Log analysis and evaluation: W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe (Windows 7). If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To remove viruses and trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed. |
| | #1 |
| /// Malwareteam / Visitor | I have found out that your computer was possibly infected with a new ZA variant. We may have to take a few more steps to get rid of everything.
|
| | #2 |
| Oh, okay!
Here is the log. Code:
Zoek.exe Version 4.0.0.2 Updated 15-May-2013
Tool run by Miyu on 20.05.2013 at 20:16:21,68.
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
==== Older Logs ======================
C:\zoek-results16.05.2013-2350.log 41880 bytes
C:\zoek-results17.05.2013-0920.log 6862 bytes
C:\zoek-results17.05.2013-1212.log 1496 bytes
C:\zoek-results18.05.2013-1335.log 2227 bytes
C:\zoek-results18.05.2013-1403.log 619 bytes
C:\zoek-results18.05.2013-1934.log 4025 bytes
==== Batch Command(s) Run By Tool======================
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7C8D-3948
Verzeichnis von C:\
14.07.2009 07:08 <VERBINDUNG> Documents and Settings [..]
19.12.2012 03:13 <VERBINDUNG> Dokumente und Einstellungen [C:\Users]
19.12.2012 03:13 <VERBINDUNG> Programme [C:\Program Files]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen
14.07.2009 07:08 <SYMLINKD> All Users [C:\ProgramData]
14.07.2009 07:08 <VERBINDUNG> Default User [..]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\All Users
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\ProgramData]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
14.07.2009 07:08 <VERBINDUNG> Desktop [..]
14.07.2009 07:08 <VERBINDUNG> Documents [..]
19.12.2012 03:13 <VERBINDUNG> Dokumente [C:\Users\Public\Documents]
19.12.2012 03:13 <VERBINDUNG> Favoriten [C:\Users\Public\Favorites]
14.07.2009 07:08 <VERBINDUNG> Favorites [..]
14.07.2009 07:08 <VERBINDUNG> Start Menu [..]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\ProgramData\Microsoft\Windows\Start Menu]
14.07.2009 07:08 <VERBINDUNG> Templates [..]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\ProgramData\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\All Users\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\ProgramData\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Default
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Default\AppData\Roaming]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
19.12.2012 03:13 <VERBINDUNG> Druckumgebung [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Eigene Dateien [C:\Users\Default\Documents]
14.07.2009 07:08 <VERBINDUNG> Local Settings [..]
19.12.2012 03:13 <VERBINDUNG> Lokale Einstellungen [C:\Users\Default\AppData\Local]
14.07.2009 07:08 <VERBINDUNG> My Documents [..]
14.07.2009 07:08 <VERBINDUNG> NetHood [..]
19.12.2012 03:13 <VERBINDUNG> Netzwerkumgebung [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
14.07.2009 07:08 <VERBINDUNG> PrintHood [..]
14.07.2009 07:08 <VERBINDUNG> Recent [..]
14.07.2009 07:08 <VERBINDUNG> SendTo [..]
14.07.2009 07:08 <VERBINDUNG> Start Menu [..]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
14.07.2009 07:08 <VERBINDUNG> Templates [..]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Default\AppData\Local
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Default\AppData\Local]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
14.07.2009 07:08 <VERBINDUNG> History [..]
14.07.2009 07:08 <VERBINDUNG> Temporary Internet Files [..]
19.12.2012 03:13 <VERBINDUNG> Verlauf [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Default\AppData\Roaming\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Default\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Default\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Default\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Default\Videos]
14.07.2009 07:08 <VERBINDUNG> My Music [..]
14.07.2009 07:08 <VERBINDUNG> My Pictures [..]
14.07.2009 07:08 <VERBINDUNG> My Videos [..]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Miyu
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Miyu\AppData\Roaming]
19.12.2012 03:13 <VERBINDUNG> Cookies [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Cookies]
19.12.2012 03:13 <VERBINDUNG> Druckumgebung [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Eigene Dateien [C:\Users\Miyu\Documents]
19.12.2012 03:13 <VERBINDUNG> Lokale Einstellungen [C:\Users\Miyu\AppData\Local]
19.12.2012 03:13 <VERBINDUNG> Netzwerkumgebung [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Recent [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Recent]
19.12.2012 03:13 <VERBINDUNG> SendTo [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\SendTo]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Miyu\AppData\Local
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Miyu\AppData\Local]
19.12.2012 03:13 <VERBINDUNG> Temporary Internet Files [C:\Users\Miyu\AppData\Local\Microsoft\Windows\Temporary Internet Files]
19.12.2012 03:13 <VERBINDUNG> Verlauf [C:\Users\Miyu\AppData\Local\Microsoft\Windows\History]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Miyu\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Miyu\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Miyu\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Miyu\Videos]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Dokumente und Einstellungen\Public\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Public\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Public\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Public\Videos]
14.07.2009 07:08 <VERBINDUNG> My Music [C:\Users\Public\Music]
14.07.2009 07:08 <VERBINDUNG> My Pictures [C:\Users\Public\Pictures]
14.07.2009 07:08 <VERBINDUNG> My Videos [C:\Users\Public\Videos]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Program Files
19.12.2012 03:13 <VERBINDUNG> Gemeinsame Dateien [C:\Program Files\Common Files]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Program Files\Windows Defender
14.07.2009 19:58 <SYMLINKD> de-DE [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpClient.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpCommu.dll [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpOAV.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpRTP.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MSASCui.exe [c:\windows\system32\config]
20.11.2010 15:27 <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
11 Datei(en), 2.907.648 Bytes
Verzeichnis von C:\Program Files\Windows NT
19.12.2012 03:13 <VERBINDUNG> Zubehör [C:\Program Files\Windows NT\Accessories]
0 Datei(en), 0 Bytes
Verzeichnis von C:\ProgramData
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\ProgramData]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
14.07.2009 07:08 <VERBINDUNG> Desktop [..]
14.07.2009 07:08 <VERBINDUNG> Documents [..]
19.12.2012 03:13 <VERBINDUNG> Dokumente [C:\Users\Public\Documents]
19.12.2012 03:13 <VERBINDUNG> Favoriten [C:\Users\Public\Favorites]
14.07.2009 07:08 <VERBINDUNG> Favorites [..]
14.07.2009 07:08 <VERBINDUNG> Start Menu [..]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\ProgramData\Microsoft\Windows\Start Menu]
14.07.2009 07:08 <VERBINDUNG> Templates [..]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\ProgramData\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\ProgramData\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\ProgramData\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Programme
19.12.2012 03:13 <VERBINDUNG> Gemeinsame Dateien [C:\Program Files\Common Files]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Programme\Windows Defender
14.07.2009 19:58 <SYMLINKD> de-DE [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpClient.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpCommu.dll [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpOAV.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpRTP.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MSASCui.exe [c:\windows\system32\config]
20.11.2010 15:27 <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
11 Datei(en), 2.907.648 Bytes
Verzeichnis von C:\Programme\Windows NT
19.12.2012 03:13 <VERBINDUNG> Zubehör [C:\Program Files\Windows NT\Accessories]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users
14.07.2009 07:08 <SYMLINKD> All Users [C:\ProgramData]
14.07.2009 07:08 <VERBINDUNG> Default User [..]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\All Users
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\ProgramData]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
14.07.2009 07:08 <VERBINDUNG> Desktop [..]
14.07.2009 07:08 <VERBINDUNG> Documents [..]
19.12.2012 03:13 <VERBINDUNG> Dokumente [C:\Users\Public\Documents]
19.12.2012 03:13 <VERBINDUNG> Favoriten [C:\Users\Public\Favorites]
14.07.2009 07:08 <VERBINDUNG> Favorites [..]
14.07.2009 07:08 <VERBINDUNG> Start Menu [..]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\ProgramData\Microsoft\Windows\Start Menu]
14.07.2009 07:08 <VERBINDUNG> Templates [..]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\ProgramData\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\All Users\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\ProgramData\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Default
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Default\AppData\Roaming]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
19.12.2012 03:13 <VERBINDUNG> Druckumgebung [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Eigene Dateien [C:\Users\Default\Documents]
14.07.2009 07:08 <VERBINDUNG> Local Settings [..]
19.12.2012 03:13 <VERBINDUNG> Lokale Einstellungen [C:\Users\Default\AppData\Local]
14.07.2009 07:08 <VERBINDUNG> My Documents [..]
14.07.2009 07:08 <VERBINDUNG> NetHood [..]
19.12.2012 03:13 <VERBINDUNG> Netzwerkumgebung [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
14.07.2009 07:08 <VERBINDUNG> PrintHood [..]
14.07.2009 07:08 <VERBINDUNG> Recent [..]
14.07.2009 07:08 <VERBINDUNG> SendTo [..]
14.07.2009 07:08 <VERBINDUNG> Start Menu [..]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
14.07.2009 07:08 <VERBINDUNG> Templates [..]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Default\AppData\Local
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Default\AppData\Local]
14.07.2009 07:08 <VERBINDUNG> Application Data [..]
14.07.2009 07:08 <VERBINDUNG> History [..]
14.07.2009 07:08 <VERBINDUNG> Temporary Internet Files [..]
19.12.2012 03:13 <VERBINDUNG> Verlauf [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Default\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Default\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Default\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Default\Videos]
14.07.2009 07:08 <VERBINDUNG> My Music [..]
14.07.2009 07:08 <VERBINDUNG> My Pictures [..]
14.07.2009 07:08 <VERBINDUNG> My Videos [..]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Miyu
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Miyu\AppData\Roaming]
19.12.2012 03:13 <VERBINDUNG> Cookies [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Cookies]
19.12.2012 03:13 <VERBINDUNG> Druckumgebung [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Eigene Dateien [C:\Users\Miyu\Documents]
19.12.2012 03:13 <VERBINDUNG> Lokale Einstellungen [C:\Users\Miyu\AppData\Local]
19.12.2012 03:13 <VERBINDUNG> Netzwerkumgebung [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
19.12.2012 03:13 <VERBINDUNG> Recent [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Recent]
19.12.2012 03:13 <VERBINDUNG> SendTo [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\SendTo]
19.12.2012 03:13 <VERBINDUNG> Startmenü [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu]
19.12.2012 03:13 <VERBINDUNG> Vorlagen [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Templates]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Miyu\AppData\Local
19.12.2012 03:13 <VERBINDUNG> Anwendungsdaten [C:\Users\Miyu\AppData\Local]
19.12.2012 03:13 <VERBINDUNG> Temporary Internet Files [C:\Users\Miyu\AppData\Local\Microsoft\Windows\Temporary Internet Files]
19.12.2012 03:13 <VERBINDUNG> Verlauf [C:\Users\Miyu\AppData\Local\Microsoft\Windows\History]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu
19.12.2012 03:13 <VERBINDUNG> Programme [C:\Users\Miyu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Miyu\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Miyu\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Miyu\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Miyu\Videos]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Users\Public\Documents
19.12.2012 03:13 <VERBINDUNG> Eigene Bilder [C:\Users\Public\Pictures]
19.12.2012 03:13 <VERBINDUNG> Eigene Musik [C:\Users\Public\Music]
19.12.2012 03:13 <VERBINDUNG> Eigene Videos [C:\Users\Public\Videos]
14.07.2009 07:08 <VERBINDUNG> My Music [C:\Users\Public\Music]
14.07.2009 07:08 <VERBINDUNG> My Pictures [C:\Users\Public\Pictures]
14.07.2009 07:08 <VERBINDUNG> My Videos [C:\Users\Public\Videos]
0 Datei(en), 0 Bytes
Verzeichnis von C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea
14.07.2009 03:29 <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 Datei(en), 52.224 Bytes
Verzeichnis von C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c
14.07.2009 03:41 <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpClient.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpCommu.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpOAV.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpRTP.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpSvc.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MSASCui.exe [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
10 Datei(en), 3.806.208 Bytes
Verzeichnis von C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306
14.07.2009 03:41 <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpClient.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpCommu.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpOAV.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpRTP.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MpSvc.dll [c:\windows\system32\config]
14.07.2009 03:39 <SYMLINK> MSASCui.exe [c:\windows\system32\config]
20.11.2010 15:27 <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
14.07.2009 03:29 <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
14.07.2009 03:41 <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
11 Datei(en), 3.867.136 Bytes
Anzahl der angezeigten Dateien:
44 Datei(en), 13.540.864 Bytes
151 Verzeichnis(se), 9.402.843.136 Bytes frei
==== Folders Found In C:\Program Files\Windows Defender ======================
2009-07-14 17:58:49 d---a-we C:\Program Files\Windows Defender\de-DE
==== Files Found In C:\Program Files\Windows Defender ======================
2009-07-14 01:29:10 52224 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpEvMsg.dll
2009-07-14 01:29:50 4608 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MsMpLics.dll
2009-07-14 01:39:20 190976 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpCmdRun.exe
2009-07-14 01:39:20 961024 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MSASCui.exe
2009-07-14 01:41:26 10752 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpAsDesc.dll
2009-07-14 01:41:26 314880 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpCommu.dll
2009-07-14 01:41:26 52224 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpOAV.dll
2009-07-14 01:41:26 571904 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpClient.dll
2009-07-14 01:41:27 200192 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MpRTP.dll
2009-07-14 01:41:30 487936 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MsMpRes.dll
2010-11-20 13:27:03 60928 ----a-we !HASH: COULD NOT OPEN FILE !!!!! C:\Program Files\Windows Defender\MsMpCom.dll
==== EOF on 20.05.2013 at 20:17:16,00 ======================
|
| | #3 |
| /// Malwareteam / Visitor | It is indeed present; we will try to get rid of it.
|
| | #4 |
| /// Malwareteam / Visitor | I think everything is clean. One more check: please download
|
| | #5 |
| Done. Code:
Results of screen317's Security Check version 0.99.63
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 38
Java 7 Update 21
Adobe Flash Player 11.7.700.202
Adobe Reader XI
Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````
|
| | #6 |
| /// Malwareteam / Visitor | Please download Farbar's Service Scanner
|
| | #7 |
| Code:
Farbar Service Scanner Version: 14-04-2013
Ran by Miyu (administrator) on 17-05-2013 at 13:35:18
Running from "C:\Users\Miyu\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
|
| | #8 |
| /// Malwareteam / Visitor | Please download RestoreBFE.exe. Start the tool with a double-click. After a few seconds a message saying "Done" should pop up. Please download this tool from the following link: Service Repair. After starting, the tool will try to restore some default services. Please post the resulting log file. Restart the computer afterwards. Then create and post a new Farbar Service Scanner log. |
| | #9 |
| Code:
Log Opened: 2013-05-17 @ 13:47:56
13:47:56 - -----------------
13:47:56 - | Begin Logging |
13:47:56 - -----------------
13:47:56 - Fix started on a WIN_7 X64 computer
13:47:56 - Prep in progress. Please Wait.
13:47:57 - Prep complete
13:47:57 - Repairing Services Now. Please wait...
13:47:57 - Services Repair Complete.
13:48:24 - Reboot Skipped
Here is the log. Code:
Farbar Service Scanner Version: 14-04-2013
Ran by Miyu (administrator) on 17-05-2013 at 13:53:20
Running from "C:\Users\Miyu\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
|
| | #10 |
| /// Malwareteam / Visitor | W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe Download the reg files below: http://download.bleepingcomputer.com...s/7/MpsSvc.reg http://download.bleepingcomputer.com.../WinDefend.reg Double-click them and allow the changes. Restart the computer and create a new Farbar Service Scanner log. |
| | #11 |
| W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe I don't think it got this many restarts in the whole of last year combined. Code:
Farbar Service Scanner Version: 14-04-2013
Ran by Miyu (administrator) on 17-05-2013 at 14:05:53
Running from "C:\Users\Miyu\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
|
| | #12 |
| /// Malwareteam / Visitor | W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe There are a few more restarts to come. Download the reg files below: http://download.bleepingcomputer.com...ces/7/BITS.reg http://download.bleepingcomputer.com...7/wuauserv.reg http://download.bleepingcomputer.com...s/7/wscsvc.reg Double-click them and allow the changes. Restart the computer and create a new Farbar Service Scanner log. |
| | #13 |
| W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe Code:
Farbar Service Scanner Version: 14-04-2013
Ran by Miyu (administrator) on 17-05-2013 at 14:43:18
Running from "C:\Users\Miyu\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
|
| | #14 |
| /// Malwareteam / Visitor | W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe It already looks better, but somehow it is still not running quite right. Try this Microsoft Fix: Automatically diagnose and fix problems with Windows Firewall. Afterwards, create a new FSS log file. |
| | #15 |
| W32/Patched.UC' [virus] in 'C:\Windows\System32\services.exe Code:
Farbar Service Scanner Version: 14-04-2013
Ran by Miyu (administrator) on 17-05-2013 at 15:56:41
Running from "C:\Users\Miyu\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
works and I'm supposed to check whether it works now^^ |
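Added example, not part of the thread and not code from Farbar Service Scanner: a small Python parser that compares two FSS logs to list which service registry keys were restored between runs, and singles out files reported with the MD5 of empty input despite a non-zero size (such a hash cannot describe the file's content, so the line shows the file was not hashed). The sample strings are excerpts constructed from the 14:05:53 and 14:43:18 logs above; the function names are hypothetical.

```python
import re

# MD5 of zero bytes: the value a tool reports when it hashed no file content at all.
EMPTY_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Constructed samples: lines excerpted from the 14:05:53 and 14:43:18 logs in this thread.
RUN_1405 = r"""
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-07-14 01:54] - [2009-07-14 03:41] - 1011712 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
"""
RUN_1443 = r"""
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
"""

def parse_fss(log):
    """Return (services whose registry key is missing, {flagged file: (size, md5)})."""
    missing, flagged, path = set(), {}, None
    for line in (l.strip() for l in log.splitlines()):
        m = re.search(r"Unable to open (\S+) registry key", line)
        if m:
            missing.add(m.group(1))
        elif re.fullmatch(r"[A-Za-z]:\\[^=>]+", line):
            path = line  # bare path without a verdict: details follow on the next line
        elif path and (m := re.search(r"- (\d+) \S+ \(.*\) ([0-9A-Fa-f]{32})$", line)):
            flagged[path] = (int(m.group(1)), m.group(2).upper())
            path = None
    return missing, flagged

def unreadable(flagged):
    """Files reported with the empty-input MD5 although their size is non-zero."""
    return [p for p, (size, md5) in flagged.items() if md5 == EMPTY_MD5 and size > 0]

def restored_between(before, after):
    """Service keys missing in the earlier run and present in the later one."""
    return parse_fss(before)[0] - parse_fss(after)[0]

if __name__ == "__main__":
    print("restored:", sorted(restored_between(RUN_1405, RUN_1443)))
    print("still missing:", sorted(parse_fss(RUN_1443)[0]))
    print("empty-input hash, re-check file:", unreadable(parse_fss(RUN_1405)[1]))
```
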