Log Analysis and Evaluation: Vista - white screen after booting (allegedly BKA trojan)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Vista - white screen after booting (allegedly BKA trojan)

Hi everyone, I have a problem with an acquaintance's laptop. He said he saw something about the BKA on it... I can't reproduce it any more; all that comes up is a white screen. Here is the FRST scan:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-07-2013
Ran by SYSTEM on 14-07-2013 10:55:36
Running from G:\
Windows Vista (TM) Home Premium (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [UCam_Menu] - "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0" [222504 2007-12-24] (CyberLink Corp.)
HKLM\...\Run: [QPService] - "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2008-06-11] (CyberLink Corp.)
HKLM\...\Run: [Windows Defender] - %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [202032 2008-05-12] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Health Check Scheduler] - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [70912 2008-04-15] (Hewlett-Packard)
HKLM\...\Run: [HP Software Update] - C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SunJavaUpdateSched] - "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [144784 2008-02-22] (Sun Microsystems, Inc.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2569616 2010-07-25] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] - C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1213848 2010-09-14] (CANON INC.)
HKLM\...\Run: [IJNetworkScannerSelectorEX] - C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE [452016 2010-09-09] (CANON INC.)
HKLM\...\Run: [AVG_UI] - "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13543968 2008-06-09] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [92704 2008-06-09] (NVIDIA Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe
HKU\Manfred\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2008-02-26] (Hewlett-Packard Company)
HKU\Manfred\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-21] (Microsoft Corporation)
HKU\Manfred\...\Policies\system: [DisableLockWorkstation] 0
HKU\Manfred\...\Policies\system: [DisableChangePassword] 0
HKU\Manfred\...\Winlogon: [Shell] explorer.exe,C:\Users\Manfred\AppData\Roaming\cache.dat <==== ATTENTION
Startup: C:\Users\Manfred\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-04-15] (Hewlett-Packard)
S2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [137680 2010-07-27] ()
S2 Realtek11nSU; C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [36864 2010-04-16] (Realtek)
S2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] ()
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
S3 usnjsvc; C:\Program Files\MSN Messenger\usnsvc.exe [97136 2007-01-19] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-03-29] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-03-01] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [170808 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [245048 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 netr28u; system32\DRIVERS\netr28u.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 RTSTOR; system32\drivers\RTSTOR.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-14 10:55 - 2013-07-14 10:55 - 00000000 ____D C:\FRST
2013-07-11 13:49 - 2013-07-14 09:31 - 00000004 _____ C:\Users\Manfred\AppData\Roaming\cache.ini
2013-07-11 06:56 - 2013-05-29 02:56 - 12333568 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 06:56 - 2013-05-29 02:50 - 01800704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 06:56 - 2013-05-29 02:48 - 09738752 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 06:56 - 2013-05-29 02:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-07-11 06:56 - 2013-05-29 02:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 06:56 - 2013-05-29 02:41 - 01104384 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 06:56 - 2013-05-29 02:40 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-07-11 06:56 - 2013-05-29 02:38 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 06:56 - 2013-05-29 02:37 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-07-11 06:56 - 2013-05-29 02:36 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-07-11 06:56 - 2013-05-29 02:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 06:56 - 2013-05-29 02:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 06:56 - 2013-05-29 02:33 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 06:56 - 2013-05-29 02:33 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 06:56 - 2013-05-29 02:33 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-07-11 06:56 - 2013-05-29 02:29 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-10 21:23 - 2013-06-04 02:50 - 02049024 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 21:23 - 2013-04-17 11:10 - 01069056 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-10 21:22 - 2013-06-01 05:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 21:22 - 2013-05-08 05:04 - 01548288 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 21:22 - 2013-04-17 12:28 - 01029120 _____ (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-07-10 21:22 - 2013-04-17 12:28 - 00219648 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-07-10 21:22 - 2013-04-17 12:28 - 00189952 _____ (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-07-10 21:22 - 2013-04-17 12:28 - 00160768 _____ (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-07-10 21:22 - 2013-04-17 11:34 - 01172480 _____ (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-07-10 21:22 - 2013-04-17 11:33 - 00486400 _____ (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-07-10 21:22 - 2013-04-17 11:14 - 00683008 _____ (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-07-10 21:22 - 2013-04-17 11:10 - 00798208 _____ (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-07-05 17:05 - 2013-07-05 17:05 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

2013-07-14 10:55 - 2013-07-14 10:55 - 00000000 ____D C:\FRST
2013-07-14 09:31 - 2013-07-11 13:49 - 00000004 _____ C:\Users\Manfred\AppData\Roaming\cache.ini
2013-07-14 09:29 - 2013-03-23 16:49 - 00007592 _____ C:\Users\Manfred\AppData\Local\d3d9caps.dat
2013-07-14 09:29 - 2013-03-23 09:07 - 00000249 _____ C:\Users\Public\Documents\hpqp.ini
2013-07-14 09:29 - 2013-03-23 09:07 - 00000249 _____ C:\ProgramData\Documents\hpqp.ini
2013-07-14 09:29 - 2013-03-23 09:00 - 00158629 _____ C:\ProgramData\nvModes.dat
2013-07-14 09:29 - 2013-03-23 09:00 - 00158629 _____ C:\ProgramData\nvModes.001
2013-07-14 09:29 - 2006-11-02 13:47 - 00003216 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-14 09:29 - 2006-11-02 13:47 - 00003216 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-14 09:25 - 2013-03-23 08:44 - 02056192 _____ C:\Windows\WindowsUpdate.log
2013-07-13 16:36 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-07-13 16:15 - 2013-03-25 17:59 - 00000000 ____D C:\ProgramData\MFAData
2013-07-11 18:18 - 2006-11-02 11:33 - 00005552 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-11 13:30 - 2013-03-25 20:01 - 00003320 _____ C:\Users\Manfred\AppData\Roaming\wklnhst.dat
2013-07-11 07:22 - 2006-11-02 13:47 - 00321456 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 07:19 - 2006-11-02 13:37 - 00000000 ____D C:\Windows\System32\XPSViewer
2013-07-11 06:58 - 2006-11-02 11:24 - 75699896 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-07-11 06:49 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-09 13:40 - 2013-03-25 18:10 - 00000858 _____ C:\Users\Public\Desktop\AVG 2013.lnk
2013-07-09 13:40 - 2013-03-25 18:10 - 00000858 _____ C:\ProgramData\Desktop\AVG 2013.lnk
2013-07-09 13:40 - 2006-11-02 12:18 - 00000000 __RHD C:\Users\Public\Desktop
2013-07-09 07:47 - 2013-03-23 16:32 - 00000000 ____D C:\ProgramData\CanonIJPLM
2013-07-06 16:11 - 2013-03-25 17:28 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-05 17:05 - 2013-07-05 17:05 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-21 15:30 - 2013-03-23 15:08 - 00000052 _____ C:\Windows\System32\DOErrors.log

Files to move or delete:
====================
C:\ProgramData\nvModes.dat

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-04-04 16:21:57
Restore point made on: 2013-04-11 16:37:25
Restore point made on: 2013-04-22 18:59:10
Restore point made on: 2013-04-25 09:22:00
Restore point made on: 2013-05-10 13:35:57
Restore point made on: 2013-05-14 12:35:02
Restore point made on: 2013-05-17 09:09:00
Restore point made on: 2013-05-26 07:38:16
Restore point made on: 2013-06-13 17:57:57
Restore point made on: 2013-06-15 16:35:43
Restore point made on: 2013-06-18 17:50:30
Restore point made on: 2013-06-20 15:01:16
Restore point made on: 2013-07-11 06:48:40

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3068.57 MB
Available physical RAM: 2554.38 MB
Total Pagefile: 2801.52 MB
Available Pagefile: 2601.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.49 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:223.9 GB) (Free:161.29 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (PRESARIO_RP) (Fixed) (Total:8.98 GB) (Free:0.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (RICO_1GB) (Removable) (Total:0.95 GB) (Free:0.94 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 1163E3AD)
Partition 1: (Active) - (Size=224 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=9 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 977 MB) (Disk ID: 00369EBA)
Partition 1: (Active) - (Size=968 MB) - (Type=06)

LastRegBack: 2013-07-13 16:25

==================== End Of Log ============================