Plagegeister aller Art und deren Bekämpfung: GVU Trojaner - windows 8

#3
GVU Trojaner - windows 8

It took a bit, but I've got it.
FRST Logfile:

[CODE]
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-07-2013 03
Ran by SYSTEM on 30-07-2013 12:49:16
Running from D:\
Windows 8 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\InprocServer32: [Default-cscui] <==== ATTENTION!
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642728 2012-09-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152544 2012-12-12] (Apple Inc.)
HKU\Anchos\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2012-10-30] ()
HKU\Anchos\...\Run: [KPeerNexonEU] - C:\Nexon\NEXON_EU_Downloader\nxEULauncher.exe [x]
HKU\Anchos\...\Run: [Steam] - C:\Program Files (x86)\Steam\Steam.exe [1807272 2013-07-26] (Valve Corporation)
HKU\Anchos\...\Run: [DAEMON Tools Lite] - C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3673728 2012-11-06] (DT Soft Ltd)
HKU\Anchos\...\Run: [Dargon] - C:\Dargon\DargonD.exe [x]
HKU\Anchos\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [19603048 2013-06-03] (Skype Technologies S.A.)
HKU\Anchos\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Anchos\AppData\Local\Temp\vjoavddrqbuqgtyii.exe [74752 2013-07-30] () <===== ATTENTION
HKU\Anchos\...\Winlogon: [Shell] cmd.exe [404992 2012-07-26] (Microsoft Corporation) <==== ATTENTION
HKU\Anchos\...\Command Processor: "C:\Users\Anchos\AppData\Local\Temp\vjoavddrqbuqgtyii.exe" <===== ATTENTION!
Startup: C:\Users\Anchos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) =================

S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [121344 2012-02-07] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2013-04-28] ()
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-01-29] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
S3 BrSerIf; C:\Windows\system32\DRIVERS\BrSerIf.sys [97280 2006-12-12] (Brother Industries Ltd.)
S1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283200 2012-11-13] (DT Soft Ltd)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
S1 frszqiil; \??\C:\Windows\system32\drivers\frszqiil.sys [x]
S3 X6va011; \??\C:\Windows\SysWOW64\Drivers\X6va011 [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-30 12:49 - 2013-07-30 12:49 - 00000000 ____D C:\FRST
2013-07-30 11:10 - 2013-07-30 11:10 - 00000000 _____ C:\Windows\setuperr.log
2013-07-30 11:10 - 2013-07-30 11:10 - 00000000 _____ C:\Windows\setupact.log
2013-07-30 09:16 - 2013-07-30 09:21 - 00018040 _____ C:\Windows\WindowsUpdate.log
2013-07-30 08:50 - 2013-07-30 08:50 - 00163068 _____ C:\Users\Anchos\AppData\Local\2433f433
2013-07-30 08:50 - 2013-07-30 08:50 - 00163042 _____ C:\Users\Anchos\AppData\Roaming\2433f433
2013-07-30 08:50 - 2013-07-30 08:50 - 00163009 _____ C:\ProgramData\2433f433
2013-07-21 20:32 - 2013-07-21 20:32 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2013-07-20 12:50 - 2013-07-20 12:50 - 00307904 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-17 13:52 - 2013-06-01 12:33 - 02233600 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-07-17 13:51 - 2013-06-16 23:41 - 00997632 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2013-07-17 13:51 - 2013-06-01 12:54 - 00194816 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\sdbus.sys
2013-07-17 13:51 - 2013-06-01 12:54 - 00125184 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\dumpsd.sys
2013-07-17 13:51 - 2013-06-01 12:34 - 02391280 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2013-07-17 13:51 - 2013-06-01 12:29 - 00337152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\USBXHCI.SYS
2013-07-17 13:51 - 2013-06-01 12:29 - 00213248 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\UCX01000.SYS
2013-07-17 13:51 - 2013-06-01 12:26 - 06987008 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-07-17 13:51 - 2013-06-01 12:26 - 00327936 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys
2013-07-17 13:51 - 2013-06-01 11:24 - 02106176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2013-07-17 13:51 - 2013-06-01 10:25 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-07-17 13:51 - 2013-06-01 10:25 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2013-07-17 13:51 - 2013-06-01 10:24 - 01453568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2013-07-17 13:51 - 2013-06-01 10:24 - 00850944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfasfsrcsnk.dll
2013-07-17 13:51 - 2013-06-01 10:24 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscms.dll
2013-07-17 13:51 - 2013-06-01 10:23 - 01842176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dwmcore.dll
2013-07-17 13:51 - 2013-06-01 10:23 - 00680960 _____ (Microsoft Corporation) C:\Windows\System32\vds.exe
2013-07-17 13:51 - 2013-06-01 10:22 - 00523264 _____ (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-07-17 13:51 - 2013-06-01 10:22 - 00446976 _____ (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2013-07-17 13:51 - 2013-06-01 10:22 - 00190976 _____ (Microsoft Corporation) C:\Windows\System32\vdsutil.dll
2013-07-17 13:51 - 2013-06-01 10:22 - 00080896 _____ (Microsoft Corporation) C:\Windows\System32\MbaeParserTask.exe
2013-07-17 13:51 - 2013-06-01 10:21 - 00729600 _____ (Microsoft Corporation) C:\Windows\System32\samsrv.dll
2013-07-17 13:51 - 2013-06-01 10:21 - 00106496 _____ (Microsoft Corporation) C:\Windows\System32\samlib.dll
2013-07-17 13:51 - 2013-06-01 10:20 - 02219520 _____ (Microsoft Corporation) C:\Windows\System32\dwmcore.dll
2013-07-17 13:51 - 2013-06-01 10:20 - 01527808 _____ (Microsoft Corporation) C:\Windows\System32\mfcore.dll
2013-07-17 13:51 - 2013-06-01 10:20 - 01048576 _____ (Microsoft Corporation) C:\Windows\System32\mfasfsrcsnk.dll
2013-07-17 13:51 - 2013-06-01 10:20 - 00583168 _____ (Microsoft Corporation) C:\Windows\System32\mscms.dll
2013-07-17 13:51 - 2013-06-01 10:19 - 00785408 _____ (Microsoft Corporation) C:\Windows\System32\audiosrv.dll
2013-07-17 13:51 - 2013-06-01 10:19 - 00207872 _____ (Microsoft Corporation) C:\Windows\System32\DeviceSetupManager.dll
2013-07-17 13:51 - 2013-06-01 04:08 - 00037632 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\BthAvrcpTg.sys
2013-07-17 13:51 - 2013-05-24 23:09 - 01403296 _____ (Microsoft Corporation) C:\Windows\System32\winload.efi
2013-07-17 13:51 - 2013-05-24 23:09 - 01271584 _____ (Microsoft Corporation) C:\Windows\System32\winload.exe
2013-07-17 13:51 - 2013-05-24 23:09 - 01217352 _____ (Microsoft Corporation) C:\Windows\System32\winresume.efi
2013-07-17 13:51 - 2013-05-24 23:09 - 01093904 _____ (Microsoft Corporation) C:\Windows\System32\winresume.exe
2013-07-17 13:51 - 2013-05-20 01:08 - 00386642 _____ C:\Windows\System32\ApnDatabase.xml
2013-07-10 11:34 - 2013-06-12 00:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-10 11:34 - 2013-06-12 00:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-10 11:34 - 2013-06-12 00:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-10 11:34 - 2013-06-12 00:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-10 11:34 - 2013-06-12 00:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-10 11:34 - 2013-06-12 00:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-10 11:34 - 2013-06-12 00:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-10 11:34 - 2013-06-12 00:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-10 11:34 - 2013-06-12 00:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-10 11:34 - 2013-06-12 00:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-10 11:34 - 2013-06-12 00:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-10 11:34 - 2013-06-12 00:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-10 11:34 - 2013-06-12 00:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-10 11:34 - 2013-06-12 00:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-10 11:34 - 2013-06-12 00:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-10 11:34 - 2013-06-12 00:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-10 11:34 - 2013-06-12 00:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-10 11:34 - 2013-06-01 10:25 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 11:34 - 2013-06-01 10:21 - 00595968 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 11:34 - 2013-05-31 00:14 - 04036096 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 11:34 - 2013-04-11 23:30 - 01421312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 11:34 - 2013-04-11 23:22 - 01838080 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-10 11:32 - 2013-05-04 07:59 - 02842112 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 11:32 - 2013-05-04 05:57 - 02620928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

==================== One Month Modified Files and Folders =======

2013-07-30 11:38 - 2012-07-26 08:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-30 11:34 - 2012-07-26 11:27 - 00751892 _____ C:\Windows\System32\perfh007.dat
2013-07-30 11:34 - 2012-07-26 11:27 - 00155620 _____ C:\Windows\System32\perfc007.dat
2013-07-30 11:34 - 2012-07-26 08:28 - 01745416 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-30 11:10 - 2013-07-30 11:10 - 00000000 _____ C:\Windows\setuperr.log
2013-07-30 11:10 - 2013-07-30 11:10 - 00000000 _____ C:\Windows\setupact.log
2013-07-30 11:08 - 2012-10-26 16:19 - 00000868 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2013-07-30 09:21 - 2013-07-30 09:16 - 00018040 _____ C:\Windows\WindowsUpdate.log
2013-07-30 09:21 - 2012-07-26 06:26 - 00262144 ___SH C:\Windows\System32\config\BBI
2013-07-30 09:00 - 2012-07-26 09:12 - 00000000 ____D C:\Windows\System32\sru
2013-07-30 08:50 - 2013-07-30 08:50 - 00163068 _____ C:\Users\Anchos\AppData\Local\2433f433
2013-07-30 08:50 - 2013-07-30 08:50 - 00163042 _____ C:\Users\Anchos\AppData\Roaming\2433f433
2013-07-30 08:50 - 2013-07-30 08:50 - 00163009 _____ C:\ProgramData\2433f433
2013-07-30 08:40 - 2012-11-13 19:21 - 00000000 ____D C:\Program Files (x86)\Steam
2013-07-30 08:34 - 2012-10-30 18:42 - 00000000 ____D C:\Users\Anchos\AppData\Local\PMB Files
2013-07-29 23:46 - 2012-11-14 20:58 - 00000000 ____D C:\Users\Anchos\AppData\Roaming\Skype
2013-07-29 22:23 - 2012-10-30 18:42 - 00000000 ____D C:\ProgramData\PMB Files
2013-07-27 14:05 - 2012-10-26 16:19 - 00000870 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2013-07-27 06:48 - 2012-07-26 09:12 - 00000000 ____D C:\Windows\AUInstallAgent
2013-07-22 17:20 - 2012-10-30 17:54 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3704050743-3055777684-322982769-1001
2013-07-21 20:32 - 2013-07-21 20:32 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2013-07-20 12:50 - 2013-07-20 12:50 - 00307904 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-15 14:38 - 2012-07-26 06:38 - 00000000 ____D C:\Windows\System32\oobe
2013-07-11 16:59 - 2012-07-26 11:29 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 09:44 - 2012-11-14 20:58 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-07-11 09:44 - 2012-11-14 20:58 - 00000000 ____D C:\ProgramData\Skype
2013-07-10 11:58 - 2012-12-13 17:51 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-07 17:28 - 2012-07-26 09:12 - 00000000 __RHD C:\Users\Public\Libraries
2013-07-01 14:23 - 2012-12-28 20:38 - 00000000 ____D C:\Users\Anchos\Documents\StarCraft II

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3704050743-3055777684-322982769-1001\$a3d01b147d7878bced732bb7b3a6ce14

Files to move or delete:
====================
C:\Users\Anchos\AppData\Local\Temp\vjoavddrqbuqgtyii.exe
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\Users\Anchos\8632409.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\de-DE => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-07-14 22:17:56
Restore point made on: 2013-07-17 18:18:13
Restore point made on: 2013-07-27 10:49:56

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8085.03 MB
Available physical RAM: 7266.94 MB
Total Pagefile: 8085.03 MB
Available Pagefile: 7282.08 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.42 GB) (Free:273.03 GB) NTFS (Disk=0 Partition=2)
Drive d: (USB STICK) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.34 GB) (Free:0.11 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected.

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 7F658C67)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: A5A64F94)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

LastRegBack: 2013-07-22 17:20

==================== End Of Log ============================
[/CODE]
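What a helper reads first in a log like the one above, and in what order, is worth spelling out: the Winlogon Shell value set to cmd.exe together with a Command Processor AutoRun pointing at a random-named executable in %TEMP% (cmd.exe runs the AutoRun value on every start, so a hijacked shell launches the payload instead of the desktop), a driver with a generated name whose file is gone, the $Recycle.Bin\<SID>\$<hex> store, the Windows Defender directory flagged for junction cleanup, and the custom BCD entry. The script below is an added example, not code from the poster and not FRST's own logic; it runs those checks over a SAMPLE_LOG constructed from lines copied out of the posted log. The severity scoring and the "generated name" heuristic are this script's assumptions.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for persistence hijacks.

Added example for this thread: not FRST's own checks and not the poster's code.
SAMPLE_LOG is constructed from lines of the posted log; the rules are heuristics
chosen here (assumptions), not anything FRST documents.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\InprocServer32: [Default-cscui] <==== ATTENTION!
HKU\Anchos\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [3093624 2012-10-30] ()
HKU\Anchos\...\Run: [KPeerNexonEU] - C:\Nexon\NEXON_EU_Downloader\nxEULauncher.exe [x]
HKU\Anchos\...\Run: [Steam] - C:\Program Files (x86)\Steam\Steam.exe [1807272 2013-07-26] (Valve Corporation)
HKU\Anchos\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Anchos\AppData\Local\Temp\vjoavddrqbuqgtyii.exe [74752 2013-07-30] () <===== ATTENTION
HKU\Anchos\...\Winlogon: [Shell] cmd.exe [404992 2012-07-26] (Microsoft Corporation) <==== ATTENTION
HKU\Anchos\...\Command Processor: "C:\Users\Anchos\AppData\Local\Temp\vjoavddrqbuqgtyii.exe" <===== ATTENTION!
S1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283200 2012-11-13] (DT Soft Ltd)
S1 frszqiil; \??\C:\Windows\system32\drivers\frszqiil.sys [x]
C:\Program Files\Windows Defender\de-DE => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
TDL4: custom:26000022 <===== ATTENTION!
C:\$Recycle.Bin\S-1-5-21-3704050743-3055777684-322982769-1001\$a3d01b147d7878bced732bb7b3a6ce14
ATTENTION: Malware custom entry on BCD on drive y: detected.
"""

VOWELS = set("aeiouy")
# FRST Run line: "...\Run: [name] - target [size date] (publisher) <=== ATTENTION"
RUN_RE = re.compile(r"\\Run: \[([^\]]+)\] - (.+?)(?: \[[^\]]*\])?(?: \(([^)]*)\))?(?: <=+ ATTENTION!?)?$")
SHELL_RE = re.compile(r"\\Winlogon: \[Shell\] (\S+)")
DRIVER_RE = re.compile(r"^S[0-4] ([^;]+); ")
# ZeroAccess file store: $Recycle.Bin\<user SID>\$<32 hex chars>
ZA_STORE_RE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}", re.I)


def looks_generated(name):
    """Heuristic (assumption): all-lowercase alphanumerics, 8+ chars, run of 5+ non-vowels."""
    if not re.fullmatch(r"[a-z0-9]{8,}", name):
        return False
    run = best = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best >= 5


def _finding(severity, rule, line, why=None):
    return {"severity": severity, "rule": rule, "line": line, "why": why or []}


def triage(log_text):
    """Return one finding dict per suspicious FRST line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Winlogon Shell: only explorer.exe is normal. cmd.exe here means the
        # desktop is replaced by whatever the Command Processor AutoRun starts.
        m = SHELL_RE.search(line)
        if m:
            if m.group(1).lower() != "explorer.exe":
                findings.append(_finding("critical", "winlogon-shell-hijack", line, [m.group(1)]))
            continue
        # Command Processor AutoRun runs on every cmd.exe start: the payload loader.
        if "\\Command Processor:" in line:
            findings.append(_finding("critical", "cmd-autorun", line))
            continue
        m = RUN_RE.search(line)
        if m:
            name, target, publisher = m.groups()
            why = []
            if re.search(r"\\AppData\\Local\\Temp\\", target, re.I):
                why.append("runs from %TEMP%")
            if publisher == "":  # FRST prints "()" when the file has no company name
                why.append("no publisher in version info")
            if looks_generated(name):
                why.append("generated value name")
            if line.endswith("[x]"):  # FRST marks a missing target with [x]
                why.append("file not present on disk")
            if why:
                sev = "high" if ("runs from %TEMP%" in why or "generated value name" in why) else "low"
                findings.append(_finding(sev, "run-key", line, why))
            continue
        m = DRIVER_RE.match(line)
        if m:
            if looks_generated(m.group(1)):
                findings.append(_finding("high", "generated-driver-name", line, [m.group(1)]))
            continue
        if ZA_STORE_RE.search(line):
            findings.append(_finding("critical", "zeroaccess-recyclebin-store", line))
        elif "DeleteJunctionsIndirectory" in line or "Malware custom entry on BCD" in line:
            findings.append(_finding("critical", "frst-flagged", line))
        elif "ATTENTION" in line:
            findings.append(_finding("medium", "frst-attention-marker", line))
    return findings


def summary(findings):
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"[{item['severity']:8}] {item['rule']:28} {item['line'][:72]}")
    print(summary(triage(SAMPLE_LOG)))
```

Saved as, say, frst_triage.py (a hypothetical name) and run with python3, it prints one line per finding; pass the full FRST.txt text to triage() to do the same for a real log. The rules are deliberately crude: a Run value with an empty publisher field, like the Pando Media Booster entry, is only reported as low severity, while the %TEMP% target, the hijacked Shell and the AutoRun value are the chain that starts the payload at logon in place of explorer.exe. FRST's own ATTENTION markers are kept as a separate medium-severity rule so that lines the heuristics do not understand (the InprocServer32 and TDL4 entries here) still surface.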