Hello everyone, first of all a big thank you to the helpers here, great work.
I have also caught the Bundespolizei trojan on my laptop and, as in the previous threads, have already created the log file with Frst64.exe.
FRST Logfile:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013
Ran by SYSTEM on 11-06-2013 23:25:21
Running from E:\
Windows 7 Professional (X64) OS Language: German Standard
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 7.0] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [483328 2005-09-24] (Adobe Systems Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Avira\AntiVir Desktop\avgnt.exe" /min [209153 2009-03-02] (Avira GmbH)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [RoccatKone+] "C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE" [552960 2011-07-12] (ROCCAT GmbH)
HKU\RazieL\...\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" /automount [203928 2009-09-30] (Alcohol Soft Development Team)
HKU\RazieL\...\Run: [WindowsSysGuard] C:\Users\Public\winvcsn.exe [x]
HKU\RazieL\...\Run: [DAEMON Tools Lite] "C:\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\RazieL\...\Run: [KeApplet] C:\Users\RazieL\AppData\Roaming\Dropbox\{0BA20AB9-D6FD-4CC3-8B09-09075F317D56}\Validator.exe [x]
HKU\RazieL\...\Run: [casa] "C:\Users\RazieL\AppData\Roaming\casa\guni.bat" [194 2013-05-24] ()
HKU\RazieL\...\Run: [Adobe Reader] C:\Users\RazieL\AppData\Roaming\hUuRe\svchost.exe [21504 2013-05-24] ()
HKU\RazieL\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\RazieL\7825604.exe [45056 2013-06-10] (Adobe Systems Incorporated)
HKU\RazieL\...\Winlogon: [Shell] cmd.exe [344576 2009-07-14] (Microsoft Corporation) <==== ATTENTION
HKU\RazieL\...\Command Processor: "C:\Users\RazieL\7825604.exe" <===== ATTENTION!
Startup: C:\Users\RazieL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
==================== Services (Whitelisted) =================
S2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_ca0e279.dll [4561152 2013-04-21] (Akamai Technologies, Inc.)
S2 AntiVirSchedulerService; C:\Avira\AntiVir Desktop\sched.exe [108289 2009-05-13] (Avira GmbH)
S2 AntiVirService; C:\Avira\AntiVir Desktop\avguard.exe [185089 2009-07-21] (Avira GmbH)
S2 ICQ Service; C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe [247608 2010-11-21] ()
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-01-02] ()
S2 StarWindServiceAE; C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [275968 2007-05-28] (Rocket Division Software)
S2 WTGService; C:\Program Files (x86)\Verbindungsassistent\WTGService.exe [330696 2010-11-18] ()
S2 XS Stick Service; C:\Windows\service4g.exe [125200 2009-06-17] (4G Systems GmbH & Co. KG)
==================== Drivers (Whitelisted) ====================
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [74880 2009-12-07] (Avira GmbH)
S3 cmnsusbser; C:\Windows\System32\DRIVERS\cmnsusbser.sys [117888 2012-03-18] (Mobile Connector)
S3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [33280 2005-05-03] (SlySoft, Inc.)
S3 ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [6656 2005-04-12] (Elaborate Bytes AG)
S3 ewsercd; C:\Windows\System32\DRIVERS\ewsercd.sys [112896 2011-09-06] (Huawei Technologies Co., Ltd.)
S3 NetHook_ControlCenter; C:\PingFu Iris\ControlCenter.sys [104048 2010-08-26] ()
S3 NetHook_ControlCenter; C:\PingFu Iris\ControlCenter.sys [104048 2010-08-26] ()
S3 NetHook_Interceptor; C:\PingFu Iris\Interceptor.sys [46704 2010-08-26] ()
S3 NetHook_Interceptor; C:\PingFu Iris\Interceptor.sys [46704 2010-08-26] ()
S0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows (R) Server 2003 DDK provider)
S0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows (R) Server 2003 DDK provider)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-08-10] (Duplex Secure Ltd.)
S3 X6va006; \??\C:\Users\RazieL\AppData\Local\Temp\0062EE.tmp [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-06-11 23:25 - 2013-06-11 23:25 - 00000000 ____D C:\FRST
2013-06-10 23:04 - 2013-06-10 23:04 - 00163063 ____A C:\Users\RazieL\AppData\Roaming\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163047 ____A C:\ProgramData\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163042 ____A C:\Users\RazieL\AppData\Local\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00045056 ____A (Adobe Systems Incorporated) C:\Users\RazieL\7825604.exe
2013-05-24 23:44 - 2013-05-24 23:45 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\hUuRe
2013-05-24 23:26 - 2013-05-24 23:26 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\ERbLK
2013-05-24 22:23 - 2013-05-24 22:23 - 00600377 ____A C:\Users\RazieL\9hlwhkyey94vk.exe
2013-05-24 22:22 - 2013-05-24 22:23 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\casa
2013-05-24 22:22 - 2013-05-24 22:22 - 00600377 ____A C:\Users\RazieL\l9kg5zdc94fho.exe
2013-05-24 22:22 - 2013-05-24 22:22 - 00147456 ____A (TechSmith Corporation) C:\Users\RazieL\rapohl17o0myk.exe
2013-05-22 13:31 - 2013-05-22 13:31 - 00262144 ____N C:\Windows\Minidump\052213-27015-01.dmp
2013-05-22 13:30 - 2013-05-22 13:30 - 00262144 ___AH C:\Windows\DUMPe28a.DMP
2013-05-22 13:08 - 2013-05-22 13:08 - 00262144 ___AH C:\Windows\DUMP4202.DMP
2013-05-22 13:05 - 2013-05-22 13:05 - 00000000 ____D C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
==================== One Month Modified Files and Folders =======
2013-06-11 23:25 - 2013-06-11 23:25 - 00000000 ____D C:\FRST
2013-06-11 22:04 - 2010-05-18 01:40 - 00001106 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-11 22:04 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-11 22:04 - 2009-07-14 05:51 - 00139881 ____A C:\Windows\setupact.log
2013-06-11 21:57 - 2010-05-18 01:40 - 00001110 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-10 23:20 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-10 23:20 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-10 23:16 - 2009-10-28 00:37 - 01822008 ____A C:\Windows\WindowsUpdate.log
2013-06-10 23:04 - 2013-06-10 23:04 - 00163063 ____A C:\Users\RazieL\AppData\Roaming\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163047 ____A C:\ProgramData\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163042 ____A C:\Users\RazieL\AppData\Local\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00045056 ____A (Adobe Systems Incorporated) C:\Users\RazieL\7825604.exe
2013-06-10 23:04 - 2009-10-28 00:54 - 00000000 ____D C:\users\RazieL
2013-06-10 22:54 - 2009-12-23 18:07 - 00000000 ____D C:\Users\RazieL\AppData\Local\Deployment
2013-06-09 23:50 - 2009-10-28 01:39 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\vlc
2013-05-27 22:11 - 2010-03-30 20:06 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\Skype
2013-05-27 19:12 - 2012-02-28 15:18 - 00000000 ____D C:\Users\RazieL\AppData\Local\PMB Files
2013-05-27 18:41 - 2012-02-28 15:18 - 00000000 ____D C:\ProgramData\PMB Files
2013-05-27 18:38 - 2010-03-30 20:08 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\skypePM
2013-05-24 23:45 - 2013-05-24 23:44 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\hUuRe
2013-05-24 23:26 - 2013-05-24 23:26 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\ERbLK
2013-05-24 22:23 - 2013-05-24 22:23 - 00600377 ____A C:\Users\RazieL\9hlwhkyey94vk.exe
2013-05-24 22:23 - 2013-05-24 22:22 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\casa
2013-05-24 22:22 - 2013-05-24 22:22 - 00600377 ____A C:\Users\RazieL\l9kg5zdc94fho.exe
2013-05-24 22:22 - 2013-05-24 22:22 - 00147456 ____A (TechSmith Corporation) C:\Users\RazieL\rapohl17o0myk.exe
2013-05-22 18:36 - 2009-12-07 00:38 - 00000584 ___AH C:\Windows\Tasks\Norton Security Scan for RazieL.job
2013-05-22 16:17 - 2009-10-28 02:15 - 00000000 ____D C:\Call of Duty 4 - Modern Warfare
2013-05-22 16:16 - 2009-10-28 03:28 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-05-22 16:16 - 2009-10-28 03:03 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-05-22 16:16 - 2009-10-28 03:03 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-05-22 13:39 - 2009-10-28 00:08 - 00000000 ____D C:\ProgramData\NVIDIA
2013-05-22 13:32 - 2009-10-28 23:48 - 00000000 ____D C:\Windows\Minidump
2013-05-22 13:31 - 2013-05-22 13:31 - 00262144 ____N C:\Windows\Minidump\052213-27015-01.dmp
2013-05-22 13:31 - 2009-10-28 00:07 - 00023968 ____A C:\Windows\PFRO.log
2013-05-22 13:30 - 2013-05-22 13:30 - 00262144 ___AH C:\Windows\DUMPe28a.DMP
2013-05-22 13:08 - 2013-05-22 13:08 - 00262144 ___AH C:\Windows\DUMP4202.DMP
2013-05-22 13:05 - 2013-05-22 13:05 - 00000000 ____D C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
Files to move or delete:
====================
C:\Users\RazieL\7825604.exe
C:\Users\RazieL\9hlwhkyey94vk.exe
C:\Users\RazieL\l9kg5zdc94fho.exe
C:\Users\RazieL\rapohl17o0myk.exe
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-03-26 01:56:29
Restore point made on: 2013-04-22 02:07:21
Restore point made on: 2013-05-01 02:14:51
Restore point made on: 2013-05-16 01:43:39
Restore point made on: 2013-05-25 02:43:46
==================== Memory info ===========================
Percentage of memory in use: 17%
Total physical RAM: 2815.37 MB
Available physical RAM: 2314.46 MB
Total Pagefile: 2813.52 MB
Available Pagefile: 2310.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:465.76 GB) (Free:20.01 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive e: (INTENSO) (Removable) (Total:7.21 GB) (Free:7.17 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or (Size: 466 GB) (Disk ID: C344177E)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 7 GB) (Disk ID: E6FDB69D)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)
LastRegBack: 2013-05-25 02:36
==================== End Of Log ============================