Trojaner-Board - Wieder einmal GVU-Trojaner

FRST Logfile:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-09-2013

Ran by SYSTEM on MINWINPC on 24-09-2013 21:50:24

Running from L:\

Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery
 

The current controlset is ControlSet001
 ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 

==================== Registry (Whitelisted) ==================
 

HKLM\...\Run: [StartCCC] - c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-01-21] (Advanced Micro Devices, Inc.)

HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6266880 2008-07-03] (Realtek Semiconductor)

HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-04] (Google)

HKLM\...\Run: [Google EULA Launcher] - c:\Program Files\Google\Google EULA\GoogleEULALauncher.exe [20480 2008-05-28] ( )

HKLM\...\Run: [SSBkgdUpdate] - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)

HKLM\...\Run: [PaperPort PTD] - C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [29984 2007-10-11] (Nuance Communications, Inc.)

HKLM\...\Run: [IndexSearch] - C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [46368 2007-10-11] (Nuance Communications, Inc.)

HKLM\...\Run: [PPort11reminder] - C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)

HKLM\...\Run: [BrMfcWnd] - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [741376 2007-11-05] (Brother Industries, Ltd.)

HKLM\...\Run: [ControlCenter3] - C:\Program Files\Brother\ControlCenter3\brctrcen.exe [77824 2007-10-30] (Brother Industries, Ltd.)

HKLM\...\Run: [AVMWlanClient] - C:\Program Files\avmwlanstick\wlangui.exe [1794048 2008-09-04] (AVM Berlin)

HKLM\...\Run: [Skytel] - C:\Windows\Skytel.exe [1826816 2008-06-25] (Realtek Semiconductor Corp.)

HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM\...\Run: [] - [x]

HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)

HKLM\...\Run: [LexwareInfoService] - C:\Program Files\Common Files\Lexware\Update Manager\LxUpdateManager.exe [189808 2011-07-31] (Haufe-Lexware GmbH & Co. KG)

HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)

HKLM\...\Run: [MailCheck IE Broker] - C:\Program Files\WEB.DE MailCheck\IE\WEB.DE_MailCheck_Broker.exe [1519680 2013-06-27] (1und1 Mail und Media GmbH)

HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ac16fd183d33e34befde7d36c5d8a7dd\n. ATTENTION! ====> ZeroAccess?

HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0

HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\RB\...\Run: [Picasa Media Detector] - C:\Program Files\Picasa2\PicasaMediaDetector.exe [ 2008-02-25] (Google Inc.)

HKU\RB\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-20] (Microsoft Corporation)

HKU\RB\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2009-02-21] (Google Inc.)

HKU\RB\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)

HKU\RB\...\Run: [Ybepzoi] - C:\Users\RB\AppData\Roaming\Eqsya\oboq.exe

HKU\RB\...\Winlogon: [Shell] Explorer.exe <==== ATTENTION 

Startup: C:\Users\RB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk

ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\RB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w8lfodqd.lnk

ShortcutTarget: w8lfodqd.lnk -> C:\PROGRA~2\dqdofl8w.plz (Hof, Inc)
 

========================== Services (Whitelisted) =================
 

S2 AVM WLAN Connection Service; C:\Program Files\avmwlanstick\WlanNetService.exe [364544 2008-09-04] (AVM Berlin)

S3 FirebirdServerMAGIXInstance; C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [1527900 2005-11-17] (MAGIX®)

S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-04] (Google)

S3 HRService; C:\Program Files\Haufe\iDesk\iDeskService\iDeskService.exe [70336 2008-08-19] ()

S2 NIS; C:\Program Files\Norton Internet Security\Engine\18.7.2.3\diMaster.dll [262584 2011-03-31] (Symantec Corporation)

S2 TestHandler; C:\Program Files\Fujitsu Siemens Computers\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe [303104 2008-04-25] (Fujitsu Siemens Computers)

S3 UPnPService; C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [544768 2006-12-14] (Magix AG)

S2 Winmgmt; C:\PROGRA~2\dqdofl8w.plz [131416 2013-09-11] (Hof, Inc)
 

==================== Drivers (Whitelisted) ====================
 

S2 acedrv11; C:\Windows\system32\drivers\acedrv11.sys [185472 2010-02-24] (Protect Software GmbH)

S4 ahcix86s; C:\Windows\system32\drivers\ahcix86s.sys [173576 2008-05-27] (AMD Technologies Inc.)

S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [4352 2007-12-19] (AVM Berlin)

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20130903.002\BHDrvx86.sys [1097816 2013-09-03] (Symantec Corporation)

S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)

S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-08-30] (Symantec Corporation)

S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-08-30] (Symantec Corporation)

S3 FWLANUSB; C:\Windows\System32\DRIVERS\fwlanusb.sys [265088 2007-01-25] (AVM GmbH)

S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20130910.001\IDSvix86.sys [392792 2013-08-13] (Symantec Corporation)

S4 JRAID; C:\Windows\system32\drivers\jraid.sys [76688 2008-04-03] (JMicron Technology Corp.)

S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20130910.016\NAVENG.SYS [93272 2013-08-30] (Symantec Corporation)

S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20130910.016\NAVEX15.SYS [1612376 2013-08-30] (Symantec Corporation)

S3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [147168 2008-06-18] (Realtek Semiconductor Corp.)

S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2007-11-07] (Sonic Solutions)

S1 SRTSP; C:\Windows\System32\Drivers\NIS\1207020.003\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)

S1 SRTSPX; C:\Windows\system32\drivers\NIS\1207020.003\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)

S0 SymDS; C:\Windows\System32\drivers\NIS\1207020.003\SYMDS.SYS [340088 2011-01-26] (Symantec Corporation)

S0 SymEFA; C:\Windows\System32\drivers\NIS\1207020.003\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)

S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [126584 2011-05-13] (Symantec Corporation)

S1 SymIRON; C:\Windows\system32\drivers\NIS\1207020.003\Ironx86.SYS [136312 2011-01-26] (Symantec Corporation)

S1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1207020.003\SYMTDIV.SYS [331384 2011-04-20] (Symantec Corporation)

S3 IpInIp; system32\DRIVERS\ipinip.sys [x]

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

S3 SYMDNS; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMDNS.SYS [x]

S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1007020.00B\SYMFW.SYS [x]

S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1007020.00B\SYMNDISV.SYS [x]

S3 SYMREDRV; \SystemRoot\System32\Drivers\NIS\1002000.007\SYMREDRV.SYS [x]
 

==================== NetSvcs (Whitelisted) ===================
 
 

==================== One Month Created Files and Folders ========
 

2013-09-19 18:27 - 2013-09-19 18:27 - 00000000 ____D C:\FRST

2013-09-19 13:02 - 2013-09-19 13:08 - 184283352 _____ C:\Program Files\setup_11.0.1.1245.x01_2013_09_19_20_32.exe

2013-09-11 04:34 - 2013-09-11 04:34 - 00086168 ____T C:\ProgramData\jrlr.exe

2013-09-11 04:34 - 2013-09-11 04:34 - 00000000 ____D C:\Users\RB\AppData\Local\Minrd

2013-09-11 04:30 - 2013-09-19 11:32 - 95025368 ____T C:\ProgramData\w8lfodqd.pff

2013-09-11 04:30 - 2013-09-19 11:28 - 00000000 _____ C:\ProgramData\w8lfodqd.ctrl

2013-09-11 04:30 - 2013-09-11 04:30 - 00131416 _____ (Hof, Inc) C:\ProgramData\dqdofl8w.plz

2013-09-11 04:20 - 2013-09-11 04:20 - 00000000 ____D C:\Users\RB\AppData\Local\WarThunder

2013-09-11 04:20 - 2013-09-11 04:20 - 00000000 ____D C:\ProgramData\WarThunder

2013-08-30 03:38 - 2013-08-01 20:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL

2013-08-25 06:19 - 2013-08-25 06:19 - 00012297 _____ C:\Users\RB\Documents\abzugsfähige Handwerkerleistungen.xlsx
 

==================== One Month Modified Files and Folders =======
 

2013-09-19 18:27 - 2013-09-19 18:27 - 00000000 ____D C:\FRST

2013-09-19 13:08 - 2013-09-19 13:02 - 184283352 _____ C:\Program Files\setup_11.0.1.1245.x01_2013_09_19_20_32.exe

2013-09-19 12:29 - 2008-11-09 03:14 - 01718627 _____ C:\Windows\WindowsUpdate.log

2013-09-19 12:29 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2013-09-19 12:29 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2013-09-19 11:32 - 2013-09-11 04:30 - 95025368 ____T C:\ProgramData\w8lfodqd.pff

2013-09-19 11:28 - 2013-09-11 04:30 - 00000000 _____ C:\ProgramData\w8lfodqd.ctrl

2013-09-19 11:14 - 2006-11-02 04:52 - 00117233 _____ C:\Windows\setupact.log

2013-09-11 04:34 - 2013-09-11 04:34 - 00086168 ____T C:\ProgramData\jrlr.exe

2013-09-11 04:34 - 2013-09-11 04:34 - 00000000 ____D C:\Users\RB\AppData\Local\Minrd

2013-09-11 04:33 - 2008-01-20 18:47 - 00070048 _____ C:\Windows\PFRO.log

2013-09-11 04:30 - 2013-09-11 04:30 - 00131416 _____ (Hof, Inc) C:\ProgramData\dqdofl8w.plz

2013-09-11 04:25 - 2012-06-11 02:10 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-09-11 04:24 - 2012-10-07 03:13 - 00000000 ____D C:\Program Files\WEB.DE MailCheck

2013-09-11 04:20 - 2013-09-11 04:20 - 00000000 ____D C:\Users\RB\AppData\Local\WarThunder

2013-09-11 04:20 - 2013-09-11 04:20 - 00000000 ____D C:\ProgramData\WarThunder

2013-09-11 03:55 - 2012-09-18 08:47 - 00001977 _____ C:\Users\Public\Desktop\Google Chrome.lnk

2013-09-11 03:27 - 2012-06-29 00:02 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-09-11 03:27 - 2012-02-04 03:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-09-09 07:59 - 2008-01-20 23:16 - 01445546 _____ C:\Windows\System32\PerfStringBackup.INI

2013-08-30 08:10 - 2008-11-09 03:31 - 00000000 ____D C:\Users\RB\AppData\Local\Google

2013-08-26 08:15 - 2010-09-16 08:14 - 00000000 ____D C:\Users\RB\Desktop\Förderverein

2013-08-25 06:19 - 2013-08-25 06:19 - 00012297 _____ C:\Users\RB\Documents\abzugsfähige Handwerkerleistungen.xlsx

2013-08-25 05:49 - 2008-11-09 04:12 - 00002633 _____ C:\Users\RB\Desktop\Microsoft Office Excel 2007.lnk
 

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1544186704-2650546804-3012174185-1000\$ac16fd183d33e34befde7d36c5d8a7dd
 

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$ac16fd183d33e34befde7d36c5d8a7dd
 

Files to move or delete:

====================

C:\Users\RB\AppData\Roaming\skype.ini

C:\ProgramData\dqdofl8w.plz

C:\ProgramData\jrlr.exe

C:\ProgramData\w8lfodqd.ctrl

C:\ProgramData\w8lfodqd.pff
 
 

Some content of TEMP:

====================

C:\Users\RB\AppData\Local\Temp\ApnStub.exe

C:\Users\RB\AppData\Local\Temp\FileSystemView.dll

C:\Users\RB\AppData\Local\Temp\FlashPlayerUpdate.exe

C:\Users\RB\AppData\Local\Temp\FlashPlayerUpdate01.exe

C:\Users\RB\AppData\Local\Temp\FlashPlayerUpdate02.exe

C:\Users\RB\AppData\Local\Temp\InstallAX.exe

C:\Users\RB\AppData\Local\Temp\InstallFlashPlayer.exe

C:\Users\RB\AppData\Local\Temp\install_flashplayer11x32axau_chra_awa_aih.exe

C:\Users\RB\AppData\Local\Temp\jre-6u17-windows-i586-iftw-rv.exe

C:\Users\RB\AppData\Local\Temp\jre-6u20-windows-i586-iftw-rv.exe

C:\Users\RB\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe

C:\Users\RB\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe

C:\Users\RB\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe

C:\Users\RB\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe

C:\Users\RB\AppData\Local\Temp\ose00000.exe

C:\Users\RB\AppData\Local\Temp\SearchWithGoogleUpdate.exe

C:\Users\RB\AppData\Local\Temp\setup.exe

C:\Users\RB\AppData\Local\Temp\unwise.exe

C:\Users\RB\AppData\Local\Temp\WEB.DE_Sicherheitsupdate_Sep2012_Setup.exe

C:\Users\RB\AppData\Local\Temp\WEB.DE_Toolbar_IE_Setup.exe

C:\Users\RB\AppData\Local\Temp\WEB.DE_Toolbar_IE_Setup_quiet.exe

C:\Users\RB\AppData\Local\Temp\WEB.DE_Toolbar_IE_Special.exe

C:\Users\RB\AppData\Local\Temp\xfdvykemhcqwjfvruue.bfg

C:\Users\RB\AppData\Local\Temp\_is119D.exe

C:\Users\RB\AppData\Local\Temp\_is2116.exe

C:\Users\RB\AppData\Local\Temp\_is2AA9.exe

C:\Users\RB\AppData\Local\Temp\_is3247.exe

C:\Users\RB\AppData\Local\Temp\_is3468.exe

C:\Users\RB\AppData\Local\Temp\_is46A1.exe

C:\Users\RB\AppData\Local\Temp\_is52EF.exe

C:\Users\RB\AppData\Local\Temp\_is5494.exe

C:\Users\RB\AppData\Local\Temp\_is608.exe

C:\Users\RB\AppData\Local\Temp\_is621C.exe

C:\Users\RB\AppData\Local\Temp\_is6805.exe

C:\Users\RB\AppData\Local\Temp\_is750.exe

C:\Users\RB\AppData\Local\Temp\_is8095.exe

C:\Users\RB\AppData\Local\Temp\_is865E.exe

C:\Users\RB\AppData\Local\Temp\_isAA63.exe

C:\Users\RB\AppData\Local\Temp\_isB98F.exe

C:\Users\RB\AppData\Local\Temp\_isC20.exe

C:\Users\RB\AppData\Local\Temp\_isC7C2.exe

C:\Users\RB\AppData\Local\Temp\_isDACA.exe

C:\Users\RB\AppData\Local\Temp\_isEDF8.exe

C:\Users\RB\AppData\Local\Temp\_isF037.exe
 
 

==================== Known DLLs (Whitelisted) ============
 
 

==================== Bamital & volsnap Check =================
 

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 

==================== EXE ASSOCIATION =====================
 

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK
 

==================== Restore Points  =========================
 

Restore point made on: 2013-02-17 03:46:47

Restore point made on: 2013-03-13 08:43:39

Restore point made on: 2013-03-18 04:20:42

Restore point made on: 2013-04-11 10:18:24

Restore point made on: 2013-04-26 05:30:19

Restore point made on: 2013-05-16 07:31:20

Restore point made on: 2013-06-12 07:40:39

Restore point made on: 2013-06-16 05:23:49

Restore point made on: 2013-07-12 08:16:43

Restore point made on: 2013-07-29 02:20:23

Restore point made on: 2013-08-14 10:15:53

Restore point made on: 2013-08-30 03:56:26
 

==================== Memory info =========================== 
 

Percentage of memory in use: 14%

Total physical RAM: 3326.51 MB

Available physical RAM: 2856.79 MB

Total Pagefile: 3074.3 MB

Available Pagefile: 2923.69 MB

Total Virtual: 2047.88 MB

Available Virtual: 1972.92 MB
 

==================== Drives ================================
 

Drive c: (SYSTEM) (Fixed) (Total:197.1 GB) (Free:115.95 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive d: (DATA) (Fixed) (Total:390.28 GB) (Free:390.07 GB) NTFS

Drive f: (WinRE) (Fixed) (Total:8.79 GB) (Free:1.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Drive l: (WIN7) (Removable) (Total:14.88 GB) (Free:14.88 GB) FAT32

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 

==================== MBR & Partition Table ==================
 

========================================================

Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596 GB) (Disk ID: 5D970B5E)

Partition 1: (Not Active) - (Size=9 GB) - (Type=27)

Partition 2: (Active) - (Size=197 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=390 GB) - (Type=07 NTFS)
 

========================================================

Disk: 6 (MBR Code: Windows 7 or 8) (Size: 15 GB) (Disk ID: 00000000)

Partition 1: (Active) - (Size=15 GB) - (Type=0C)
 
 

LastRegBack: 2013-09-19 12:32
 

==================== End Of Log ============================
--- --- ---

--- --- ---