Log analysis and evaluation: PC locked by Bundespolizei (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system must first be examined: First steps for help. Keep in mind that an infected system is not trustworthy and should not be used until the malware has been removed completely.
19.11.2013, 16:16 #1
PC locked by Bundespolizei

Good evening, dear board team,

I have a PC here that has been locked by the "Bundespolizei" (Switzerland). I used FRST 32-bit and have the corresponding log file here. Contrary to some guides, the PC cannot be started in Safe Mode with Networking: the boot process starts but ends in a reboot. Fortunately, Windows 7 soon goes to "Repair your computer", where a command prompt is available. It looks as if no network connection is available; Norton Power Eraser reports accordingly. That was my first attempt before I used FRST.

Many thanks for your help
Renato

FRST log file:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
Ran by SYSTEM on MININT-C05A7UM on 19-11-2013 15:54:28
Running from M:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9914984 2010-11-30] (Realtek Semiconductor)
HKLM\...\Run: [PDF Complete] - C:\Program Files\PDF Complete\pdfsty.exe [658424 2011-05-05] (PDF Complete Inc)
HKLM\...\Run: [IMSS] - C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [112152 2011-01-17] (Intel Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [hpsysdrv] - C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-09-04] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM\...\Run: [FreePDF Assistant] - C:\Program Files\FreePDF_XP\fpassist.exe [373760 2013-03-14] (shbox.de)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-11] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\Salvador\...\Run: [] - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [ 2013-09-04] (Samsung)
HKU\Salvador\...\Run: [KiesPreload] - C:\Program Files\Samsung\Kies\Kies.exe [ 2013-09-04] (Samsung)
HKU\Salvador\...\Run: [KiesAirMessage] - C:\Program Files\Samsung\Kies\KiesAirMessage.exe [ 2013-03-20] (Samsung Electronics)

========================== Services (Whitelisted) =================

S2 FPLService; C:\Program Files\HP SimplePass 2011\TrueSuiteService.exe [260424 2011-09-26] (HP)
S2 Intel(R) PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
S2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-02-23] (Intel Corporation)
S2 NIS; C:\Program Files\Norton Internet Security\Engine\19.9.1.14\diMaster.dll [309688 2012-04-12] (Symantec Corporation)
S2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)

==================== Drivers (Whitelisted) ====================

S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20110519.002\BHDrvx86.sys [810616 2011-05-13] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1309010.00E\ccSetx86.sys [132768 2012-06-06] (Symantec Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-12-21] (Intel Corporation)
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [37344 2013-02-05] ()
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20110519.031\IDSVix86.sys [367736 2011-05-13] (Symantec Corporation)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x32.sys [264464 2010-08-13] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X32.sys [57616 2010-08-13] (Intel(R) Corporation)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110607.003\NAVENG.SYS [86008 2011-06-07] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110607.003\NAVEX15.SYS [1542392 2011-06-07] (Symantec Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [816792 2012-10-05] ()
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1309010.00E\SRTSP.SYS [574112 2012-07-05] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1309010.00E\SRTSPX.SYS [32928 2012-07-05] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NIS\1309010.00E\SYMDS.SYS [340088 2011-05-16] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NIS\1309010.00E\SYMEFA.SYS [924320 2012-05-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-10-15] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1309010.00E\Ironx86.SYS [149624 2012-04-17] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NIS\1309010.00E\SYMNETS.SYS [318584 2012-04-17] (Symantec Corporation)
S3 dgderdrv; System32\drivers\dgderdrv.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-19 15:54 - 2013-11-19 15:54 - 00000000 ____D C:\FRST
2013-11-19 15:49 - 2013-11-19 15:49 - 00000000 ____D C:\NPE
2013-11-19 14:07 - 2013-11-19 14:07 - 00000000 ____D C:\NBRT
2013-11-19 05:59 - 2013-11-19 05:59 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-11-18 07:57 - 2013-11-18 07:57 - 00000291 _____ C:\ProgramData\frfj6lcbn.reg
2013-11-18 07:56 - 2013-11-19 06:20 - 95025368 ____T C:\ProgramData\frfj6lcbn.bxx
2013-11-18 07:56 - 2013-11-19 06:20 - 00000000 _____ C:\ProgramData\frfj6lcbn.fvv
2013-11-18 07:56 - 2013-11-18 07:56 - 00180224 _____ C:\ProgramData\nbcl6jfrf.dss
2013-11-14 22:29 - 2013-11-14 22:30 - 00000000 ____D C:\Windows\System32\MRT
2013-11-12 07:44 - 2013-11-12 07:44 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-11-08 01:26 - 2013-11-17 21:55 - 00000520 _____ C:\Users\Salvador\Desktop\FOXUSER.DBF
2013-11-08 01:26 - 2013-11-17 21:55 - 00000512 _____ C:\Users\Salvador\Desktop\FOXUSER.FPT
2013-10-28 03:06 - 2013-11-19 15:37 - 00000000 ____D C:\Users\Salvador\AppData\Local\PokerStars
2013-10-28 03:06 - 2013-11-19 15:37 - 00000000 ____D C:\Program Files\PokerStars
2013-10-28 03:06 - 2013-10-28 03:06 - 00001021 _____ C:\Users\Public\Desktop\PokerStars.lnk
2013-10-28 03:05 - 2013-10-28 03:06 - 29026864 _____ (PokerStars) C:\Users\Salvador\Downloads\PokerStarsInstall.exe

==================== One Month Modified Files and Folders =======

2013-11-19 15:54 - 2013-11-19 15:54 - 00000000 ____D C:\FRST
2013-11-19 15:49 - 2013-11-19 15:49 - 00000000 ____D C:\NPE
2013-11-19 15:37 - 2013-10-28 03:06 - 00000000 ____D C:\Users\Salvador\AppData\Local\PokerStars
2013-11-19 15:37 - 2013-10-28 03:06 - 00000000 ____D C:\Program Files\PokerStars
2013-11-19 15:37 - 2012-10-05 12:44 - 00000000 ____D C:\ProgramData\Norton
2013-11-19 15:37 - 2012-10-05 03:54 - 00000000 ____D C:\users\Salvador
2013-11-19 15:37 - 2012-10-05 03:38 - 00000000 ____D C:\users\administrator
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\security
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-11-19 15:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-11-19 15:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-19 15:34 - 2012-10-05 04:08 - 00000000 __RHD C:\MSOCache
2013-11-19 14:07 - 2013-11-19 14:07 - 00000000 ____D C:\NBRT
2013-11-19 06:30 - 2012-10-05 12:43 - 00000000 ____D C:\ProgramData\PDFC
2013-11-19 06:20 - 2013-11-18 07:56 - 95025368 ____T C:\ProgramData\frfj6lcbn.bxx
2013-11-19 06:20 - 2013-11-18 07:56 - 00000000 _____ C:\ProgramData\frfj6lcbn.fvv
2013-11-19 06:20 - 2013-07-01 00:24 - 00000000 ____D C:\Users\Salvador\AppData\Local\FreePDF_XP
2013-11-19 06:03 - 2012-10-05 03:36 - 00000144 _____ C:\Windows\System32\config\netlogon.ftl
2013-11-19 05:59 - 2013-11-19 05:59 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-11-19 05:59 - 2012-10-05 03:40 - 00109672 _____ C:\Users\administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-18 07:57 - 2013-11-18 07:57 - 00000291 _____ C:\ProgramData\frfj6lcbn.reg
2013-11-18 07:56 - 2013-11-18 07:56 - 00180224 _____ C:\ProgramData\nbcl6jfrf.dss
2013-11-18 04:18 - 2012-10-14 22:26 - 00000000 ____D C:\Users\Salvador\AppData\Local\CrashDumps
2013-11-17 21:55 - 2013-11-08 01:26 - 00000520 _____ C:\Users\Salvador\Desktop\FOXUSER.DBF
2013-11-17 21:55 - 2013-11-08 01:26 - 00000512 _____ C:\Users\Salvador\Desktop\FOXUSER.FPT
2013-11-14 22:30 - 2013-11-14 22:29 - 00000000 ____D C:\Windows\System32\MRT
2013-11-12 07:44 - 2013-11-12 07:44 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-11-12 06:05 - 2012-11-07 06:24 - 00000000 ____D C:\Users\Salvador\Desktop\Retouren 1
2013-11-12 05:12 - 2012-10-05 03:54 - 00000000 ____D C:\Users\Salvador\AppData\Local\PDFC
2013-11-08 01:34 - 2009-07-13 20:34 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-08 01:34 - 2009-07-13 20:34 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-08 01:31 - 2010-11-20 13:01 - 01629212 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-08 01:30 - 2012-10-05 04:28 - 01989331 _____ C:\Windows\WindowsUpdate.log
2013-11-08 01:27 - 2009-07-13 20:39 - 00062337 _____ C:\Windows\setupact.log
2013-11-08 00:55 - 2013-05-05 21:02 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-11-08 00:55 - 2012-10-09 21:10 - 00000052 _____ C:\Windows\System32\DOErrors.log
2013-10-28 03:06 - 2013-10-28 03:06 - 00001021 _____ C:\Users\Public\Desktop\PokerStars.lnk
2013-10-28 03:06 - 2013-10-28 03:05 - 29026864 _____ (PokerStars) C:\Users\Salvador\Downloads\PokerStarsInstall.exe
2013-10-24 04:47 - 2013-02-15 00:29 - 00000000 ____D C:\Users\Salvador\Documents\SelfMV
2013-10-21 01:46 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF

Files to move or delete:
====================
C:\ProgramData\frfj6lcbn.bxx
C:\ProgramData\frfj6lcbn.fvv
C:\ProgramData\frfj6lcbn.reg
C:\ProgramData\nbcl6jfrf.dss

Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\applnch.exe
C:\Users\Salvador\AppData\Local\Temp\APNStub.exe
C:\Users\Salvador\AppData\Local\Temp\applnch.exe
C:\Users\Salvador\AppData\Local\Temp\Execute2App.exe
C:\Users\Salvador\AppData\Local\Temp\FileSystemView.dll
C:\Users\Salvador\AppData\Local\Temp\Kies2RemoveAll.exe
C:\Users\Salvador\AppData\Local\Temp\msvcp90.dll
C:\Users\Salvador\AppData\Local\Temp\msvcr90.dll
C:\Users\Salvador\AppData\Local\Temp\ose00000.exe
C:\Users\Salvador\AppData\Local\Temp\SAV2RemoveAll.exe
C:\Users\Salvador\AppData\Local\Temp\sp58915.exe
C:\Users\Salvador\AppData\Local\Temp\UninstallHPSA.exe

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

11
Restore point made on: 2013-09-29 20:58:19
Restore point made on: 2013-10-06 20:57:01
Restore point made on: 2013-10-09 07:48:25
Restore point made on: 2013-10-13 20:57:21
Restore point made on: 2013-10-20 21:01:10
Restore point made on: 2013-10-27 22:01:52
Restore point made on: 2013-11-08 01:52:53
Restore point made on: 2013-11-08 05:42:32
Restore point made on: 2013-11-11 21:45:47
Restore point made on: 2013-11-13 08:47:30
Restore point made on: 2013-11-14 22:29:26

==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 3984.02 MB
Available physical RAM: 3130.3 MB
Total Pagefile: 3982.3 MB
Available Pagefile: 3138.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.83 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:459.1 GB) (Free:420.27 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:6.56 GB) (Free:0.92 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (KIS2010_CH) (CDROM) (Total:0.2 GB) (Free:0 GB) CDFS
Drive l: (TREND MICRO USB SECURITY) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
Drive m: (RunTMUS) (Removable) (Total:7.44 GB) (Free:2.38 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: CAD7198C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=459 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=7 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-11-09 15:41

==================== End Of Log ============================
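An added triage example (editor's code, not part of the original post and not FRST's own logic): the script below parses entries in the format FRST uses in its "One Month Created Files and Folders" section above and re-derives the "Files to move or delete" candidates from them. The heuristic it applies is an assumption chosen to fit this log: a file that sits directly in C:\ProgramData and has a random-looking base name (8+ alphanumeric characters, at least one digit, almost no vowels), which is exactly what distinguishes frfj6lcbn.reg/.bxx/.fvv and nbcl6jfrf.dss from the legitimate entries around them. The sample lines are copied from the log above into a constructed string so the script runs offline; the output of fixlist_lines() is in the one-path-per-line form FRST expects in a fixlist.

```python
"""Triage of FRST "One Month Created Files" entries.

Added example for this thread; not FRST's own code and not part of the post.
It parses lines in the format FRST prints above
("created - modified - size attrs [(company)] path") and flags files that sit
directly in C:\\ProgramData with a random-looking base name, the pattern behind
frfj6lcbn.* and nbcl6jfrf.dss in "Files to move or delete". The thresholds in
looks_random() are assumptions chosen for this log, not FRST's rules.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from the log above, not the
# whole section.
SAMPLE = """\
2013-11-19 15:54 - 2013-11-19 15:54 - 00000000 ____D C:\\FRST
2013-11-18 07:57 - 2013-11-18 07:57 - 00000291 _____ C:\\ProgramData\\frfj6lcbn.reg
2013-11-18 07:56 - 2013-11-19 06:20 - 95025368 ____T C:\\ProgramData\\frfj6lcbn.bxx
2013-11-18 07:56 - 2013-11-19 06:20 - 00000000 _____ C:\\ProgramData\\frfj6lcbn.fvv
2013-11-18 07:56 - 2013-11-18 07:56 - 00180224 _____ C:\\ProgramData\\nbcl6jfrf.dss
2013-11-14 22:29 - 2013-11-14 22:30 - 00000000 ____D C:\\Windows\\System32\\MRT
2013-10-28 03:06 - 2013-10-28 03:06 - 00001021 _____ C:\\Users\\Public\\Desktop\\PokerStars.lnk
2013-10-28 03:05 - 2013-10-28 03:06 - 29026864 _____ (PokerStars) C:\\Users\\Salvador\\Downloads\\PokerStarsInstall.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str    # FRST attribute column: ____D directory, ____T temporary, ____H hidden
    company: str  # signer/company shown in parentheses, "" when FRST printed none
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_frst_files(text: str) -> list[Entry]:
    """Parse FRST created/modified file lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]),
                                 m["attrs"], m["company"] or "", m["path"]))
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic: 8+ alphanumeric chars, at least one digit, under 20% vowels.

    Dictionary-derived names (PokerStars, GDIPFONTCACHEV1) fail; 'frfj6lcbn'
    and 'nbcl6jfrf' pass. Thresholds are this example's assumptions.
    """
    s = stem.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    letters = [c for c in s if c.isalpha()]
    if not letters or not any(c.isdigit() for c in s):
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def suspicious_entries(entries: list[Entry]) -> list[Entry]:
    """Non-directory entries directly under C:\\ProgramData with a random-looking name."""
    out = []
    for e in entries:
        if e.is_dir:
            continue
        parent, name = ntpath.split(e.path)
        stem, _ext = ntpath.splitext(name)
        if parent.lower() == r"c:\programdata" and looks_random(stem):
            out.append(e)
    return out


def fixlist_lines(entries: list[Entry]) -> list[str]:
    """One absolute path per line, the form an FRST fixlist.txt uses."""
    return [e.path for e in suspicious_entries(entries)]


if __name__ == "__main__":
    for e in suspicious_entries(parse_frst_files(SAMPLE)):
        print(f"{e.created}  {e.size:>9}  {e.attrs}  {e.path}")
```

Run against the full log rather than the sample, the same four ProgramData files come out and nothing else does; the 95 MB .bxx file carrying the T (temporary) attribute is the one a responder would hash and submit first. Treat the output as a shortlist for a human, not as a verdict: a low-vowel name is a weak signal on its own, and the check deliberately ignores the Temp entries, which the reply below handles separately.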
20.11.2013, 00:18 #2
/// Winkelfunktion /// TB-Süch-Tiger™
PC locked by Bundespolizei

Please press the Windows key + R and type notepad into the Run window.
Now copy the following text from the code box into the empty text document.
Code:
C:\ProgramData\frfj6lcbn.bxx
C:\ProgramData\frfj6lcbn.fvv
C:\ProgramData\frfj6lcbn.reg
C:\ProgramData\nbcl6jfrf.dss
C:\Users\administrator\AppData\Local\Temp\applnch.exe
C:\Users\Salvador\AppData\Local\Temp\APNStub.exe
C:\Users\Salvador\AppData\Local\Temp\applnch.exe
C:\Users\Salvador\AppData\Local\Temp\Execute2App.exe
C:\Users\Salvador\AppData\Local\Temp\FileSystemView.dll
C:\Users\Salvador\AppData\Local\Temp\Kies2RemoveAll.exe
C:\Users\Salvador\AppData\Local\Temp\msvcp90.dll
C:\Users\Salvador\AppData\Local\Temp\msvcr90.dll
C:\Users\Salvador\AppData\Local\Temp\ose00000.exe
C:\Users\Salvador\AppData\Local\Temp\SAV2RemoveAll.exe
C:\Users\Salvador\AppData\Local\Temp\sp58915.exe
C:\Users\Salvador\AppData\Local\Temp\UninstallHPSA.exe
The tool creates a Fixlog.txt on your USB stick. Please post its contents here.