
Log Analysis and Evaluation: BKA Interpol Trojan

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: see "First steps for help". Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

 
10.04.2014, 12:16   #1
IIluminat

BKA Interpol Trojan

Hi,
my neighbour has caught the good old Interpol Trojan.
Here are the logs from the FRST check.
Thanks in advance.
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01 (ATTENTION: ====> FRST version is 28 days old and could be outdated)
Ran by SYSTEM on MINWINPC on 10-04-2014 06:17:19
Running from G:\
Windows Vista (TM) Home Premium Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [MailCheck IE Broker] - C:\Program Files\WEB.DE MailCheck\IE\WEB.DE_MailCheck_Broker.exe [1766464 2013-10-16] (1und1 Mail und Media GmbH)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4956176 2013-11-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-21] (Avira Operations GmbH & Co. KG)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [972080 2008-09-30] (Hewlett-Packard)
HKU\Melzer\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\Melzer\...\Policies\system: [DisableLockWorkstation] 0
HKU\Melzer\...\Policies\system: [DisableChangePassword] 0
HKU\Melzer\...\Policies\system: [LogonHoursAction] 2
HKU\Melzer\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Melzer\...\Policies\Explorer: [NoLogoff] 0
Startup: C:\Users\Melzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kowodmqlf.lnk
ShortcutTarget: kowodmqlf.lnk -> C:\ProgramData\2992199F9A\flqmdowok.cpp (Grolsch Corporation)

========================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440400 2014-02-21] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-21] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1017424 2014-02-21] (Avira Operations GmbH & Co. KG)
S4 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2013-10-23] (APN LLC.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3478544 2013-11-11] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
S4 EPSON_EB_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [153600 2009-09-14] (SEIKO EPSON CORPORATION)
S4 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [121856 2009-09-14] (SEIKO EPSON CORPORATION)
S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-10-09] (Hewlett-Packard)
S2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1028904 2013-04-05] (iolo technologies, LLC)
S2 Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [365952 2008-10-06] ()
S4 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-09-15] ()
S4 usnjsvc; C:\Program Files\MSN Messenger\usnsvc.exe [97136 2007-01-19] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~2\Internet.exe [X]

==================== Drivers (Whitelisted) ====================

S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-05] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209176 2013-11-04] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147768 2013-10-24] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-17] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-10-01] (AVG Technologies CZ, s.r.o.)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [90400 2013-12-12] (Avira Operations GmbH & Co. KG)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [135648 2013-12-12] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-11-22] (Avira Operations GmbH & Co. KG)
S1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [26248 2013-04-05] (EldoS Corporation)
S2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2013-04-05] (Raxco Software, Inc.)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-11-22] (Avira GmbH)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS [X]
S3 NVHDA; system32\drivers\nvhda32v.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S1 SRTSP; \??\C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS [X]
S1 SRTSPX; \??\C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-10 06:17 - 2014-04-10 06:17 - 00000000 ____D () C:\FRST
2014-04-09 13:54 - 2014-04-10 03:49 - 00000000 ____D () C:\Program Files\WinZip Malware Protector
2014-04-09 13:54 - 2014-04-09 13:54 - 00000986 _____ () C:\Users\Public\Desktop\WinZip Malware Protector.lnk
2014-04-09 13:54 - 2014-04-09 13:54 - 00000986 _____ () C:\ProgramData\Desktop\WinZip Malware Protector.lnk
2014-04-09 13:54 - 2014-04-09 13:54 - 00000000 ____D () C:\ProgramData\Nico Mak Computing
2014-04-09 13:54 - 2013-03-15 16:01 - 00016384 _____ () C:\Windows\System32\wsusnative32.exe
2014-04-08 18:45 - 2014-04-10 04:52 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-03-15 03:16 - 2014-02-23 06:50 - 12347904 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-03-15 03:16 - 2014-02-23 06:47 - 01806848 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-03-15 03:16 - 2014-02-23 06:43 - 09739264 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-03-15 03:16 - 2014-02-23 06:41 - 01105408 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-03-15 03:16 - 2014-02-23 06:40 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-03-15 03:16 - 2014-02-23 06:39 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-03-15 03:16 - 2014-02-23 06:38 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2014-03-15 03:16 - 2014-02-23 06:38 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-03-15 03:16 - 2014-02-23 06:38 - 00065536 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-03-15 03:16 - 2014-02-23 06:37 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-03-15 03:16 - 2014-02-23 06:37 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-03-15 03:16 - 2014-02-23 06:37 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-03-15 03:16 - 2014-02-23 06:37 - 00421376 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2014-03-15 03:16 - 2014-02-23 06:36 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-03-15 03:16 - 2014-02-23 06:36 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-03-15 03:16 - 2014-02-23 06:35 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-03-14 03:38 - 2014-02-07 11:38 - 02050560 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-03-14 03:38 - 2014-02-03 11:37 - 00505344 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2014-03-14 03:38 - 2014-01-30 08:46 - 00876032 _____ (Microsoft Corporation) C:\Windows\System32\wer.dll
2014-03-14 03:37 - 2013-11-13 01:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\tzres.dll

==================== One Month Modified Files and Folders =======

2014-04-10 06:17 - 2014-04-10 06:17 - 00000000 ____D () C:\FRST
2014-04-10 04:57 - 2010-12-25 16:31 - 01532793 _____ () C:\Windows\WindowsUpdate.log
2014-04-10 04:52 - 2014-04-08 18:45 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-10 04:52 - 2006-11-02 13:47 - 00311720 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-04-10 04:51 - 2013-11-28 19:05 - 00048414 _____ () C:\ProgramData\nvModes.dat
2014-04-10 04:51 - 2013-11-28 19:05 - 00048414 _____ () C:\ProgramData\nvModes.001
2014-04-10 04:51 - 2006-11-02 13:47 - 00003216 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-10 04:51 - 2006-11-02 13:47 - 00003216 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-10 03:49 - 2014-04-09 13:54 - 00000000 ____D () C:\ProgramData\Nico Mak Computing
2014-04-10 03:49 - 2014-04-09 13:54 - 00000000 ____D () C:\Program Files\WinZip Malware Protector
2014-04-09 13:54 - 2014-04-09 13:54 - 00000986 _____ () C:\Users\Public\Desktop\WinZip Malware Protector.lnk
2014-04-09 13:54 - 2014-04-09 13:54 - 00000986 _____ () C:\ProgramData\Desktop\WinZip Malware Protector.lnk
2014-04-08 22:08 - 2013-10-26 02:24 - 00325308 _____ () C:\Windows\PFRO.log
2014-04-08 22:01 - 2011-01-01 18:31 - 00008268 _____ () C:\Users\Melzer\AppData\Local\d3d9caps.dat
2014-04-08 21:53 - 2012-05-13 15:25 - 00000000 ____D () C:\Users\Melzer\AppData\Roaming\WildTangent
2014-04-08 21:53 - 2008-10-27 08:41 - 00000000 ____D () C:\ProgramData\WildTangent
2014-03-19 03:20 - 2013-08-16 02:33 - 00000000 ____D () C:\Windows\System32\MRT
2014-03-19 03:16 - 2006-11-02 11:24 - 87350280 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2014-03-15 03:29 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\rescache
2014-03-15 03:14 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\System32\de-DE

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$8f194bdc553c72887cc7cb497d2048dc

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1761348043-3022951597-3060735382-1000\$8f194bdc553c72887cc7cb497d2048dc

Files to move or delete:
====================
C:\Users\Melzer\AppData\Roaming\skype.ini


Some content of TEMP:
====================
C:\Users\Melzer\AppData\Local\Temp\avgnt.exe
C:\Users\Melzer\AppData\Local\Temp\BackupSetup.exe
C:\Users\Melzer\AppData\Local\Temp\FileSystemView.dll
C:\Users\Melzer\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Melzer\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Melzer\AppData\Local\Temp\FlashPlayerUpdate02.exe
C:\Users\Melzer\AppData\Local\Temp\FlashPlayerUpdate03.exe
C:\Users\Melzer\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\Melzer\AppData\Local\Temp\HPQSi.exe
C:\Users\Melzer\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Melzer\AppData\Local\Temp\ndyuq_qg.dll
C:\Users\Melzer\AppData\Local\Temp\oi_{DCE5BC09-9F7C-4539-B324-FBB59591C17C}.exe
C:\Users\Melzer\AppData\Local\Temp\setup.exe
C:\Users\Melzer\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Melzer\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Melzer\AppData\Local\Temp\WEB.DE_Softwareaktualisierung_Setup.exe
C:\Users\Melzer\AppData\Local\Temp\WEB.DE_Toolbar_IE_Setup.exe
C:\Users\Melzer\AppData\Local\Temp\_is63B5.exe
C:\Users\Melzer\AppData\Local\Temp\_is9E52.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2014-02-23 14:46:00
Restore point made on: 2014-02-26 03:38:06
Restore point made on: 2014-02-28 03:00:47
Restore point made on: 2014-03-15 03:13:58
Restore point made on: 2014-03-19 03:16:05
Restore point made on: 2014-04-08 22:55:52

==================== Memory info =========================== 

Percentage of memory in use: 13%
Total physical RAM: 4062.26 MB
Available physical RAM: 3493.7 MB
Total Pagefile: 3746.93 MB
Available Pagefile: 3545.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1948.07 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:287.55 GB) (Free:197.76 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10.53 GB) (Free:1.74 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (STORE N GO) (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 7B2D0067)
Partition 1: (Active) - (Size=288 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 983 MB) (Disk ID: A9E1B5E3)

Partition: GPT Partition Type.


LastRegBack: 2014-04-10 04:59

==================== End Of Log ============================
         
Just so I understand: is the skype.ini infected?
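Added example, not part of IIluminat's post and not FRST's own code: a small Python triage script that applies, over a few lines copied from the log above, the checks a helper makes when reading an FRST log. It flags a Winlogon Userinit value that does not point at userinit.exe (the default), a svchost-hosted service such as Winmgmt whose ImagePath is a standalone file or is marked [X] (file missing), a Startup-folder shortcut whose target is a non-executable file in a hex-named ProgramData folder, the $Recycle.Bin\<SID>\$<32 hex> folder pattern FRST itself labels "ZeroAccess", and an empty, missing Run entry. The category names, the extension allow-list and the set of svchost-hosted services are this example's own assumptions; the sample lines are a constructed subset of the log.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [] - [X]
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-21] (Avira Operations GmbH & Co. KG)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\ezShellStart.exe
Startup: C:\Users\Melzer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kowodmqlf.lnk
ShortcutTarget: kowodmqlf.lnk -> C:\ProgramData\2992199F9A\flqmdowok.cpp (Grolsch Corporation)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-21] (Avira Operations GmbH & Co. KG)
S2 Winmgmt; C:\PROGRA~2\Internet.exe [X]
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$8f194bdc553c72887cc7cb497d2048dc
"""

# Assumption: extensions a legitimate Startup-folder shortcut normally targets.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msc"}
# Services Windows hosts inside svchost.exe; a standalone ImagePath means the
# service was repurposed (here Winmgmt, the WMI service, launching Internet.exe).
SVCHOST_SERVICES = {"winmgmt"}

RUN_RE = re.compile(r"^HK(?:LM|U)\\.*\\Run: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
USERINIT_RE = re.compile(r"Winlogon: \[Userinit\] (?P<path>.+)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: \S+ -> (?P<target>.+?)(?: \([^)]*\))?$")
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<rest>.+)$")
# $Recycle.Bin\<SID>\$<32 hex chars>: the folder pattern FRST labels "ZeroAccess".
ZEROACCESS_RE = re.compile(r"\\\$Recycle\.Bin\\.*\\\$[0-9a-f]{32}$", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for FRST lines matching an indicator."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            # Empty value name and [X] (file not found): an orphaned or wiped entry.
            if not m.group("name") or m.group("rest").strip() == "[X]":
                findings.append(("run-orphan", line))
            continue

        m = USERINIT_RE.search(line)
        if m:
            exe = ntpath.basename(m.group("path").rstrip(",").strip()).lower()
            if exe != "userinit.exe":
                findings.append(("userinit-hijack", f"Userinit -> {exe}: {line}"))
            continue

        m = SHORTCUT_RE.match(line)
        if m:
            target = m.group("target")
            ext = ntpath.splitext(target)[1].lower()
            folder = ntpath.basename(ntpath.dirname(target))
            reasons = []
            if ext not in EXEC_EXTS:
                reasons.append(f"non-executable target extension {ext!r}")
            if re.fullmatch(r"[0-9A-Fa-f]{8,}", folder):
                reasons.append(f"hex-named folder {folder!r}")
            if reasons:
                findings.append(("startup-shortcut", "; ".join(reasons) + f": {line}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name").lower(), m.group("rest")
            path = rest.split(" [")[0]
            reasons = []
            if name in SVCHOST_SERVICES and "svchost.exe" not in path.lower():
                reasons.append("svchost-hosted service with standalone ImagePath")
            if rest.endswith("[X]"):
                reasons.append("ImagePath file missing ([X])")
            if reasons:
                findings.append(("service-hijack", "; ".join(reasons) + f": {line}"))
            continue

        if ZEROACCESS_RE.search(line):
            findings.append(("zeroaccess-folder", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the full log rather than the sample, the same rules also surface the `[X]` driver entries (IpInIp, NAVENG, SRTSP, ...); those are usually stale leftovers of uninstalled software and rank below the Userinit, Winmgmt and Startup-shortcut hits when deciding what to fix first.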

 





