Log analysis and evaluation: Persistent BKA trojan, Kaspersky fails, System Restore aborts... Netbook (Windows 7)

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
25.06.2014, 15:32 | #1

Persistent BKA trojan, Kaspersky fails, System Restore aborts... Netbook

hello, I have my uncle's netbook here... the Bundestrojaner or BKA trojan we all know has got him... this time on his netbook (the trojan was already on his notebook, but it came off without any problems there). On the little Acer netbook with Windows 7 and an Atom processor, nothing that usually works wants to succeed for me!!! :/ neither System Restore, nor the Kaspersky tool, nor other tricks... I hope you can help me along a bit here!!! The FRST log file:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-06-2014
Ran by SYSTEM on MININT-2GOT5UF on 25-06-2014 16:18:02
Running from G:\
Platform: Windows 7 Starter (X86) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [SuiteTray] => C:\Program Files\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-05-26] (Egis Technology Inc.)
HKLM\...\Run: [EgisUpdate] => C:\Program Files\EgisTec IPS\EgisUpdate.exe [201584 2010-03-10] (Egis Technology Inc.)
HKLM\...\Run: [EgisTecPMMUpdate] => C:\Program Files\EgisTec IPS\PmmUpdate.exe [407920 2010-03-10] (Egis Technology Inc.)
HKLM\...\Run: [mwlDaemon] => C:\Program Files\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-05-26] (Egis Technology Inc.)
HKLM\...\Run: [Norton Online Backup] => C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe [966488 2010-06-01] (Symantec Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9874024 2010-11-18] (Realtek Semiconductor)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [975952 2010-08-10] (Dritek System Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1692968 2010-02-05] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files\Bluetooth Suite\BtvStack.exe [486560 2010-09-27] (Atheros Communications)
HKLM\...\Run: [AthBtTray] => C:\Program Files\Bluetooth Suite\AthBtTray.exe [302240 2010-09-27] (Atheros Commnucations)
HKLM\...\Run: [iSyncData] => C:\Program Files\Acer\Android Manager\iSync.exe [407416 2011-02-09] (Insyde Software Corp.)
HKLM\...\Run: [AndroidManager] => C:\Program Files\Acer\Android Manager\AML.exe [508280 2011-02-09] ()
HKLM\...\Run: [iPatchData] => C:\Program Files\Acer\Updater\iUpdate.exe [489848 2011-02-09] (Insyde Software Corp.)
HKLM\...\Run: [Microsoft Default Manager] => C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [714120 2011-01-05] (Acer Incorporated)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [737872 2014-05-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [ApnTBMon] => C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758160 2014-02-12] (APN)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files\Acer\Screensaver\run_Acer.exe [154144 2010-07-29] ()
ShellIconOverlayIdentifiers: egisPSDP -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\EgisTec MyWinLocker\x86\psdprotect.dll (Egis Technology Inc.)

========================== Services (Whitelisted) =================
S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [430160 2014-05-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [430160 2014-05-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\avwebg7.exe [1039952 2014-05-27] (Avira Operations GmbH & Co. KG)
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-02-12] (APN LLC.)
S2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [734592 2011-01-05] (Acer Incorporated)
S2 GREGService; C:\Program Files\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
S3 MWLService; C:\Program Files\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-05-26] (Egis Technology Inc.)
S2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [2057560 2010-06-01] (Symantec Corporation)
S2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)
S2 Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
S2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================
S3 AthBTPort; C:\Windows\System32\DRIVERS\btath_flt.sys [37224 2010-09-27] (Atheros)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [93528 2014-05-27] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [136216 2014-05-27] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-09-30] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [69240 2014-02-21] (Avira Operations GmbH & Co. KG)
S3 BTATH_A2DP; C:\Windows\System32\drivers\btath_a2dp.sys [260968 2010-09-27] (Atheros)
S3 BTATH_BUS; C:\Windows\System32\DRIVERS\btath_bus.sys [26984 2010-09-27] (Atheros)
S3 BTATH_HCRP; C:\Windows\System32\DRIVERS\btath_hcrp.sys [178024 2010-09-27] (Atheros)
S3 BTATH_LWFLT; C:\Windows\System32\DRIVERS\btath_lwflt.sys [51560 2010-09-27] (Atheros)
S3 BTATH_RCP; C:\Windows\System32\DRIVERS\btath_rcp.sys [143336 2010-09-27] (Atheros)
S3 BtFilter; C:\Windows\System32\DRIVERS\btfilter.sys [242024 2010-09-27] (Atheros)
S3 EUCR; C:\Windows\system32\DRIVERS\EUCR6SK.SYS [82768 2010-06-16] (ENE Technology Inc.)
S1 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [18992 2009-06-02] (Egis Technology Inc.)
S1 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16432 2009-06-02] (Egis Technology Inc.)
S1 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [60976 2009-06-02] (Egis Technology Inc.)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-09-30] (Avira GmbH)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-06-25 16:17 - 2014-06-25 16:18 - 00000000 ____D () C:\FRST
2014-06-25 05:10 - 2014-06-25 05:17 - 00000909 _____ () C:\ProgramData\RUNDLL32.EXE-1240-F.txt
2014-06-25 05:04 - 2014-06-25 05:07 - 00000515 _____ () C:\ProgramData\RUNDLL32.EXE-2352-F.txt
2014-06-25 00:37 - 2014-06-25 01:21 - 00005922 _____ () C:\ProgramData\RUNDLL32.EXE-1348-F.txt
2014-06-25 00:27 - 2014-06-25 00:27 - 00000114 _____ () C:\ProgramData\RUNDLL32.EXE-2188-F.txt
2014-06-24 07:00 - 2014-06-24 07:00 - 00000299 _____ () C:\ProgramData\RUNDLL32.EXE-1964-F.txt
2014-06-23 10:02 - 2014-06-23 10:02 - 00000531 _____ () C:\ProgramData\RUNDLL32.EXE-1436-F.txt
2014-06-22 10:59 - 2014-06-22 11:00 - 00000543 _____ () C:\ProgramData\RUNDLL32.EXE-1912-F.txt
2014-06-22 10:24 - 2014-06-22 10:25 - 00000709 _____ () C:\ProgramData\RUNDLL32.EXE-2476-F.txt
2014-06-22 08:47 - 2014-06-22 08:51 - 00002157 _____ () C:\ProgramData\RUNDLL32.EXE-1580-F.txt
2014-06-20 10:06 - 2014-06-24 23:44 - 00008771 _____ () C:\ProgramData\RUNDLL32.EXE-2140-F.txt
2014-06-20 10:01 - 2014-06-20 10:03 - 00001322 _____ () C:\ProgramData\RUNDLL32.EXE-2512-F.txt
2014-06-20 09:52 - 2014-06-20 09:52 - 00000000 ____D () C:\ProgramData\C4AD2479E048FE6520DE8B89ACDE07D6
2014-05-28 22:40 - 2014-06-13 07:10 - 00000000 ____D () C:\Windows\System32\MRT

==================== One Month Modified Files and Folders =======
2014-06-25 16:18 - 2014-06-25 16:17 - 00000000 ____D () C:\FRST
2014-06-25 15:59 - 2014-05-02 08:25 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-06-25 15:59 - 2011-08-21 08:43 - 00000000 ____D () C:\users\Gudrun Unseld
2014-06-25 15:59 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\wfp
2014-06-25 15:59 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache
2014-06-25 15:59 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\AppCompat
2014-06-25 15:59 - 2009-07-13 18:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-06-25 15:57 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\registration
2014-06-25 15:55 - 2011-09-23 09:18 - 00000000 ____D () C:\Users\Gudrun Unseld\AppData\Local\Adobe
2014-06-25 05:17 - 2014-06-25 05:10 - 00000909 _____ () C:\ProgramData\RUNDLL32.EXE-1240-F.txt
2014-06-25 05:14 - 2011-12-09 10:40 - 00000000 ____D () C:\Users\Gudrun Unseld\AppData\Local\CrashDumps
2014-06-25 05:07 - 2014-06-25 05:04 - 00000515 _____ () C:\ProgramData\RUNDLL32.EXE-2352-F.txt
2014-06-25 01:21 - 2014-06-25 00:37 - 00005922 _____ () C:\ProgramData\RUNDLL32.EXE-1348-F.txt
2014-06-25 00:27 - 2014-06-25 00:27 - 00000114 _____ () C:\ProgramData\RUNDLL32.EXE-2188-F.txt
2014-06-24 23:44 - 2014-06-20 10:06 - 00008771 _____ () C:\ProgramData\RUNDLL32.EXE-2140-F.txt
2014-06-24 07:00 - 2014-06-24 07:00 - 00000299 _____ () C:\ProgramData\RUNDLL32.EXE-1964-F.txt
2014-06-23 10:02 - 2014-06-23 10:02 - 00000531 _____ () C:\ProgramData\RUNDLL32.EXE-1436-F.txt
2014-06-22 11:00 - 2014-06-22 10:59 - 00000543 _____ () C:\ProgramData\RUNDLL32.EXE-1912-F.txt
2014-06-22 10:25 - 2014-06-22 10:24 - 00000709 _____ () C:\ProgramData\RUNDLL32.EXE-2476-F.txt
2014-06-22 08:51 - 2014-06-22 08:47 - 00002157 _____ () C:\ProgramData\RUNDLL32.EXE-1580-F.txt
2014-06-20 10:03 - 2014-06-20 10:01 - 00001322 _____ () C:\ProgramData\RUNDLL32.EXE-2512-F.txt
2014-06-20 09:52 - 2014-06-20 09:52 - 00000000 ____D () C:\ProgramData\C4AD2479E048FE6520DE8B89ACDE07D6
2014-06-13 07:10 - 2014-05-28 22:40 - 00000000 ____D () C:\Windows\System32\MRT
2014-05-28 22:39 - 2011-03-01 01:12 - 01749264 _____ () C:\Windows\WindowsUpdate.log
2014-05-28 22:08 - 2009-07-13 20:34 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-28 22:08 - 2009-07-13 20:34 - 00009696 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-28 21:59 - 2011-03-01 01:44 - 00000035 _____ () C:\Users\Public\Documents\AtherosServiceConfig.ini
2014-05-28 21:59 - 2009-07-13 20:39 - 00107205 _____ () C:\Windows\setupact.log
2014-05-27 04:40 - 2014-02-21 04:26 - 00136216 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2014-05-27 04:40 - 2014-02-21 04:26 - 00093528 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys

Some content of TEMP:
====================
C:\Users\Gudrun Unseld\AppData\Local\Temp\avgnt.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================
Restore point made on: 2014-04-19 22:22:35
Restore point made on: 2014-04-20 22:33:47
Restore point made on: 2014-04-21 05:17:16
Restore point made on: 2014-04-21 08:18:58
Restore point made on: 2014-04-26 05:31:28
Restore point made on: 2014-04-28 03:40:32
Restore point made on: 2014-05-02 08:00:21
Restore point made on: 2014-05-03 22:10:33
Restore point made on: 2014-05-16 10:05:12
Restore point made on: 2014-05-28 22:39:40
Restore point made on: 2014-06-08 09:06:36
Restore point made on: 2014-06-13 06:51:25
Restore point made on: 2014-06-24 23:38:01
Restore point made on: 2014-06-24 23:43:33
Restore point made on: 2014-06-24 23:43:38
Restore point made on: 2014-06-24 23:43:39
Restore point made on: 2014-06-24 23:43:40
Restore point made on: 2014-06-24 23:43:47
Restore point made on: 2014-06-24 23:43:50
Restore point made on: 2014-06-24 23:43:51

==================== Memory info ===========================
Percentage of memory in use: 48%
Total physical RAM: 1013.09 MB
Available physical RAM: 519.5 MB
Total Pagefile: 1013.09 MB
Available Pagefile: 515.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.23 MB

==================== Drives ================================
Drive c: (Acer) (Fixed) (Total:215.79 GB) (Free:179.7 GB) NTFS
Drive e: () (Fixed) (Total:4 GB) (Free:2.66 GB) FAT32
Drive f: (PQSERVICE) (Fixed) (Total:13 GB) (Free:2.7 GB) NTFS
Drive g: () (Removable) (Total:3.91 GB) (Free:2.39 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: A9AFBF7F)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Not Active) - (Size=4 GB) - (Type=0C)
Partition 3: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=216 GB) - (Type=OF Extended)
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: 8D3FD562)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

LastRegBack: 2014-06-24 23:30

==================== End Of Log ============================
25.06.2014, 16:32 | #2

/// the machine /// TB-Ausbilder | Persistent BKA trojan, Kaspersky fails, System Restore aborts... Netbook

hi,
is the machine locked immediately at boot? Is Safe Mode not possible?
25.06.2014, 20:07 | #4

Persistent BKA trojan, Kaspersky fails, System Restore aborts... Netbook

hi hi. so I can start Safe Mode, but even there the demand for the Paysafecard appears, along with a webcam window with an Interpol or Federal Office background
26.06.2014, 20:25 | #5

/// the machine /// TB-Ausbilder | Persistent BKA trojan, Kaspersky fails, System Restore aborts... Netbook

a fresh FRST scan from Recovery please, but first untick all the boxes under Whitelist.

Regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!