Trojaner-Board > Remove malware > Log analysis and evaluation

Log analysis and evaluation: I caught a virus that turns FRST.txt into FRST.txt!___prosschiff@gmail.com_


26.09.2015, 09:23   #1
rolandbr
 
I picked up a number of hints on this forum and accordingly ran the Farbar Scanning Tool. You will find the resulting files attached.

I scanned with Microsoft Essentials and found a trojan, Skeeyah.A!bit. It was removed.

After that, text files were no longer renamed with the suffix !___prosschiff@gmail.com_, that is, up to now.


What do I have to do to make my computer safe?

Many thanks for the help
Attached files
File type: txt FRST.txt (17.8 KB, viewed 117 times)
File type: txt Addition.txt (15.3 KB, viewed 107 times)

26.09.2015, 10:42   #2
schrauber
/// the machine
/// TB instructor
 

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

How it works:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.
26.09.2015, 21:34   #3
rolandbr
 
Here are the logfiles, then


FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-09-2015
Ran by roland (administrator) on ITACTWIN7VM (26-09-2015 08:55:12)
Running from C:\Users\roland\Downloads
Loaded Profiles: roland (Available Profiles: roland & dries & glenn)
Platform: Microsoft Windows 7 Professional  (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Deerfield Communications Inc.) C:\Program Files\DNS2Go\DNS2GoService.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn Hamachi\LMIGuardianSvc.exe
(Nitro PDF Software) C:\Program Files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe
(LogMeIn Inc.) C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(LogMeIn Inc.) C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(DNS2Go) C:\Program Files\DNS2Go\DNS2GoClient.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.149\SSScheduler.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe [5579624 2015-08-03] (LogMeIn Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [981688 2015-04-30] (Microsoft Corporation)
HKU\S-1-5-21-3370153980-2594067740-2661373390-1000\...\Run: [Jing] => C:\Program Files\TechSmith\Jing\Jing.exe [2909640 2013-01-07] (TechSmith Corporation)
HKU\S-1-5-21-3370153980-2594067740-2661373390-1000\...\MountPoints2: {3266e048-bd25-11e4-b205-806e6f6e6963} - D:\setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DNS2Go*.lnk [2015-03-16]
ShortcutTarget: DNS2Go*.lnk -> C:\Program Files\DNS2Go\DNS2GoClient.exe (DNS2Go)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-04-27]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.149\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\roland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oFlMucDQ.lnk!___prosschiff@gmail.com_.crypt [2015-09-26]

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1	mssplus.mcafee.com
Tcpip\..\Interfaces\{87641ADA-9DCF-494A-9221-03687BC48AF8}: [NameServer] 195.238.2.21,195.238.2.22

Internet Explorer:
==================
HKU\S-1-5-21-3370153980-2594067740-2661373390-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/nl-be/?ocid=iehp
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\roland\AppData\Roaming\Mozilla\Firefox\Profiles\l26ypwo9.default
FF Plugin: @nitropdf.com/NitroPDF -> C:\Program Files\Nitro\Reader 3\npnitromozilla.dll [2013-05-01] (Nitro PDF)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin: @vmware.com/vmrc,version=5.5.0.00000 -> C:\Program Files\Common Files\VMware\VMware Remote Console Plug-in 5.5\Firefox\np-vmware-vmrc.dll [2014-06-13] (VMware, Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)

Chrome: 
=======
CHR Profile: C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-03]
CHR Extension: (Google Docs) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-03]
CHR Extension: (Google Drive) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-03]
CHR Extension: (YouTube) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-03]
CHR Extension: (Google Search) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-03]
CHR Extension: (Google Sheets) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-03]
CHR Extension: (Google Docs Offline) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-22]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-12]
CHR Extension: (Gmail) - C:\Users\roland\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 DNS2GoClient; C:\Program Files\DNS2Go\DNS2GoService.exe [402208 2013-01-06] (Deerfield Communications Inc.)
R2 Hamachi2Svc; C:\Program Files\LogMeIn Hamachi\hamachi-2.exe [1883496 2015-08-03] (LogMeIn Inc.)
R2 LMIGuardianSvc; C:\Program Files\LogMeIn Hamachi\LMIGuardianSvc.exe [411920 2015-08-03] (LogMeIn, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.149\McCHSvc.exe [235696 2015-06-26] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
R2 NitroReaderDriverReadSpool3; C:\Program Files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe [196624 2013-05-01] (Nitro PDF Software)
R3 TermService; C:\Windows\System32\termsrv.dll [543232 2009-07-14] (Microsoft Corporation) [File not signed]
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [714832 2013-08-05] (VMware, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2015-02-16] (LogMeIn, Inc.)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41936 2013-08-05] (VMware, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
R1 MpKslb7fd2ba4; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AAB1AAE9-8CDE-4ECF-8C08-C3D49DBFD2D8}\MpKslb7fd2ba4.sys [39168 2015-09-26] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-26 08:55 - 2015-09-26 08:55 - 00009312 _____ C:\Users\roland\Downloads\FRST.txt
2015-09-26 08:55 - 2015-09-26 08:55 - 00000000 ____D C:\FRST
2015-09-26 08:54 - 2015-09-26 08:54 - 01695744 _____ (Farbar) C:\Users\roland\Downloads\FRST.exe
2015-09-26 08:34 - 2012-06-03 00:19 - 01933848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-26 08:34 - 2012-06-03 00:19 - 00053784 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-26 08:34 - 2012-06-03 00:19 - 00045080 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-09-26 08:34 - 2012-06-03 00:12 - 02422272 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-26 08:34 - 2012-06-02 15:19 - 00171904 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-26 08:34 - 2012-06-02 15:12 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-26 08:32 - 2015-09-26 08:32 - 00000020 ___SH C:\Users\roland\ntuser.ini
2015-09-26 08:24 - 2015-09-26 08:24 - 00114832 _____ C:\Users\roland\AppData\Local\GDIPFONTCACHEV1.DAT
2015-09-26 08:24 - 2015-09-26 08:24 - 00002154 _____ C:\Windows\epplauncher.mif
2015-09-26 08:23 - 2015-09-26 08:23 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-09-26 08:23 - 2015-09-26 08:23 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-09-26 08:23 - 2010-04-09 09:24 - 01285000 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2015-09-26 08:23 - 2010-04-09 09:24 - 00240008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2015-09-26 08:20 - 2015-09-26 08:21 - 11588952 _____ (Microsoft Corporation) C:\Users\roland\Downloads\mseinstall.exe
2015-09-26 08:14 - 2015-09-26 08:15 - 00017085 _____ C:\Users\roland\Downloads\Addition.txt!___prosschiff@gmail.com_.crypt
2015-09-26 08:13 - 2015-09-26 08:15 - 00001352 _____ C:\Users\roland\Downloads\FRST.txt!___prosschiff@gmail.com_.crypt
2015-09-26 08:11 - 2015-09-26 08:11 - 01696994 _____ C:\Users\roland\Downloads\FRST.exe!___prosschiff@gmail.com_.crypt
2015-09-26 07:37 - 2015-09-26 07:37 - 00000000 ____D C:\Users\roland\AppData\Roaming\Macromedia
2015-09-26 07:37 - 2015-09-26 07:37 - 00000000 ____D C:\Users\roland\AppData\Roaming\Adobe
2015-09-26 00:56 - 2015-08-28 20:28 - 00020706 _____ C:\Users\roland\Desktop\RotoCrypt.exe!___prosschiff@gmail.com_.crypt
2015-09-22 16:01 - 2015-09-22 16:20 - 00002812 _____ C:\Users\roland\Desktop\mysql.txt.txt!___prosschiff@gmail.com_.crypt
2015-09-03 22:56 - 2015-09-03 22:56 - 00000000 ____D C:\Users\dries\AppData\Roaming\Macromedia
2015-09-03 22:55 - 2015-09-03 22:55 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-09-03 22:55 - 2015-09-03 22:55 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-09-03 22:55 - 2015-09-03 22:55 - 00000000 ____D C:\Windows\system32\Macromed
2015-09-03 01:45 - 2015-09-26 08:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-02 19:05 - 2015-09-02 19:05 - 01697405 ____R C:\Users\dries\Desktop\IMG_3574.mp4

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-26 08:48 - 2015-03-23 13:46 - 00000000 ____D C:\public
2015-09-26 08:44 - 2015-03-03 12:07 - 00000000 ____D C:\Users\roland\AppData\Local\LogMeIn Hamachi
2015-09-26 08:39 - 2015-03-03 12:07 - 00001044 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-26 08:34 - 2015-02-25 21:38 - 00363927 _____ C:\Windows\WindowsUpdate.log
2015-09-26 08:33 - 2015-04-29 11:13 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-09-26 08:33 - 2015-03-03 12:07 - 00001040 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-26 08:33 - 2015-03-03 12:07 - 00000000 ____D C:\Users\roland\AppData\Local\LogMeIn
2015-09-26 08:33 - 2009-07-14 06:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-09-26 08:32 - 2015-02-25 21:38 - 00000000 ____D C:\Users\roland
2015-09-26 08:31 - 2009-07-14 06:34 - 00020688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-26 08:31 - 2009-07-14 06:34 - 00020688 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-26 08:29 - 2015-02-25 21:41 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-26 08:24 - 2015-03-14 10:27 - 00017888 _____ C:\Windows\PFRO.log
2015-09-26 08:24 - 2015-02-26 19:13 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-09-26 08:24 - 2009-07-14 06:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-26 08:24 - 2009-07-14 06:39 - 00015307 _____ C:\Windows\setupact.log
2015-09-26 08:07 - 2015-02-26 22:29 - 00000000 ____D C:\temp
2015-09-26 08:01 - 2015-02-26 19:25 - 00116082 _____ C:\Users\roland\AppData\Local\GDIPFONTCACHEV1.DAT!___prosschiff@gmail.com_.crypt
2015-09-26 07:59 - 2015-04-27 23:03 - 00001850 _____ C:\Users\roland\AppData\Local\PUTTY.RND!___prosschiff@gmail.com_.crypt
2015-09-26 07:53 - 2015-03-14 11:56 - 00000000 ____D C:\Users\dries\AppData\Local\LogMeIn Hamachi
2015-09-26 07:52 - 2015-04-13 23:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-09-26 07:52 - 2015-04-13 23:12 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-09-26 07:37 - 2015-02-25 21:43 - 01678542 ____H C:\Users\roland\AppData\Local\IconCache.db!___prosschiff@gmail.com_.crypt
2015-09-26 07:35 - 2015-02-25 21:38 - 00001270 ___SH C:\Users\roland\ntuser.ini!___prosschiff@gmail.com_.crypt
2015-09-26 05:07 - 2015-03-16 16:31 - 00000000 ____D C:\ProgramData\DNS2Go
2015-09-26 00:59 - 2009-07-14 09:49 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-09-26 00:59 - 2009-07-14 04:37 - 00000000 __RHD C:\Users\Public\Libraries
2015-09-26 00:59 - 2009-07-14 04:37 - 00000000 ___RD C:\Users\Public
2015-09-26 00:58 - 2015-02-25 21:38 - 00000000 ____D C:\Users\roland\AppData\Local\VirtualStore
2015-09-26 00:57 - 2015-08-26 15:28 - 00000000 ____D C:\Users\roland\Downloads\icons
2015-09-26 00:57 - 2015-02-26 19:26 - 00000000 ____D C:\Users\roland\AppData\Roaming\VMware
2015-09-26 00:57 - 2015-02-26 19:25 - 00000000 ____D C:\Users\roland\Downloads\vmware_vsphere_client
2015-09-26 00:57 - 2015-02-25 21:38 - 00000000 ___RD C:\Users\roland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-09-26 00:57 - 2015-02-25 21:38 - 00000000 ___RD C:\Users\roland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-09-26 00:55 - 2015-08-13 14:20 - 00000000 ____D C:\Users\glenn\AppData\Local\VirtualStore
2015-09-26 00:55 - 2015-08-13 14:20 - 00000000 ____D C:\Users\glenn\AppData\Local\LogMeIn Hamachi
2015-09-26 00:55 - 2015-06-27 07:47 - 00012172 _____ C:\Users\roland\Desktop\readme.txt.txt!___prosschiff@gmail.com_.crypt
2015-09-25 00:52 - 2015-03-03 12:07 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-24 14:33 - 2015-04-27 10:53 - 00000306 _____ C:\Windows\ricdb.ini
2015-09-03 22:56 - 2015-04-27 14:30 - 00000000 ____D C:\Users\dries\AppData\Roaming\Adobe
2015-09-03 22:55 - 2015-04-27 10:52 - 00000000 ____D C:\Users\dries\AppData\Local\Adobe
2015-09-03 22:55 - 2015-03-14 11:56 - 00000000 ____D C:\Users\dries\AppData\Local\Google

==================== Files in the root of some directories =======

2015-04-27 23:03 - 2015-09-26 07:59 - 0001850 _____ () C:\Users\roland\AppData\Local\PUTTY.RND!___prosschiff@gmail.com_.crypt

Some files in TEMP:
====================
C:\Users\dries\AppData\Local\Temp\JingSetup.exe
C:\Users\dries\AppData\Local\Temp\nitro_reader3.exe
C:\Users\dries\AppData\Local\Temp\nitro_reader3_64.exe
C:\Users\roland\AppData\Local\Temp\JingSetup.exe
C:\Users\roland\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-21 00:46

==================== End of FRST.txt ============================

--- --- ---


Additional FRST Logfile:
Code:
scan result of Farbar Recovery Scan Tool (x86) Version:23-09-2015
Ran by roland (2015-09-26 08:55:46)
Running from C:\Users\roland\Downloads
Microsoft Windows 7 Professional  (X86) (2015-02-25 19:38:05)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3370153980-2594067740-2661373390-500 - Administrator - Disabled)
dries (S-1-5-21-3370153980-2594067740-2661373390-1002 - Administrator - Enabled) => C:\Users\dries
glenn (S-1-5-21-3370153980-2594067740-2661373390-1004 - Limited - Enabled) => C:\Users\glenn
Guest (S-1-5-21-3370153980-2594067740-2661373390-501 - Limited - Disabled)
roland (S-1-5-21-3370153980-2594067740-2661373390-1000 - Administrator - Enabled) => C:\Users\roland

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC - Nederlands (HKLM\...\{AC76BA86-7AD7-1043-7B44-AC0F074E4100}) (Version: 15.008.20082 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
AniTa Terminal (HKLM\...\AniTa Terminal) (Version:  - )
DNS2Go Client (HKLM\...\DNS2Go) (Version: 4.3.4.9 - Deerfield Communications Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Update Helper (Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
Jing (HKLM\...\{22800204-9E53-45C7-B6F3-5BB0F1C1A147}) (Version: 2.8.13007.1 - TechSmith Corporation)
LogMeIn Hamachi (HKLM\...\LogMeIn Hamachi) (Version: 2.2.0.383 - LogMeIn, Inc.)
LogMeIn Hamachi (Version: 2.2.0.383 - LogMeIn, Inc.) Hidden
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.149.2 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package - SE (HKLM\...\Microsoft Visual J# 2.0 Redistributable Package - SE) (Version:  - Microsoft Corporation)
Mozilla Firefox 40.0.3 (x86 nl) (HKLM\...\Mozilla Firefox 40.0.3 (x86 nl)) (Version: 40.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 40.0.3.5716 - Mozilla)
Nitro Reader 3 (HKLM\...\{1A383F2E-BB47-460E-ADC0-FEFBE5822680}) (Version: 3.5.3.14 - Nitro)
OpenOffice 4.1.1 (HKLM\...\{89FD914D-4472-4E4F-8638-69E857E82DC9}) (Version: 4.11.9775 - Apache Software Foundation)
PuTTY release 0.64 (HKLM\...\PuTTY_is1) (Version: 0.64 - Simon Tatham)
VMware vSphere Client 5.5 (HKLM\...\{4CFB0494-2E96-4631-8364-538E2AA91324}) (Version: 5.5.0.4216 - VMware, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

26-09-2015 08:34:03 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2015-07-16 17:50 - 00000854 ____A C:\Windows\system32\Drivers\etc\hosts
0.0.0.1	mssplus.mcafee.com

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {072AE657-8277-4E9A-B5FC-C171903D7E76} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {163FFD3B-9F06-4534-B5CA-81EEB7A000AD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {BD13B839-1AA5-4006-BE56-F7E71964472B} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {F2DB5923-A687-4634-B3FE-E42062482D79} - System32\Tasks\{E2483FAB-48D7-4402-9D46-94799D63A810} => pcalua.exe -a C:\Users\dries\Documents\setup.exe -d C:\Users\dries\Documents

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Hamachi2Svc => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3370153980-2594067740-2661373390-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\roland\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 195.238.2.21 - 195.238.2.22
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{8C05F13D-1942-45F4-AFC8-52418B5504EB}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{406B3EE4-5C8C-4E38-91E9-30415FBAC295}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{D4A3102A-938F-48F2-A412-64D7ECB9B0E9}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{09470014-4DC7-4FD6-972C-98F8E464CE72}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/26/2015 08:54:47 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:54:02 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:53:35 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:52:21 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:51:06 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:50:51 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:48:14 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:47:50 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:46:46 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (09/26/2015 08:44:26 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.


System errors:
=============
Error: (09/26/2015 08:34:52 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error: 
%%5

Error: (09/26/2015 08:33:18 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Kyocera ECOSYS M6026cdn KX required for printer Kyocera ECOSYS M6026cdn KX is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 08:33:11 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver 7-PDF Printer required for printer 7-PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 08:33:10 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 12 Printer required for printer Snagit 12 is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 08:29:37 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

Error: (09/26/2015 08:24:12 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (09/26/2015 07:56:22 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Kyocera ECOSYS M6026cdn KX required for printer Kyocera ECOSYS M6026cdn KX is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 07:56:19 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 12 Printer required for printer Snagit 12 is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 07:56:17 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver 7-PDF Printer required for printer 7-PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/26/2015 07:50:22 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Snagit 12 Printer required for printer Snagit 12 is unknown. Contact the administrator to install the driver before you log in again.


CodeIntegrity:
===================================
  Date: 2015-09-26 08:55:00.967
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 08:44:08.887
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 08:33:13.002
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 08:21:33.079
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 08:05:21.815
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 07:50:10.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 07:35:22.671
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-26 00:55:07.384
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-25 17:51:18.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-09-25 17:23:37.904
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info =========================== 

Processor: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
Percentage of memory in use: 81%
Total physical RAM: 1023.55 MB
Available physical RAM: 192.87 MB
Total Virtual: 2047.55 MB
Available Virtual: 888 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:23.9 GB) (Free:5.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 24 GB) (Disk ID: 84BC1B05)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=23.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
         

Old 27.09.2015, 14:53   #4
schrauber
/// the machine
/// TB trainer
 
Unfortunately, all data that has been encrypted can no longer be decrypted.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

No help via PM!
