Weisser Bildschirm Virus

yaman · 02.02.2014, 16:11

Hallo,

der Laptop von einem Freund ist von einem Virus befallen. Beim Starten von Windows ( Win 7)
sieht man nur einen weissen Bildschirm.

Abgesicherter Modus usw. funktioniert auch nicht, da der Rechner sofort herunterfährt.

Ich habe hier einige Themen mit ähnlichen Problemen durchgelesen und habe dann mit frst gescannt.

Hier der frst.txt, ich bitte um Hilfe. Vielen Dank im Voraus.

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2014 04
Ran by SYSTEM on MININT-POKQJ9U on 01-02-2014 21:57:08
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2226280 2011-05-22] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] - C:\Program Files\Elantech\ETDCtrl.exe [2587944 2010-12-31] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Setwallpaper] - c:\programdata\SetWallpaper.cmd
HKLM-x32\...\Run: [Nuance PDF Reader-reminder] - C:\Program Files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe [328992 2008-11-03] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ASUSPRP] - C:\Program Files (x86)\ASUS\APRP\APRP.EXE [2018032 2011-04-12] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSWebStorage] - C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe [731472 2011-02-23] (ecareme)
HKLM-x32\...\Run: [SonicMasterTray] - C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] - C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] - C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] - C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2255360 2011-06-10] (ASUS)
HKLM-x32\...\Run: [UpdateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\canpolat\...\Run: [Facebook Update] - C:\Users\canpolat\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-09-29] (Facebook Inc.)
HKU\canpolat\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [19604072 2013-06-03] (Skype Technologies S.A.)
HKU\canpolat\...\Winlogon: [Shell] explorer.exe,C:\Users\canpolat\AppData\Roaming\skype.dat [106496 2014-01-17] () <==== ATTENTION 

==================== Services (Whitelisted) =================

S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
S2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [246112 2012-11-17] ()

==================== Drivers (Whitelisted) ====================

S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-01 21:56 - 2014-02-01 21:57 - 00000000 ____D () C:\FRST
2014-01-31 11:00 - 2014-01-31 11:00 - 00003224 ____N () C:\bootsqm.dat
2014-01-19 08:40 - 2013-11-26 02:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-01-19 07:54 - 2013-11-26 03:25 - 00267936 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-01-19 06:55 - 2014-01-19 07:07 - 00002872 _____ () C:\Windows\System32\TmInstall.log
2014-01-19 06:55 - 2014-01-19 06:55 - 00004280 _____ () C:\Windows\SysWOW64\TmInstall.log
2014-01-19 06:45 - 2014-01-19 06:51 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-01-17 16:13 - 2014-02-01 12:32 - 00000004 _____ () C:\Users\canpolat\AppData\Roaming\skype.ini
2014-01-17 16:01 - 2013-11-26 17:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbhub.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbport.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbccgp.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbehci.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbuhci.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbohci.sys
2014-01-17 16:01 - 2013-11-26 17:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\usbd.sys

==================== One Month Modified Files and Folders =======

2014-02-01 21:57 - 2014-02-01 21:56 - 00000000 ____D () C:\FRST
2014-02-01 21:29 - 2013-03-02 05:57 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-02-01 21:29 - 2012-02-08 15:18 - 00000000 ____D () C:\ProgramData\P4G
2014-02-01 21:29 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-02-01 12:35 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-01 12:35 - 2009-07-13 20:51 - 00172236 _____ () C:\Windows\setupact.log
2014-02-01 12:32 - 2014-01-17 16:13 - 00000004 _____ () C:\Users\canpolat\AppData\Roaming\skype.ini
2014-02-01 12:32 - 2011-04-12 18:33 - 00001120 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-01 12:31 - 2011-09-14 00:17 - 00000000 ____D () C:\users\canpolat
2014-02-01 12:12 - 2011-09-14 00:18 - 00000000 ___HD () C:\ASUS.DAT
2014-01-31 11:00 - 2014-01-31 11:00 - 00003224 ____N () C:\bootsqm.dat
2014-01-31 10:18 - 2011-07-13 21:11 - 01867256 _____ () C:\Windows\WindowsUpdate.log
2014-01-26 11:42 - 2013-03-20 03:54 - 00000000 ____D () C:\Users\canpolat\AppData\Roaming\Skype
2014-01-26 11:42 - 2011-03-17 03:52 - 00008768 _____ () C:\Windows\System32\perfh019.dat
2014-01-26 11:42 - 2011-03-17 03:52 - 00006674 _____ () C:\Windows\System32\perfc019.dat
2014-01-26 11:42 - 2011-02-18 21:02 - 00007706 _____ () C:\Windows\System32\perfh00D.dat
2014-01-26 11:42 - 2011-02-18 21:02 - 00006270 _____ () C:\Windows\System32\perfc00D.dat
2014-01-26 11:42 - 2011-02-18 20:56 - 00563416 _____ () C:\Windows\System32\perfh008.dat
2014-01-26 11:42 - 2011-02-18 20:56 - 00093422 _____ () C:\Windows\System32\perfc008.dat
2014-01-26 11:42 - 2011-02-18 20:51 - 00006414 _____ () C:\Windows\System32\prfh0404.dat
2014-01-26 11:42 - 2011-02-18 20:51 - 00006270 _____ () C:\Windows\System32\prfc0404.dat
2014-01-26 11:42 - 2011-02-18 20:45 - 00008680 _____ () C:\Windows\System32\prfh0816.dat
2014-01-26 11:42 - 2011-02-18 20:45 - 00006510 _____ () C:\Windows\System32\prfc0816.dat
2014-01-26 11:42 - 2011-02-18 20:40 - 00009070 _____ () C:\Windows\System32\perfh013.dat
2014-01-26 11:42 - 2011-02-18 20:40 - 00006648 _____ () C:\Windows\System32\perfc013.dat
2014-01-26 11:42 - 2011-02-18 20:35 - 00008758 _____ () C:\Windows\System32\perfh010.dat
2014-01-26 11:42 - 2011-02-18 20:35 - 00006430 _____ () C:\Windows\System32\perfc010.dat
2014-01-26 11:42 - 2011-02-18 20:29 - 00008890 _____ () C:\Windows\System32\perfh00C.dat
2014-01-26 11:42 - 2011-02-18 20:29 - 00006406 _____ () C:\Windows\System32\perfc00C.dat
2014-01-26 11:42 - 2011-02-18 20:24 - 00665812 _____ () C:\Windows\System32\perfh007.dat
2014-01-26 11:42 - 2011-02-18 20:24 - 00133992 _____ () C:\Windows\System32\perfc007.dat
2014-01-26 11:42 - 2011-02-18 20:19 - 00705100 _____ () C:\Windows\System32\perfh00A.dat
2014-01-26 11:42 - 2011-02-18 20:19 - 00141048 _____ () C:\Windows\System32\perfc00A.dat
2014-01-26 11:42 - 2009-07-13 21:13 - 03071028 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-01-26 11:40 - 2009-07-13 20:45 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-26 11:40 - 2009-07-13 20:45 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-19 13:19 - 2009-07-13 20:45 - 00276600 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-01-19 13:16 - 2013-11-26 02:30 - 00127066 _____ () C:\Windows\IE11_main.log
2014-01-19 13:09 - 2013-03-02 05:56 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-19 13:02 - 2011-04-12 18:33 - 00001124 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-19 12:19 - 2012-09-29 11:14 - 00000940 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2414324467-2871492347-4123017065-1001UA.job
2014-01-19 12:19 - 2012-09-29 11:14 - 00000918 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2414324467-2871492347-4123017065-1001Core.job
2014-01-19 07:07 - 2014-01-19 06:55 - 00002872 _____ () C:\Windows\System32\TmInstall.log
2014-01-19 06:57 - 2011-04-12 17:39 - 00168400 _____ () C:\Windows\PFRO.log
2014-01-19 06:55 - 2014-01-19 06:55 - 00004280 _____ () C:\Windows\SysWOW64\TmInstall.log
2014-01-19 06:54 - 2011-04-12 18:51 - 00000000 ____D () C:\ProgramData\Trend Micro
2014-01-19 06:51 - 2014-01-19 06:45 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-01-18 12:49 - 2013-08-21 10:34 - 00000000 ____D () C:\Windows\System32\MRT
2014-01-18 12:49 - 2011-10-23 10:19 - 86054176 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-01-17 16:08 - 2013-05-31 16:06 - 00106496 ____R () C:\Users\canpolat\AppData\Roaming\skype.dat
2014-01-04 15:02 - 2011-07-13 21:20 - 00000087 _____ () C:\setup.log

Files to move or delete:
====================
C:\Users\canpolat\AppData\Roaming\skype.dat
C:\Users\canpolat\AppData\Roaming\skype.ini


Some content of TEMP:
====================
C:\Users\canpolat\AppData\Local\Temp\devcon.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2011-12-05 12:31:40
Restore point made on: 2011-12-05 12:31:54
Restore point made on: 2011-12-05 12:31:56
Restore point made on: 2011-12-05 12:31:56
Restore point made on: 2011-12-05 12:32:21
Restore point made on: 2011-12-05 12:32:23
Restore point made on: 2011-12-05 12:32:24
Restore point made on: 2013-12-23 01:11:47
Restore point made on: 2013-12-23 03:37:44
Restore point made on: 2013-12-23 13:48:18
Restore point made on: 2013-12-24 05:35:13
Restore point made on: 2013-12-26 02:38:51
Restore point made on: 2013-12-26 06:24:53
Restore point made on: 2013-12-27 09:48:54
Restore point made on: 2013-12-28 15:09:20
Restore point made on: 2014-01-02 14:09:28
Restore point made on: 2014-01-03 13:35:19
Restore point made on: 2014-01-04 10:20:40
Restore point made on: 2014-01-04 12:15:39
Restore point made on: 2014-01-05 23:59:38
Restore point made on: 2014-01-06 01:19:39
Restore point made on: 2014-01-07 04:51:31
Restore point made on: 2014-01-09 11:58:52
Restore point made on: 2014-01-09 13:44:34
Restore point made on: 2014-01-16 11:50:54
Restore point made on: 2014-01-18 12:49:08
Restore point made on: 2014-01-18 14:31:22
Restore point made on: 2014-01-19 13:12:54
Restore point made on: 2014-01-31 10:19:42

==================== Memory info =========================== 

Percentage of memory in use: 15%
Total physical RAM: 3691.66 MB
Available physical RAM: 3116.46 MB
Total Pagefile: 3689.81 MB
Available Pagefile: 3098.01 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:128.18 GB) (Free:31 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:144.91 GB) (Free:144.77 GB) NTFS
Drive g: (canp) (Removable) (Total:1.8 GB) (Free:1.76 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 0CD9B3F5)
Partition 1: (Not Active) - (Size=25 GB) - (Type=1C)
Partition 2: (Active) - (Size=128 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=145 GB) - (Type=OF Extended)

========================================================
Disk: 2 (Size: 2 GB) (Disk ID: 920FBFA0)
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)


LastRegBack: 2012-06-08 03:35

==================== End Of Log ============================

Weisser Bildschirm Virus

Log-Analyse und Auswertung: Weisser Bildschirm Virus

Weisser Bildschirm Virus

Ähnliche Themen: Weisser Bildschirm Virus