Log analysis and evaluation: Bundestrojaner, Windows does not start in Safe Mode (Windows 7)
#1
Bundestrojaner, Windows does not start in Safe Mode

My buddy caught the Bundestrojaner. I wanted to boot into Safe Mode, but it hangs on the line "windows\system32\drivers\aswrvrt.sys". I ran FRST on it; here is the log file:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-04-2014 03
Ran by SYSTEM on MININT-OK2ITK0 on 27-04-2014 09:45:53
Running from E:\
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1594664 2010-04-12] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] => C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [83240 2010-04-12] (Synaptics Incorporated)
HKLM\...\Run: [EeeSplendidAgent] => C:\Program Files\ASUS\EPC\EeeSplendid\AsAgent.exe
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [HotkeyMon] => C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe [100328 2009-09-11] (ASUSTeK Computer Inc.)
HKLM\...\Run: [HotkeyService] => C:\Program Files\EeePC\HotkeyService\HotkeyService.exe [1166768 2010-04-07] (ASUSTeK Computer Inc.)
HKLM\...\Run: [SuperHybridEngine] => C:\Program Files\EeePC\SHE\SuperHybridEngine.exe [413688 2009-10-26] (ASUSTeK Computer Inc.)
HKLM\...\Run: [LiveUpdate] => C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe [1095080 2011-07-12] (AsusTek Computer Inc.)
HKLM\...\Run: [CapsHook] => C:\Program Files\EeePC\CapsHook\CapsHook.exe [439712 2010-03-09] (ASUS)
HKLM\...\Run: [Eee Docking] => C:\Program Files\ASUS\Eee Docking\Eee Docking.exe [415920 2010-03-29] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [8555040 2010-04-09] (Realtek Semiconductor)
HKLM\...\Run: [Boingo Wi-Fi] => C:\Program Files\Boingo\Boingo Wi-Fi\Boingo.lnk [2429 2010-10-09] ()
HKLM\...\Run: [ASUSPRP] => C:\Program Files\ASUS\APRP\APRP.EXE [2018032 2010-04-26] (ASUSTek Computer Inc.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [avast] => C:\Program Files\Alwil Software\Avast5\avastUI.exe [4858968 2013-05-09] (AVAST Software)
HKLM\...\Run: [ASUSWebStorage] => C:\Program Files\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe [740736 2012-08-03] (ASUS Cloud Corporation)
HKU\Default\...\RunOnce: [Reboot] - AsusSender.exe C:\Windows\AP\Reboot.exe 60
HKU\Default User\...\RunOnce: [Reboot] - AsusSender.exe C:\Windows\AP\Reboot.exe 60
HKU\Roland Gerlach\...\Run: [Google Update] => C:\Users\Roland Gerlach\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-08-04] (Google Inc.)
HKU\Roland Gerlach\...\Run: [msnmsgr] => C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation)
Startup: C:\Users\Roland Gerlach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lcgod8zse.lnk
ShortcutTarget: lcgod8zse.lnk -> C:\ProgramData\2992199F9A\esz8dogcl.cpp (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 AsusService; C:\Windows\System32\AsusService.exe [219136 2009-08-18] ()
S2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S2 KMService; C:\windows\system32\srvany.exe [8192 2003-04-18] ()
S2 Winmgmt; C:\ProgramData\2992199F9A\esz8dogcl.cpp [139337 2014-04-24] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S1 AsUpIO; C:\Windows\System32\drivers\AsUpIO.sys [11832 2011-02-09] ()
S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-05-09] (AVAST Software)
S1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [21576 2013-03-06] (AVAST Software)
S2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [66336 2013-05-09] (AVAST Software)
S1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [61680 2013-05-09] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-05-09] ()
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-06-28] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-06-28] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-05-09] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [175176 2013-06-28] ()
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [13880 2010-04-12] ( )

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-27 09:45 - 2014-04-27 09:45 - 00000000 ____D () C:\FRST
2014-04-24 11:05 - 2014-04-26 23:06 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-09 13:11 - 2014-03-04 01:17 - 00868352 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2014-04-09 13:11 - 2014-02-03 18:07 - 00234432 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\msiscsi.sys
2014-04-09 13:11 - 2014-02-03 18:07 - 00149440 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys
2014-04-09 13:11 - 2014-02-03 18:07 - 00027072 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Diskdump.sys
2014-04-09 13:11 - 2014-02-03 18:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\iologmsg.dll
2014-04-09 13:11 - 2014-01-23 18:18 - 01212352 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2014-04-05 01:28 - 2014-04-05 01:28 - 00011804 _____ () C:\Users\Roland Gerlach\Documents\Ord123.xlsx

==================== One Month Modified Files and Folders =======

2014-04-27 09:45 - 2014-04-27 09:45 - 00000000 ____D () C:\FRST
2014-04-26 23:31 - 2009-07-13 20:39 - 00156868 _____ () C:\Windows\setupact.log
2014-04-26 23:14 - 2009-07-13 20:34 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-26 23:14 - 2009-07-13 20:34 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-26 23:07 - 2011-12-29 11:56 - 00000000 ____D () C:\Users\Roland Gerlach\Tracing
2014-04-26 23:06 - 2014-04-24 11:05 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-26 22:58 - 2010-10-09 17:51 - 01325497 _____ () C:\Windows\WindowsUpdate.log
2014-04-26 22:53 - 2013-11-19 14:07 - 02012162 _____ () C:\Windows\IE11_main.log
2014-04-21 17:09 - 2013-04-30 17:06 - 01010761 _____ () C:\Windows\IE10_main.log
2014-04-21 10:09 - 2009-07-24 23:50 - 01620684 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-18 07:50 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache
2014-04-11 11:18 - 2011-08-12 23:23 - 00002367 _____ () C:\Users\Roland Gerlach\Desktop\Google Chrome.lnk
2014-04-10 12:47 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\de-DE
2014-04-09 14:35 - 2010-04-26 04:59 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 14:29 - 2013-08-13 10:32 - 00000000 ____D () C:\Windows\System32\MRT
2014-04-09 14:29 - 2010-11-08 12:48 - 88028728 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-04-05 01:29 - 2014-01-26 04:07 - 00012337 _____ () C:\Users\Roland Gerlach\Documents\ord122.xlsx
2014-04-05 01:28 - 2014-04-05 01:28 - 00011804 _____ () C:\Users\Roland Gerlach\Documents\Ord123.xlsx

Files to move or delete:
====================
C:\ProgramData\4693231.pad

Some content of TEMP:
====================
C:\Users\Roland Gerlach\AppData\Local\Temp\$browser$.update.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\atl80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\bwr.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\DataCard_Setup.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\FlashPlayerUpdate01.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\mfc80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\mfc80u.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\mfcm80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\mfcm80u.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\msvcm80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\msvcp80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\msvcr80.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\ose00000.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\ResetDevice.exe
C:\Users\Roland Gerlach\AppData\Local\Temp\TmDbg32.dll
C:\Users\Roland Gerlach\AppData\Local\Temp\Uni000.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2014-04-19 15:52:23
Restore point made on: 2014-04-20 16:34:10
Restore point made on: 2014-04-21 06:47:11
Restore point made on: 2014-04-21 17:07:45
Restore point made on: 2014-04-22 13:53:22
Restore point made on: 2014-04-26 22:50:10

==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 1014.18 MB
Available physical RAM: 631.83 MB
Total Pagefile: 1014.18 MB
Available Pagefile: 636.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.95 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:100 GB) (Free:52.39 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:117.86 GB) (Free:117.62 GB) NTFS
Drive e: () (Removable) (Total:1.88 GB) (Free:1.56 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 29133921)
Partition 1: (Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=15 GB) - (Type=1B)
Partition 3: (Not Active) - (Size=118 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=20 MB) - (Type=EF)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 04DD5721)
Partition 1: (Active) - (Size=2 GB) - (Type=06)

LastRegBack: 2014-04-21 10:57

==================== End Of Log ============================
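As an added triage example (not from the original post and not part of FRST): a small Python script that parses FRST Run, service/driver and ShortcutTarget lines and flags image paths outside the usual install locations, images with a non-executable extension, or a built-in svchost-hosted service pointing elsewhere. The sample lines are copied from the log above; the trusted roots assume a default C: installation.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines copied verbatim from the FRST log in the post above.
SAMPLE_LOG = """\
HKLM\\...\\Run: [avast] => C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe [4858968 2013-05-09] (AVAST Software)
ShortcutTarget: lcgod8zse.lnk -> C:\\ProgramData\\2992199F9A\\esz8dogcl.cpp (Microsoft Corporation)
S2 AsusService; C:\\Windows\\System32\\AsusService.exe [219136 2009-08-18] ()
S2 Winmgmt; C:\\ProgramData\\2992199F9A\\esz8dogcl.cpp [139337 2014-04-24] (Microsoft Corporation)
S0 aswRvrt; C:\\Windows\\System32\\Drivers\\aswRvrt.sys [49376 2013-05-09] ()
"""

# Where services and autostarts of installed software normally live (assumption: default C: install).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXT = (".exe", ".sys", ".dll")
# Built-in Windows services that run inside svchost.exe; Winmgmt (WMI) is one of them.
SVCHOST_HOSTED = {"winmgmt"}

RUN_RE = re.compile(r"^HK.*\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) \[")
SVC_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.+?) \[")
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<path>.+?) \(")

def suspicious_reasons(name: str, path: str) -> List[str]:
    """Reasons an autostart/service image looks out of place; an empty list means nothing odd."""
    low = path.lower()
    reasons = []
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("image outside Windows/Program Files")
    if not low.endswith(EXEC_EXT):
        reasons.append("non-executable extension used as image")
    if name.lower() in SVCHOST_HOSTED and "svchost.exe" not in low:
        reasons.append("built-in service not hosted by svchost.exe")
    return reasons

def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (entry name, image path, reason) for every FRST Run/service/shortcut line worth a look."""
    hits = []
    for line in log.splitlines():
        for rx in (RUN_RE, SVC_RE, LNK_RE):
            m = rx.match(line)
            if m:
                hits += [(m["name"], m["path"], r) for r in suspicious_reasons(m["name"], m["path"])]
                break
    return hits

if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_LOG):
        print(f"{name:<16} {reason:<45} {path}")
```

On the sample it reports only the startup shortcut and the Winmgmt service, both pointing at the same .cpp file under C:\ProgramData; the avast and ASUS entries pass.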