Windows 10 Notebook von "Microsoft Mitarbeiter" gekapert

samthron · 15.07.2019, 16:05

Hallo,

ein Bekannter hat einen "Microsoft Mitarbeiter" auf sein Notebook gelassen, weil sein Rechner (auch tatsächlich) so langsam ist und sich einen Virus eingefangen hat. Er hat sich dann einen TimeViewer geladen und der "SupportMitarbeiter" hat sich auf den Rechner verbunden und sich 3 Tage lang gearbeitet. Eine neue Seriennummer installiert, die Postfächer bereinigt, das Onlinebanking geprüft, als mit allen Schikanen verarscht... Rechner und Handy gekapert, Router gekapert und dann munter Überweisungen getätigt...

Den Rechner habe ich mal mit der ESET-Rescue CD gebootet, gescannt und folgende schöne Dinge gefunden (Archivzugriffsfehler sind ausgeblendet):

Code:

ATTFilter

/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Downloaded Installers/{BA219F82-20BF-49AD-A279-E2D69D3B9D3F}/setup.msi » MSI » msi.cab » CAB » SlimCleanerPlus.exe - a variant of Win32/Slimware.B potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Mozilla/Firefox/Profiles/pebjh2p5.default-1398088373925-1513167997011/cache2/entries/ADF4825969C0D1FD5FC2A9F6F2C1A2315149DA5F » ZIP » js/PartnerId.js - JS/Mindspark.G potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/Downloads/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLMonitor.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLService.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUninstall.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUtil.dll - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPL.exe - a variant of MSIL/Tlapia.A potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{6FF69967-0BFE-4F14-B6DF-E73783E52340}/setup.msi » MSI » app.cab » CAB » F5fedfdf90c2b4567a5edbf92262a6182 - a variant of Win32/UwS.SlimDrivers.A application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{8AE269B5-4133-4FFC-9896-D718886D7D8F}/setup.msi » MSI » app.cab » CAB » Fe40ebec7b471432eaedb98be7633658b - a variant of Win32/UwS.SlimDrivers.A application - action selection postponed until scan completion
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Downloaded Installers/{BA219F82-20BF-49AD-A279-E2D69D3B9D3F}/setup.msi » MSI » msi.cab » CAB » SlimCleanerPlus.exe - a variant of Win32/Slimware.B potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/AppData/Local/Mozilla/Firefox/Profiles/pebjh2p5.default-1398088373925-1513167997011/cache2/entries/ADF4825969C0D1FD5FC2A9F6F2C1A2315149DA5F » ZIP » js/PartnerId.js - JS/Mindspark.G potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/Downloads/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLMonitor.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLService.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUninstall.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPLUtil.dll - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Downloads/java.exe » ADVANCEDINSTALLER » sysTPL.msi » MSI » disk1.cab » CAB » sysTPL.exe - a variant of MSIL/Tlapia.A potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite PS-E9NV5-CFKHK-UCGC7-CQZ85-L6BH4-K6YFP.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\rb.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/powersuite.exe » INNO » {tmp}\sp.exe » INNO » {app}\sump.exe - a variant of Win32/SpeedUpMyPC.H potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\Launcher.exe - a variant of Win32/RegistryBooster potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/Programme/Uniblue Programme/registrybooster RB-83KVK-GTYBA-V2K22-ZUWPM-DQK4P-2C32Z.exe » INNO » {app}\registrybooster.exe - a variant of Win32/RegistryBooster.D potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Elmar/Documents/StellarPhoenixWindowsDataRecovery-Home_PPCS.exe » WISE » stubWrapperRemote.exe » NSIS » Script.nsi - Win32/Toolbar.Conduit potentially unwanted application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{6FF69967-0BFE-4F14-B6DF-E73783E52340}/setup.msi » MSI » app.cab » CAB » F5fedfdf90c2b4567a5edbf92262a6182 - a variant of Win32/UwS.SlimDrivers.A application
/media/sdc1-usb-WDC_WD3200AAJB-0/Users/Public/Documents/Downloaded Installers/{8AE269B5-4133-4FFC-9896-D718886D7D8F}/setup.msi » MSI » app.cab » CAB » Fe40ebec7b471432eaedb98be7633658b - a variant of Win32/UwS.SlimDrivers.A application

Macht es jetzt Sinn hier mal zu versuchen, ESET das bereinigen zu lassen, oder ist es besser nach eurem Schema zu versuchen, den Rechner wieder sauber zu bekommen.
Die HDD habe ich schon mal auf eine externe Festplatte kopiert.

Vielen Dank für eure gute Arbeit und Hilfe!!

M-K-D-B · 15.07.2019, 19:31

Diese Masche gibt es nun schon seit über 8 Jahren... es wundert mich schon sehr, dass es immer noch genügend Menschen gibt, die darauf hereinfallen.

Alle betroffenen Geräte sind auf Werkseinstellungen zurücksetzen bzw. es ist eine Neuinstallation durchzuführen und alle Passwörter sind zu ändern.
Alles andere ist nicht zu vertreten.

Bitte lesen:
Betrüger geben sich als Mitarbeiter des Microsoft-Supports aus

samthron · 21.07.2019, 09:13

Hallo M-K-D-B,

das mit der Neuinstallation hatte ich fast befürchtet..
Es ist halt leider noch nicht wirklich in den Allerwelts-Medien angekommen, dass das doch viele nicht auf dem Schirm haben (leider).

Trotzdem Danke für deine Mühe und die gute Arbeit, die ihr mit diesem Dienst leistet!

Windows 10 Notebook von "Microsoft Mitarbeiter" gekapert

Diskussionsforum: Windows 10 Notebook von "Microsoft Mitarbeiter" gekapert