Windows 7 infected with a Trojan
Hello everyone,
unfortunately a Trojan has caught me, and I need your help to get rid of it again.
Here is my log file, I hope you can help me :heulen:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by SYSTEM on MININT-U5EF7GB on 19-10-2013 11:01:03
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001 ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11895400 2011-06-24] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2588968 2010-11-12] (ELAN Microelectronics Corp.)
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-10-07] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-05-31] (Symantec Corporation)
HKLM-x32\...\Run: [RemoteControl10] - C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe [87336 2010-09-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-11-01] (CyberLink)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-26] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [PDFPrint] - C:\Win Progamme\PDF24\pdf24.exe [162856 2013-03-20] (Geek Software GmbH)
HKU\tut\...\Run: [LicenseValidator] - C:\Users\tut\AppData\Roaming\Identities\{792A6A18-3710-4E75-8873-015294AFC5B3}\LicenseValidator.exe
HKU\tut\...\Run: [Spiele Post] - C:\Program Files (x86)\OXXOGames\GPlayer\GameCenterNotifier.exe [480328 2013-04-24] (Intenium)
HKU\tut\...\Run: [Steam] - C:\Program Files (x86)\Steam\Steam.exe [1814440 2013-09-21] (Valve Corporation)
HKU\tut\...\Winlogon: [Shell] explorer.exe,C:\Users\tut\AppData\Roaming\data.dat [192512 2010-11-20] () <==== ATTENTION
AppInit_DLLs: C:\windows\system32\nvinitx.dll [226920 2011-05-04] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll [192616 2011-05-04] (NVIDIA Corporation)
==================== Services (Whitelisted) =================
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-05-31] (Symantec Corporation)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-11-30] ()
==================== Drivers (Whitelisted) ====================
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2011-10-13] (Windows (R) 2003 DDK 3790 provider)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2011-10-13] (Windows (R) 2003 DDK 3790 provider)
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-10-19 11:00 - 2013-10-19 11:00 - 00000000 ____D C:\FRST
2013-10-15 02:03 - 2013-10-17 09:25 - 00000004 _____ C:\Users\tut\AppData\Roaming\settings.ini
2013-10-03 06:19 - 2013-10-03 06:19 - 00000000 ____D C:\Users\tut\Documents\SpellForce2
2013-10-03 04:14 - 2013-10-03 04:14 - 00000221 _____ C:\Users\tut\Desktop\SpellForce 2 - Faith in Destiny.url
2013-10-03 03:51 - 2013-10-14 22:38 - 00000000 ____D C:\Program Files (x86)\Steam
2013-10-03 03:51 - 2013-10-03 03:51 - 00000917 _____ C:\Users\Public\Desktop\Steam.lnk
==================== One Month Modified Files and Folders =======
2013-10-19 11:00 - 2013-10-19 11:00 - 00000000 ____D C:\FRST
2013-10-17 09:25 - 2013-10-15 02:03 - 00000004 _____ C:\Users\tut\AppData\Roaming\settings.ini
2013-10-17 08:42 - 2011-09-06 08:21 - 01415992 _____ C:\Windows\WindowsUpdate.log
2013-10-14 22:45 - 2009-07-13 20:45 - 00020992 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-14 22:45 - 2009-07-13 20:45 - 00020992 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-14 22:38 - 2013-10-03 03:51 - 00000000 ____D C:\Program Files (x86)\Steam
2013-10-14 22:38 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-14 22:38 - 2009-07-13 20:51 - 00080497 _____ C:\Windows\setupact.log
2013-10-03 06:19 - 2013-10-03 06:19 - 00000000 ____D C:\Users\tut\Documents\SpellForce2
2013-10-03 05:11 - 2011-09-05 21:08 - 00643866 _____ C:\Windows\System32\perfh007.dat
2013-10-03 05:11 - 2011-09-05 21:08 - 00126394 _____ C:\Windows\System32\perfc007.dat
2013-10-03 05:11 - 2009-07-13 21:13 - 01472002 _____ C:\Windows\System32\PerfStringBackup.INI
2013-10-03 05:08 - 2011-09-05 17:19 - 00503608 _____ C:\Windows\DirectX.log
2013-10-03 04:14 - 2013-10-03 04:14 - 00000221 _____ C:\Users\tut\Desktop\SpellForce 2 - Faith in Destiny.url
2013-10-03 03:51 - 2013-10-03 03:51 - 00000917 _____ C:\Users\Public\Desktop\Steam.lnk
2013-10-03 03:51 - 2011-12-03 08:50 - 00000000 ____D C:\users\tut
2013-10-03 03:41 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-09-24 21:39 - 2011-12-24 00:39 - 00000000 ____D C:\Users\tut\AppData\Local\CrashDumps
2013-09-20 10:40 - 2012-08-25 23:00 - 00000000 ____D C:\Users\tut\AppData\Roaming\AlawarEntertainment
2013-09-20 09:39 - 2013-08-31 06:05 - 00000000 ____D C:\Users\tut\AppData\Roaming\Deep Shadows
ZeroAccess:
C:\Users\tut\AppData\Local\{d44ba306-5982-5dab-e0a1-b0fdac2f3aba}
C:\Users\tut\AppData\Local\{d44ba306-5982-5dab-e0a1-b0fdac2f3aba}\@
Files to move or delete:
====================
C:\Users\tut\AppData\Roaming\data.dat
C:\Users\tut\AppData\Roaming\settings.ini
C:\Users\tut\AppData\Roaming\i.ini
Some content of TEMP:
====================
C:\Users\tut\AppData\Local\Temp\AskSLib.dll
C:\Users\tut\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\tut\AppData\Local\Temp\LEGOBatman2.exe
C:\Users\tut\AppData\Local\Temp\lmpwcevltqdmtyfoprgpptiegwksf.exe
C:\Users\tut\AppData\Local\Temp\_inst1.exe
C:\Users\tut\AppData\Local\Temp\_inst2.exe
C:\Users\tut\AppData\Local\Temp\_inst3.exe
C:\Users\tut\AppData\Local\Temp\_inst4.exe
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
11
Restore point made on: 2013-01-14 10:23:36
Restore point made on: 2013-01-30 09:12:35
Restore point made on: 2013-01-31 10:12:03
Restore point made on: 2013-08-17 02:27:25
Restore point made on: 2013-08-24 04:15:30
Restore point made on: 2013-09-05 00:39:43
Restore point made on: 2013-09-15 01:31:35
Restore point made on: 2013-09-24 00:31:30
Restore point made on: 2013-10-03 03:46:58
Restore point made on: 2013-10-03 03:51:36
Restore point made on: 2013-10-03 05:07:58
==================== Memory info ===========================
Percentage of memory in use: 15%
Total physical RAM: 4008.19 MB
Available physical RAM: 3392.67 MB
Total Pagefile: 4006.39 MB
Available Pagefile: 3380.17 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:171 GB) (Free:115.13 GB) NTFS
Drive d: () (Fixed) (Total:503.87 GB) (Free:457.63 GB) NTFS
Drive f: (SAMSUNG_REC) (Fixed) (Total:23.67 GB) (Free:0.94 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: (INTENSO) (Removable) (Total:7.26 GB) (Free:7.26 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 699 GB) (Disk ID: 817D105E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=171 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=504 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=24 GB) - (Type=27)
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0C)
LastRegBack: 2013-09-24 00:24
==================== End Of Log ============================