - E:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (C:\ProgramData\phxzbypky) - E:\ProgramData\phxzbypky.exe (BitTech Co. Ltd.)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/21 15:20:10 | 000,059,310 | RHS- | M] () - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{d85d1922-b70c-11e1-a33a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{d85d1922-b70c-11e1-a33a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\reatogoMenu.exe
O33 - MountPoints2\{e9a6221e-f2a8-11e1-bcc8-c48508596d06}\Shell - "" = AutoRun
O33 - MountPoints2\{e9a6221e-f2a8-11e1-bcc8-c48508596d06}\Shell\AutoRun\command - "" = E:\AutoRun.exe
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 7 Days ==========
 
[2013/01/21 14:33:09 | 000,000,000 | ---D | C] -- E:\Kaspersky Rescue Disk 10.0
[2013/01/20 07:08:01 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\Documents\Youcam
[2013/01/20 07:07:58 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\AppData\Roaming\CyberLink
[2013/01/20 07:07:58 | 000,000,000 | ---D | C] -- E:\Users\Besitzer\AppData\Local\CyberLink
[2013/01/20 07:00:57 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe
[2013/01/20 06:57:41 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe
[2013/01/20 06:57:40 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\ProgramData\phxzbypky.exe
 
========== Files - Modified Within 7 Days ==========
 
[2013/01/22 07:22:30 | 000,067,584 | --S- | M] () -- E:\windows\bootstat.dat
[2013/01/22 07:17:00 | 000,000,328 | ---- | M] () -- E:\windows\tasks\Xerox PhotoCafe Communicator.job
[2013/01/22 07:14:42 | 000,020,992 | -H-- | M] () -- E:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/22 07:14:42 | 000,020,992 | -H-- | M] () -- E:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/22 07:12:13 | 000,696,870 | ---- | M] () -- E:\windows\System32\perfh007.dat
[2013/01/22 07:12:13 | 000,652,148 | ---- | M] () -- E:\windows\System32\perfh009.dat
[2013/01/22 07:12:13 | 000,148,134 | ---- | M] () -- E:\windows\System32\perfc007.dat
[2013/01/22 07:12:13 | 000,121,080 | ---- | M] () -- E:\windows\System32\perfc009.dat
[2013/01/22 07:09:00 | 000,000,884 | ---- | M] () -- E:\windows\tasks\Adobe Flash Player Updater.job
[2013/01/22 07:07:13 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe
[2013/01/22 07:07:12 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe
[2013/01/22 07:07:01 | 4187,361,279 | -HS- | M] () -- E:\hiberfil.sys
[2013/01/22 07:05:21 | 000,174,592 | ---- | M] (BitTech Co. Ltd.) -- E:\ProgramData\phxzbypky.exe
[2013/01/21 13:29:51 | 000,000,830 | ---- | M] () -- E:\windows\tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
 
========== Files Created - No Company Name ==========
 
[2012/09/03 03:23:36 | 000,274,256 | ---- | C] () -- E:\windows\hpwins05.dat
[2012/09/03 03:23:36 | 000,003,111 | ---- | C] () -- E:\windows\hpwmdl05.dat
[2012/09/03 02:09:05 | 001,590,378 | ---- | C] () -- E:\windows\SysWow64\PerfStringBackup.INI
[2012/03/02 09:17:08 | 000,307,200 | ---- | C] () -- E:\windows\SetDisplayResolution.exe
[2012/03/02 08:30:00 | 000,001,340 | ---- | C] () -- E:\windows\HotFixList.ini
[2012/02/05 21:29:35 | 000,734,772 | ---- | C] () -- E:\windows\SysWow64\igkrng700.bin
[2012/02/05 21:29:30 | 000,557,476 | ---- | C] () -- E:\windows\SysWow64\igfcg700m.bin
[2012/02/05 21:29:27 | 000,058,880 | ---- | C] () -- E:\windows\SysWow64\igdde32.dll
[2012/02/05 21:29:25 | 012,978,688 | ---- | C] () -- E:\windows\SysWow64\ig7icd32.dll
[2012/02/02 08:08:26 | 000,001,536 | ---- | C] () -- E:\windows\SysWow64\IusEventLog.dll
[2010/11/20 22:24:49 | 000,252,928 | ---- | C] () -- E:\windows\SysWow64\DShowRdpFilter.dll
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- E:\windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- E:\windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- E:\windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- E:\windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- E:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:25:04 | 000,197,632 | ---- | C] () -- E:\windows\SysWow64\ir32_32.dll
[2009/07/13 16:59:36 | 000,982,196 | ---- | C] () -- E:\windows\SysWow64\igkrng500.bin
[2009/07/13 16:59:36 | 000,139,824 | ---- | C] () -- E:\windows\SysWow64\igfcg500.bin
[2009/07/13 16:59:36 | 000,097,448 | ---- | C] () -- E:\windows\SysWow64\igfcg500m.bin
[2009/07/13 16:59:35 | 000,417,344 | ---- | C] () -- E:\windows\SysWow64\igcompkrng500.bin
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- E:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- E:\windows\SysWow64\mlang.dat
 
========== LOP Check ==========
 
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
[2012/09/09 14:27:08 | 000,000,000 | ---D | M] -- E:\ProgramData\Installations
[2012/09/09 14:34:01 | 000,000,000 | ---D | M] -- E:\ProgramData\PC Suite
[2012/03/02 08:07:20 | 000,000,000 | ---D | M] -- E:\ProgramData\Roaming
[2012/03/04 23:07:41 | 000,000,000 | ---D | M] -- E:\ProgramData\SAMSUNG
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
[2012/08/30 04:37:09 | 000,000,000 | ---D | M] -- E:\ProgramData\Synaptics
[2012/03/02 09:19:07 | 000,000,000 | ---D | M] -- E:\ProgramData\Temp
[2009/07/14 00:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
[2012/08/30 05:02:52 | 000,000,000 | ---D | M] -- E:\ProgramData\WildTangent
[2012/03/05 18:11:47 | 000,000,000 | ---D | M] -- E:\ProgramData\WinClon
[2012/03/02 08:21:16 | 000,000,000 | ---D | M] -- E:\ProgramData\Xerox PhotoCafe
[2012/08/30 04:52:48 | 000,000,828 | ---- | M] () -- E:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
[2013/01/21 13:29:51 | 000,000,830 | ---- | M] () -- E:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
[2012/12/05 15:03:34 | 000,032,546 | ---- | M] () -- E:\windows\Tasks\SCHEDLGU.TXT
[2013/01/22 07:17:00 | 000,000,328 | ---- | M] () -- E:\windows\Tasks\Xerox PhotoCafe Communicator.job
 
========== Purity Check ==========
 
 
< End of report >

markusg · 22.01.2013, 14:32

Hi,
falls du deinen Nutzernamen im Log unkenntlich gemacht hast, passe ihn im Script an.
auf deinem zweiten pc gehe auf start, programme zubehör editor, kopiere dort
rein:

Code:

ATTFilter

:OTL
O4 - HKU\Besitzer_ON_E..\Run: [ieodjrzotp] E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe (BitTech Co. Ltd.)
O20:64bit: - HKLM Winlogon: Shell - (C:\ProgramData\phxzbypky) - E:\ProgramData\phxzbypky.exe (BitTech Co. Ltd.)
[2013/01/20 06:57:41 | 000,174,592 | ---- | C] (BitTech Co. Ltd.) -- E:\Users\Besitzer\AppData\Local\phxzbypky.exe
:Files
E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe
:Commands
[EMPTYFLASH] 
[emptytemp]

dieses speicherst du auf nem usb stick als fix.txt
nutze nun wieder OTLPENet.exe (starte also von der erstellten cd) und hake alles an, wie es bereits im post zu OTLPENet.exe beschrieben ist.
• Klicke nun bitte auf den Fix Button.
es sollte nun eine meldung ähnlich dieser: "load fix from file" erscheinen, lade also die fix.txt von deinem stick.
wenn dies nicht funktioniert, bitte den fix manuell eintragen.
dann klicke erneut den fix buton. pc startet evtl. neu. wenn ja, nimm die cd aus dem laufwerk, windows sollte nun normal starten und die otl.txt öffnen,
log posten bitte.

falls du keine symbole hast, dann rechtsklick, ansicht, desktop symbole einblenden

Hinweis: Die Datei bitte wie in der Anleitung zum UpChannel angegeben auch da hochladen. Bitte NICHT die ZIP-Datei hier als Anhang
in den Thread posten!

Drücke bitte die

+ E Taste.

Öffne dein Systemlaufwerk ( meistens C: )
Suche nun
folgenden Ordner: _OTL und öffne diesen.
Mache einen Rechtsklick auf den Ordner Movedfiles --> Senden an --> Zip-Komprimierter Ordner
Dies wird eine Movedfiles.zip Datei in _OTL erstellen
Lade diese bitte in unseren Uploadchannel
hoch. ( Durchsuchen --> C:\_OTL\Movedfiles.zip )

Teile mir mit ob der Upload problemlos geklappt hat. Danke im voraus

JeffreyG · 22.01.2013, 15:49

Ich habe die fix.txt eingefügt und auf Fix geklickt ...seit dem geht alles wider ... :-)

danke.

nur verstehe ich noch nicht ganz was ihr mit dem txt. jetzt woll bzw. was muss ich noch etwas machen ?

Code:

ATTFilter

========== OTL ==========
Registry key HKEY_USERS\Besitzer_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run not found.
E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\ProgramData\phxzbypky deleted successfully.
E:\ProgramData\phxzbypky.exe moved successfully.
E:\Users\Besitzer\AppData\Local\phxzbypky.exe moved successfully.
========== FILES ==========
File\Folder E:\Users\Besitzer\AppData\Roaming\phxzbypky.exe not found.
========== COMMANDS ==========
 
[EMPTYFLASH]
 
User: All Users
 
User: Besitzer
 
User: Default
 
User: Default User
 
User: Public
 
User: UpdatusUser
 
Total Flash Files Cleaned = 0.00 mb
 
 
[EMPTYTEMP]
 
User: All Users
 
User: Besitzer
 
User: Default
 
User: Default User
 
User: Public
 
User: UpdatusUser
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 310898091 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
 
Total Files Cleaned = 297.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 01222013_151049

markusg · 22.01.2013, 16:23

lies bitte weiter, der Upload fehlt

JeffreyG · 22.01.2013, 17:33

habe es nun so hochgeladen , wie es beschireben ist. Hoffe es passt so

ja es hat problemlos geklappr. :-)

markusg · 22.01.2013, 17:46

Passt, danke
download tdss killer:
http://www.trojaner-board.de/82358-t...entfernen.html
Klicke auf Change parameters
• Setze die Haken bei Verify driver digital signatures und Detect TDLFS file system
• Klick auf OK und anschließend auf Start scan
- bei funden erst mal immer skip wählen, log posten
c: öffnen, tdsskiller-datum-version.txt öffnen, Inhalt posten

22.01.2013, 16:23	#4
markusg /// Malware-holic	GVU-Trojaner mit Webcam neu ? lies bitte weiter, der Upload fehlt __________________ -Verdächtige mails bitte an uns zur Analyse weiterleiten: markusg.trojaner-board@web.de Weiterleiten Anleitung: http://markusg.trojaner-board.de Mails bitte vorerst nach obiger Anleitung an markusg.trojaner-board@web.de Weiterleiten Wenn Ihr uns unterstützen möchtet

GVU-Trojaner mit Webcam neu ?

Plagegeister aller Art und deren Bekämpfung: GVU-Trojaner mit Webcam neu ?