| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: BKA Trojaner, Windows fährt im abgesicherten Modus wieder runterWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
09.09.2014, 12:49
| #1 |
 |  BKA Trojaner, Windows fährt im abgesicherten Modus wieder runter Hallo, ich habe mir auf meienm Windows 7 den BKA Trojaner mit dem Merkelbild eingefangen. Der Rechner fährt leider auch im abgesicherten Modus wieder runter. Ich habe die von FRST die Datei erstellen lassen. FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-09-2014 01
Ran by SYSTEM on MININT-JJVIMHG on 09-09-2014 13:35:02
Running from I:\
Platform: Windows 7 Ultimate (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8095776 2009-08-31] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] => C:\Windows\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [VitaKeyPdtWzd] => C:\Program Files (x86)\Acer Bio Protection\PdtWzd.exe [3570176 2009-09-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [DataCardMonitor] => C:\Program Files (x86)\T-Mobile\T-Mobile Internet Manager\DataCardMonitor.exe [253952 2010-07-12] (Huawei Technologies Co., Ltd.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-09-26] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\InprocServer32: [Default-wbemess] \\.\globalroot\systemroot\Installer\{d45cd161-b482-47af-506b-450c5f535931}\n. ATTENTION! ====> ZeroAccess?
HKU\Administrator\...\Run: [HW_OPENEYE_OUC_T-Mobile Internet Manager] => C:\Program Files (x86)\T-Mobile\T-Mobile Internet Manager\UpdateDog\ouc.exe [110592 2009-12-31] (Huawei Technologies Co., Ltd.)
HKU\Administrator\...\Run: [BrowserMask] => C:\Program Files (x86)\AntiBrowserSpy\AntiBrowserSpyBrowserMaske.exe [101280 2011-06-21] (Microsoft)
HKU\Administrator\...\Run: [Giupmoal] => C:\Users\Administrator\AppData\Roaming\Xuiwi\xila.exe [241664 2011-09-25] (Acronis)
Lsa: [Notification Packages] C:\Program Files (x86)\Acer Bio Protection\PwdFilterV64
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MFT VCDS Updater.lnk
ShortcutTarget: MFT VCDS Updater.lnk -> C:\Diagnosetool\VCDS-MFT\VCDS.exe (No File)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\48B46F9.cpp ()
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ross-Tech VCDS DRV Updater.lnk
ShortcutTarget: Ross-Tech VCDS DRV Updater.lnk -> C:\VCDS-Dt\VCDS.exe (No File)
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 IGBASVC; C:\Program Files (x86)\Acer Bio Protection\BASVC.exe [3449856 2009-09-05] (Egis Technology Inc.)
S2 JWC; C:\Program Files (x86)\Jeppesen\JWC\JWC.exe [510512 2012-02-23] (Jeppesen)
S2 nHancer; C:\Program Files\nHancer\nHancerService.exe [39424 2009-10-04] (KSE - Korndörfer Software Engineering)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
S2 Winmgmt; C:\ProgramData\9F64B84.dot [332532 2014-09-09] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S3 azvusb; C:\Windows\System32\DRIVERS\azvusb.sys [54784 2009-08-24] (AzureWave Technologies, Inc.)
S3 ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [14032 2006-12-14] (Elaborate Bytes AG)
S3 ElbyDelay; C:\Windows\SysWOW64\Drivers\ElbyDelay.sys [14032 2006-12-14] (Elaborate Bytes AG)
S5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [243200 2009-10-21] (Huawei Technologies Co., Ltd.)
S3 FTDIBUS; C:\Windows\System32\drivers\ai-usb.sys [68608 2012-06-07] (FTDI Ltd.)
S3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [114304 2009-10-12] (Huawei Technologies Co., Ltd.)
S2 int15; C:\Windows\SysWOW64\drivers\int15_64.sys [15656 2008-09-09] ()
S3 mod7700; C:\Windows\System32\DRIVERS\mod7700.sys [698376 2008-06-26] (DiBcom SA)
S3 MODRC; C:\Windows\System32\DRIVERS\modrc.sys [24200 2007-10-19] (DiBcom S.A.)
S3 nuvotoncir; C:\Windows\System32\DRIVERS\nuvotoncir.sys [48128 2009-06-24] (Nuvoton Technology Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-09 13:34 - 2014-09-09 13:35 - 00000000 ____D () C:\FRST
2014-09-09 10:48 - 2014-09-09 10:48 - 00332532 ____T (Microsoft Corporation) C:\ProgramData\9F64B84.dot
2014-09-09 10:46 - 2014-09-09 10:46 - 00135168 _____ () C:\ProgramData\48B46F9.cpp
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-09 13:35 - 2014-09-09 13:34 - 00000000 ____D () C:\FRST
2014-09-09 12:30 - 2012-04-27 18:58 - 00001124 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-09 12:30 - 2012-04-03 09:52 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-09 11:23 - 2014-08-05 17:45 - 00000408 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Administrator.job
2014-09-09 11:23 - 2012-04-27 18:58 - 00001120 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-09 11:23 - 2010-02-27 14:51 - 01547481 _____ () C:\Windows\WindowsUpdate.log
2014-09-09 11:19 - 2014-08-05 17:34 - 00000560 _____ () C:\Windows\setupact.log
2014-09-09 11:19 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-09 11:09 - 2009-07-14 05:45 - 00014016 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-09 11:09 - 2009-07-14 05:45 - 00014016 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-09 10:48 - 2014-09-09 10:48 - 00332532 ____T (Microsoft Corporation) C:\ProgramData\9F64B84.dot
2014-09-09 10:46 - 2014-09-09 10:46 - 00135168 _____ () C:\ProgramData\48B46F9.cpp
2014-09-09 10:30 - 2010-03-27 12:41 - 00003962 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{8AD3AB99-145F-4619-B3CA-9EC578688A25}
2014-08-19 16:46 - 2014-08-05 17:45 - 00000402 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Administrator.job
2014-08-19 16:40 - 2012-03-05 13:08 - 00000000 ____D () C:\Users\Administrator\Documents\Bewerbungen
ZeroAccess:
C:\Windows\Installer\{d45cd161-b482-47af-506b-450c5f535931}
C:\Windows\Installer\{d45cd161-b482-47af-506b-450c5f535931}\@
ZeroAccess:
C:\Users\Administrator\AppData\Local\{d45cd161-b482-47af-506b-450c5f535931}
C:\Users\Administrator\AppData\Local\{d45cd161-b482-47af-506b-450c5f535931}\@
Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\diczmoqw.dll
C:\Users\Administrator\AppData\Local\Temp\kfe.dll
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
==================== Memory info ===========================
Percentage of memory in use: 15%
Total physical RAM: 3838.43 MB
Available physical RAM: 3231.06 MB
Total Pagefile: 3836.57 MB
Available Pagefile: 3218.09 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
==================== Drives ================================
Drive c: (ACER) (Fixed) (Total:144.04 GB) (Free:2.81 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (DATA) (Fixed) (Total:144.04 GB) (Free:142.92 GB) NTFS
Drive f: (PQSERVICE) (Fixed) (Total:10 GB) (Free:1.64 GB) NTFS
Drive i: (extern) (Fixed) (Total:372.61 GB) (Free:85.98 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (DATA) (Fixed) (Total:298.09 GB) (Free:138.52 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 2FB1D8DA)
Partition 1: (Not Active) - (Size=298.1 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 2C74BADC)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=144 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=144 GB) - (Type=07 NTFS)
========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 372.6 GB) (Disk ID: E9524FDE)
Partition 1: (Not Active) - (Size=372.6 GB) - (Type=07 NTFS)
LastRegBack: 2014-05-21 20:02
==================== End Of Log ============================
|
Baum-Darstellung