Windows 7: GVU/BKA Trojaner mit Sperrbildschirm

Decoho · 28.06.2014, 13:34

Guten Tag.

Ich habe mir beim surfen leider den oben genannten Trojaner eingefangen. Ich bin somit stolzer Besitzer eines Bildes der Kanzlerin auf meinem Sperrbildschirm. Nach durchlesen einiger Beiträge bzw. Anleitungen habe ich bereits versucht in den abgesicherten Modus zu gelangen (mit und ohne Eingabe), alles ohne Erfolg. Sämtliche Versuche führten lediglich wieder zum Sperrbildschirm oder aber zur Eingabemaske für mein Passwort. Ich habe daraufhin nach Anleitung das Farbar Recovery Scan Tool benutzt um einen Logfile zu erzeugen. Über Hilfe würde ich mich sehr freuen.

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-05-2014 (ATTENTION: ====> FRST version is 55 days old and could be outdated)
Ran by SYSTEM on MININT-SUA4DNP on 28-06-2014 11:20:46
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ 
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9644576 2009-12-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDRShortCut] => C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [222504 2008-01-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePPShortCut] => C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [210216 2009-07-20] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] => C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [Samsung PanelMgr] => C:\windows\Samsung\PanelMgr\ssmmgr.exe [606208 2009-08-27] ()
HKLM-x32\...\Run: [UnlockerAssistant] => "C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe"
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-01-27] (McAfee, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-01-27] (McAfee, Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll [1355552 2014-04-08] (Conduit)
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [1050912 2014-04-08] (Conduit)
AppInit_DLLs-x32:  c:\progra~2\optimi~1\optpro~1.dll => C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll [1651696 2013-06-21] ()
Startup: C:\Users\Kati\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\Kati\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eysj6hr.lnk
ShortcutTarget: eysj6hr.lnk -> C:\ProgramData\2992199F9A\rh6jsye.cpp (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2470688 2014-04-08] (Conduit)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-01-27] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025712 2014-01-20] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-01-26] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [185792 2014-01-26] (McAfee, Inc.)
S2 MOBKbackup; C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [231224 2010-04-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-07] ()
S2 Winmgmt; C:\ProgramData\2992199F9A\eysj6hr.faa [332020 2014-04-16] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70592 2014-01-26] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-01-26] (McAfee, Inc.)
S2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-01-26] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [520696 2014-01-26] (McAfee, Inc.)
S2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [783864 2014-01-26] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [422712 2014-01-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-01-20] (McAfee, Inc.)
S2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344688 2014-01-26] (McAfee, Inc.)
S1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [66040 2010-04-13] (Mozy, Inc.)
S3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
S2 DgiVecp; \??\C:\windows\system32\Drivers\DgiVecp.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-28 11:20 - 2014-06-28 11:20 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-06-28 11:20 - 2014-06-28 11:20 - 00000000 ____D () C:\FRST
2014-06-28 01:08 - 2011-12-03 10:03 - 00000000 ___RD () C:\Users\Kati\Dropbox
2014-06-28 01:08 - 2011-12-03 10:00 - 00000000 ____D () C:\Users\Kati\AppData\Roaming\Dropbox
2014-06-28 01:08 - 2011-03-29 10:05 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-28 01:08 - 2011-03-29 10:05 - 00001102 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-28 01:07 - 2014-04-16 12:23 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-06-28 01:07 - 2010-10-06 00:21 - 00000380 _____ () C:\Windows\Tasks\Registry Reviver64-Kati-Startup.job
2014-06-28 01:06 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-28 01:06 - 2009-07-13 20:51 - 00192807 _____ () C:\Windows\setupact.log
2014-06-28 01:03 - 2011-03-29 10:05 - 00004102 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-28 01:03 - 2011-03-29 10:05 - 00003850 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-28 01:03 - 2010-04-01 08:43 - 01772572 _____ () C:\Windows\WindowsUpdate.log
2014-06-28 01:03 - 2009-07-13 20:45 - 00014144 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-28 01:03 - 2009-07-13 20:45 - 00014144 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

Files to move or delete:
====================
C:\Users\Kati\FreeVideoToMP3Converter5.0.30.1029.exe
C:\Users\Kati\VideoDownloadConvert.exe
C:\Users\Kati\xmind-win-3.2.1.201011212218.exe


Some content of TEMP:
====================
C:\Users\Kati\AppData\Local\Temp\alJz.dll
C:\Users\Kati\AppData\Local\Temp\nsaDC14.exe
C:\Users\Kati\AppData\Local\Temp\nsfDFDC.exe
C:\Users\Kati\AppData\Local\Temp\nsl985D.exe
C:\Users\Kati\AppData\Local\Temp\nsq9D5D.exe
C:\Users\Kati\AppData\Local\Temp\SPSetup.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================


==================== Memory info =========================== 

Percentage of memory in use: 14%
Total physical RAM: 4094.23 MB
Available physical RAM: 3484.06 MB
Total Pagefile: 4092.38 MB
Available Pagefile: 3479.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:82.07 GB) (Free:26.54 GB) NTFS
Drive e: () (Fixed) (Total:200.92 GB) (Free:134.98 GB) NTFS
Drive f: (RECOVERY) (Fixed) (Total:15 GB) (Free:1.1 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: (HOPKINS) (Removable) (Total:3.63 GB) (Free:0.15 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 096716B2)
Partition 1: (Not Active) - (Size=15 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=82 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=201 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0C)


LastRegBack: 2013-02-15 06:55

==================== End Of Log ============================

Windows 7: GVU/BKA Trojaner mit Sperrbildschirm

Log-Analyse und Auswertung: Windows 7: GVU/BKA Trojaner mit Sperrbildschirm

Windows 7: GVU/BKA Trojaner mit Sperrbildschirm

Ähnliche Themen: Windows 7: GVU/BKA Trojaner mit Sperrbildschirm