Trojaner-Board (https://www.trojaner-board.de/) - Log-Analyse und Auswertung - Win7 pro 64bit GUV virus with Fedpol message (https://www.trojaner-board.de/160351-win7-pro-64bit-guv-virus-fedpol-meldung.html)

actnow 03.11.2014 11:21

Win7 pro 64bit GUV virus with Fedpol message
 
I caught the GUV virus on Win7 Pro 64-bit. Even in Safe Mode the system shuts down again right away. I read here that you should create a log with the tool FRST64.exe. I did that; it looks as follows:
FRST Logfile:
Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-11-2014
Ran by SYSTEM on MININT-4LGSNLB on 03-11-2014 09:53:07
Running from F:\
Platform: Windows 7 Professional (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8114720 2009-09-12] (Realtek Semiconductor)
HKLM\...\Run: [PrnStatusMX] => C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [1240064 2012-07-04] (Marvell Semiconductor, Inc.)
HKLM\...\Run: [HPUsageTracking] => "\HP UT\bin\hppusg.exe" "\HP UT"
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] => C:\Windows\KHALMNPR.EXE [134160 2007-09-21] (Logitech, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-09-04] (Sonic Solutions)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\avor 1.WEISS\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-08-05] (Google Inc.)
HKU\avor 1.WEISS\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe -update activex
HKU\Avor 2\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-08-05] (Google Inc.)
HKU\Avor 2\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
Startup: C:\Users\Avor 1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)
Startup: C:\Users\Avor 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)
Startup: C:\Users\Avor 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\E7FAA706.cpp ()
Startup: C:\Users\avor1.WEISS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATKRufIdentServer; C:\Program Files (x86)\ATKRufIdent Server\ATKRufIdent.exe [383096 2012-10-01] (RI <hxxp://www.atkrufident.de>)
S2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-23] (SafeNet Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\607AAF7E.dot [331776 2014-11-01] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 CBUSB; C:\Windows\System32\drivers\CBUSB_64.sys [80000 2007-02-15] (MARX CryptoTech LP)
S2 hardlock; C:\Windows\system32\drivers\hardlock.sys [323584 2012-10-06] (SafeNet Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 09:52 - 2014-11-03 09:53 - 00000000 ____D () C:\FRST
2014-11-01 06:28 - 2014-11-01 06:28 - 00331776 ____T () C:\ProgramData\607AAF7E.dot
2014-11-01 06:28 - 2014-11-01 06:28 - 00196608 _____ () C:\ProgramData\E7FAA706.cpp
2014-10-31 08:18 - 2014-10-31 08:18 - 00000000 ____H () C:\Windows\System32\Drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2014-10-27 09:47 - 2014-10-27 09:47 - 00000000 ____D () C:\Users\Avor 2\Desktop\Neuer Ordner
2014-10-27 07:20 - 2014-10-28 07:06 - 00000205 ____H () C:\Users\Avor 2\Documents\Zeichnung1.dwl2
2014-10-27 07:20 - 2014-10-28 07:06 - 00000055 ____H () C:\Users\Avor 2\Documents\Zeichnung1.dwl
2014-10-27 07:17 - 2014-10-27 07:17 - 00001396 _____ () C:\Users\Avor 2\Desktop\KW44.xlsx - Verknüpfung.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 09:48 - 2014-07-25 09:59 - 00006679 _____ () C:\Windows\setupact.log
2014-11-03 09:48 - 2013-10-24 12:45 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-11-03 09:48 - 2011-02-09 11:47 - 00000120 _____ () C:\Windows\System32\config\netlogon.ftl
2014-11-03 09:48 - 2009-07-14 06:10 - 01730406 _____ () C:\Windows\WindowsUpdate.log
2014-11-03 09:48 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-03 09:45 - 2013-08-05 05:56 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 09:45 - 2009-07-14 05:45 - 00014256 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-03 09:45 - 2009-07-14 05:45 - 00014256 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-03 09:44 - 2011-02-02 19:25 - 00000000 ____D () C:\ProgramData\Sonic
2014-11-03 09:33 - 2013-04-29 10:09 - 00000000 ____D () C:\Users\Avor 2\AppData\Roaming\SoftGrid Client
2014-11-03 09:32 - 2013-08-05 05:56 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-03 07:09 - 2011-02-09 11:44 - 00000422 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2014-11-02 10:29 - 2009-07-14 18:58 - 00711842 _____ () C:\Windows\System32\perfh007.dat
2014-11-02 10:29 - 2009-07-14 18:58 - 00152868 _____ () C:\Windows\System32\perfc007.dat
2014-11-02 10:29 - 2009-07-14 06:13 - 01653084 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-31 06:41 - 2014-07-25 13:35 - 00176456 _____ () C:\Users\Avor 2\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-30 12:25 - 2011-02-09 12:06 - 00275080 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-10-28 08:02 - 2013-04-29 11:29 - 00100767 _____ () C:\Users\Avor 2\Documents\plot.log
2014-10-20 15:40 - 2013-08-05 05:56 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-20 15:40 - 2013-08-05 05:56 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\AcDeltree.exe
C:\Users\administrator\AppData\Local\Temp\applnch.exe
C:\Users\administrator\AppData\Local\Temp\Regsvr32.exe
C:\Users\Administrator.Avor_Dell01\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Avor\AppData\Local\Temp\AcDeltree.exe
C:\Users\Avor\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Avor\AppData\Local\Temp\MSNDA1A.exe
C:\Users\Avor 1\AppData\Local\Temp\AcDeltree.exe
C:\Users\Avor 1\AppData\Local\Temp\ApnStub.exe
C:\Users\Avor 1\AppData\Local\Temp\applnch.exe
C:\Users\Avor 1\AppData\Local\Temp\cljCP1215-HB-pd-win64-gep.exe
C:\Users\Avor 1\AppData\Local\Temp\contentDATs.exe
C:\Users\Avor 1\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Avor 1\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Avor 1\AppData\Local\Temp\Regsvr32.exe
C:\Users\Avor 1\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\avor 1.WEISS\AppData\Local\Temp\Messenger-full-installer.exe
C:\Users\avor 1.WEISS\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Avor 2\AppData\Local\Temp\CZhX.dll
C:\Users\avor1.WEISS\AppData\Local\Temp\AcDeltree.exe
C:\Users\avor1.WEISS\AppData\Local\Temp\applnch.exe
C:\Users\avor1.WEISS\AppData\Local\Temp\ContextualTabSelectorRules.dll
C:\Users\avor1.WEISS\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
C:\Users\avor1.WEISS\AppData\Local\Temp\SecurityScan_Release.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-10-02 11:24:07
Restore point made on: 2014-10-02 15:59:16
Restore point made on: 2014-10-06 05:41:59
Restore point made on: 2014-10-09 10:31:55
Restore point made on: 2014-10-13 05:38:51
Restore point made on: 2014-10-16 10:42:41
Restore point made on: 2014-10-20 05:49:02
Restore point made on: 2014-10-23 11:22:02
Restore point made on: 2014-10-27 06:50:33
Restore point made on: 2014-10-30 12:23:31
Restore point made on: 2014-11-03 06:42:23

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4094.8 MB
Available physical RAM: 3405.48 MB
Total Pagefile: 4092.95 MB
Available Pagefile: 3398.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:285.81 GB) (Free:181.84 GB) NTFS
Drive f: () (Removable) (Total:3.74 GB) (Free:0.03 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (RECOVERY) (Fixed) (Total:12.15 GB) (Free:5.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: B8000000)
Partition 1: (Not Active) - (Size=133 MB) - (Type=DE)
Partition 2: (Active) - (Size=12.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=285.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2014-10-27 09:09

==================== End Of Log ============================

--- --- ---

What is the next step? Many thanks for your help.

schrauber 03.11.2014 11:37

hi,

Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:

Startup: C:\Users\Avor 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\E7FAA706.cpp ()
S2 Winmgmt; C:\ProgramData\607AAF7E.dot [331776 2014-11-01] ()
C:\ProgramData\607AAF7E.dot
C:\ProgramData\E7FAA706.cpp

Please save it as Fixlist.txt on your USB stick.
  • Restart your computer into the repair options
  • Now start FRST.exe again and click the Fix button.

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.
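The two posts above boil down to a triage rule and a Fixlist built from its hits: the helper spotted an unsigned file with a non-executable extension in C:\ProgramData registered as the Winmgmt service, plus a Startup shortcut pointing at a second such file, and listed exactly those entries and files for FRST to remove. The following Python script is an added example, not the forum's or the FRST tool's own code: it parses the FRST line formats shown in the log (Startup/ShortcutTarget pairs and `S2 name; path [size date] (vendor)` service lines), scores each target with the indicators a helper reads off by eye (empty vendor string, non-executable extension, user-writable location, a built-in Windows service name whose binary is outside C:\Windows), and emits a Fixlist in the line format FRST accepts. The `BUILTIN_SERVICES` set, the two-indicator threshold and the `SAMPLE_LOG` excerpt (lines copied from the log above, trimmed) are assumptions of this example, not FRST behaviour.

```python
"""Triage autostart entries in a Farbar Recovery Scan Tool (FRST) log.

Added example for the thread above; it is not part of FRST and not the
helper's code. It reproduces by heuristics what the helper did by hand.
"""
import re
from pathlib import PureWindowsPath

# Line shapes as they appear in FRST.txt. Vendor is the trailing "(...)";
# "[X]" (file missing) lines have no size/date bracket and are ignored here.
SERVICE_RE = re.compile(r"^(S\d) (\S+); (.+?) \[(\d+) ([\d-]+)\] \(([^()]*)\)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (.+?) -> (.+?) \(([^()]*)\)$")

EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".com", ".scr"}
# Assumption: illustrative subset of service names that ship with Windows and
# whose ImagePath must stay under C:\Windows (extend from a known-good image).
BUILTIN_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog"}
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def reasons(path, vendor, service_name=None):
    """Return the heuristic indicators that apply to one autostart target."""
    found = []
    p = path.lower()
    suffix = PureWindowsPath(path).suffix.lower()
    if vendor.strip() == "":
        found.append("no vendor/signer string")
    if suffix not in EXECUTABLE_EXT:
        found.append("non-executable extension %s" % suffix)
    if any(marker in p for marker in USER_WRITABLE):
        found.append("user-writable location")
    if service_name and service_name.lower() in BUILTIN_SERVICES \
            and not p.startswith("c:\\windows\\"):
        found.append("built-in service %s outside C:\\Windows" % service_name)
    return found


def is_suspicious(found):
    """One strong indicator (hijacked built-in name) or two weak ones (assumed threshold)."""
    return any(f.startswith("built-in service") for f in found) or len(found) >= 2


def triage(log_text):
    """Parse FRST lines; return (findings, fixlist_lines).

    findings: list of (raw_line, indicators). fixlist_lines: the flagged
    entry lines verbatim (FRST removes the registry item / shortcut), then
    the referenced files sorted (FRST moves them to quarantine).
    """
    findings, entry_lines, files = [], [], set()
    pending_startup = None  # "Startup:" line waiting for its ShortcutTarget
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Startup: "):
            pending_startup = line
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            _, target, vendor = m.groups()
            found = reasons(target, vendor)
            if is_suspicious(found):
                findings.append((line, found))
                if pending_startup:
                    entry_lines.append(pending_startup)
                entry_lines.append(line)
                files.add(target)
        else:
            m = SERVICE_RE.match(line)
            if m:
                _, name, path, _, _, vendor = m.groups()
                found = reasons(path, vendor, service_name=name)
                if is_suspicious(found):
                    findings.append((line, found))
                    entry_lines.append(line)
                    files.add(path)
        pending_startup = None
    return findings, entry_lines + sorted(files)


# Constructed excerpt of the FRST log posted above (trimmed to a few lines).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
Startup: C:\Users\Avor 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE (Microsoft Corporation)
Startup: C:\Users\Avor 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\E7FAA706.cpp ()
S2 ATKRufIdentServer; C:\Program Files (x86)\ATKRufIdent Server\ATKRufIdent.exe [383096 2012-10-01] (RI <hxxp://www.atkrufident.de>)
S2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-23] (SafeNet Inc.)
S2 Winmgmt; C:\ProgramData\607AAF7E.dot [331776 2014-11-01] ()
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]
"""

if __name__ == "__main__":
    hits, fixlist = triage(SAMPLE_LOG)
    for line, why in hits:
        print(line, "\n   ->", "; ".join(why))
    print("\nFixlist.txt:\n" + "\n".join(fixlist))
```

Run as-is, it prints the two flagged entries with their indicators and a Fixlist identical to the one the helper posted. The vendor field is only a hint (FRST prints the file's version-info company name, which malware can forge), so the script never flags on it alone; the built-in-service-name check is the one indicator treated as sufficient by itself, because Winmgmt's real image is a Windows binary and an entry pointing anywhere else cannot be legitimate.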

Copyright ©2000-2025, Trojaner-Board