
Log Analysis and Evaluation: BKA-Trojaner

Windows 7. If you have picked up a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

15.11.2014, 10:09   #1
Shadowseeker

BKA-Trojaner



Hi all,

I have a colleague's laptop here. Obviously the BKA-Trojaner; I have already run a scan with Farbar's Recovery Scan Tool.

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2014
Ran by SYSTEM on MININT-02SBS8N on 15-11-2014 09:01:51
Running from G:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2277992 2011-11-15] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [589176 2011-12-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [LoadFUJ02E3] => C:\Program Files\Fujitsu\FUJ02E3\fuj02e3.exe [76104 2011-11-23] (FUJITSU LIMITED)
HKLM\...\Run: [PSUTility] => C:\Program Files\Fujitsu\PSUtility\TrayManager.exe [205168 2011-10-03] (FUJITSU LIMITED)
HKLM\...\Run: [LoadFujitsuQuickTouch] => C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [158024 2011-09-30] (FUJITSU LIMITED)
HKLM\...\Run: [LoadBtnHnd] => C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe [23368 2011-09-30] (FUJITSU LIMITED)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [456704 2012-02-20] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-06] (Intel Corporation)
HKLM-x32\...\Run: [IndicatorUtility] => C:\Program Files (x86)\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [48752 2010-09-29] (FUJITSU LIMITED)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVK Client] => C:\Program Files (x86)\G DATA\AVKClient\AVKCl.exe [775752 2007-11-06] (G DATA Software AG)
HKLM-x32\...\Run: [AVMWlanClient] => C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [286720 2007-06-29] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
HKU\Admin\...\Run: [DpiSexec] => C:\Users\Admin\AppData\Local\Temp\certnify.exe <===== ATTENTION
HKU\Admin\...\Run: [MyDriveConnect.exe] => C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe [473464 2014-03-17] (TomTom)
HKU\Admin\...\Run: [UgijhAwubo] => regsvr32.exe "C:\ProgramData\UgijhAwubo.dat"
HKU\wfrey\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirusKit Client; C:\Program Files (x86)\G DATA\AVKClient\AvkCl.exe [775752 2007-11-06] (G DATA Software AG)
S3 AvkLink32; C:\Program Files (x86)\G DATA\AVKClient\AVKLnk32.exe [91984 2007-03-12] (G DATA Software AG)
S2 AVKProxy; C:\Program Files (x86)\Common Files\G DATA\AVKProxy\AVKProxy.exe [714312 2007-10-02] (G DATA Software AG)
S2 AVKWCtl; C:\Program Files (x86)\G DATA\AVKClient\AVKWCtlX64.exe [1741896 2007-11-05] (G DATA Software AG)
S2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin)
S2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [225280 2011-08-05] (DTS, Inc)
S2 FUJ02E3Service; C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [76104 2011-11-23] (FUJITSU LIMITED)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
S2 PowerSavingUtilityService; C:\Program Files\Fujitsu\PSUtility\PSUService.exe [63856 2011-10-03] (FUJITSU LIMITED)
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-25] (AVM Berlin)
S0 FBIOSDRV; C:\Windows\System32\Drivers\FBIOSDRV.sys [21104 2009-06-24] (FUJITSU LIMITED)
S3 FUJ02B1; C:\Windows\System32\DRIVERS\FUJ02B1.sys [7808 2006-11-01] (FUJITSU LIMITED)
S3 FUJ02E3; C:\Windows\System32\DRIVERS\FUJ02E3.sys [7296 2006-11-01] (FUJITSU LIMITED)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-25] (AVM GmbH)
S3 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [56264 2012-12-12] (G DATA Software AG)
S2 GDTdiInterceptor; C:\Windows\system32\drivers\GDTdiIcpt.sys [46800 2012-12-12] ()
S2 GDTdiInterceptor; C:\Windows\SysWOW64\drivers\GDTdiIcpt.sys [40144 2012-12-12] ()
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1812608 2011-12-27] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-15 09:01 - 2014-11-15 09:01 - 00000000 ____D () C:\FRST
2014-10-25 14:28 - 2014-10-25 14:28 - 00431616 _____ () C:\ProgramData\839F3874.cpp
2014-10-25 14:28 - 2014-10-25 14:28 - 00332288 ____T () C:\ProgramData\4783F938.dot

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-15 08:44 - 2012-10-01 13:07 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-15 08:39 - 2012-09-28 14:30 - 01822936 _____ () C:\Windows\WindowsUpdate.log
2014-11-15 08:38 - 2014-10-07 14:40 - 00003558 _____ () C:\logfile
2014-11-15 08:38 - 2014-08-03 12:39 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-15 08:33 - 2014-04-01 22:48 - 00006965 _____ () C:\Windows\setupact.log
2014-11-15 08:33 - 2013-01-22 16:07 - 00065536 _____ () C:\Windows\System32\Ikeext.etl
2014-11-15 08:33 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 23:47 - 2012-12-12 10:02 - 00000000 ____D () C:\users\Administrator
2014-10-26 23:47 - 2012-12-12 09:53 - 00000000 ____D () C:\users\wfrey
2014-10-26 23:46 - 2013-09-26 19:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype
2014-10-26 23:46 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\registration
2014-10-26 22:48 - 2012-09-28 14:47 - 00000000 ____D () C:\users\Admin
2014-10-25 16:45 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2014-10-25 14:31 - 2014-08-03 12:39 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-24 08:38 - 2012-12-12 09:48 - 00000120 _____ () C:\Windows\System32\config\netlogon.ftl
2014-10-23 22:04 - 2012-12-20 10:55 - 00001442 _____ () C:\Windows\unnamed.adc
2014-10-23 20:52 - 2011-04-12 08:43 - 11060878 _____ () C:\Windows\System32\perfh007.dat
2014-10-23 20:52 - 2011-04-12 08:43 - 03484980 _____ () C:\Windows\System32\perfc007.dat
2014-10-23 20:52 - 2009-07-14 06:13 - 00005378 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-23 20:47 - 2010-11-21 04:47 - 00145148 _____ () C:\Windows\PFRO.log
2014-10-22 22:26 - 2014-08-03 12:39 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-22 22:26 - 2014-08-03 12:39 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-21 20:40 - 2013-06-18 20:41 - 00000400 _____ () C:\Windows\Tasks\EasyShare Registration Task.job
2014-10-20 21:38 - 2014-09-28 19:40 - 00000000 ____D () C:\zzz
2014-10-20 21:26 - 2014-04-25 23:37 - 00000000 ____D () C:\Dillingen Bosch-Dienst
2014-10-16 20:37 - 2014-08-03 12:39 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\xJsw.dll
C:\Users\wfrey\AppData\Local\Temp\7.5.20.2-EasyShrx.Dll
C:\Users\wfrey\AppData\Local\Temp\APNStub.exe
C:\Users\wfrey\AppData\Local\Temp\applnch.exe
C:\Users\wfrey\AppData\Local\Temp\BackupSetup.exe
C:\Users\wfrey\AppData\Local\Temp\ose00000.exe
C:\Users\wfrey\AppData\Local\Temp\SkypeSetup.exe
C:\Users\wfrey\AppData\Local\Temp\uninst1.exe
C:\Users\wfrey\AppData\Local\Temp\vcredist_x64.exe
C:\Users\wfrey\AppData\Local\Temp\vcredist_x86.exe
C:\Users\wfrey\AppData\Local\Temp\~cln81A9.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-08-29 07:19:01
Restore point made on: 2014-09-10 22:02:12
Restore point made on: 2014-09-12 21:55:10
Restore point made on: 2014-09-17 10:19:55
Restore point made on: 2014-09-25 18:37:59
Restore point made on: 2014-09-30 21:02:12
Restore point made on: 2014-10-08 09:27:41
Restore point made on: 2014-10-11 10:08:40
Restore point made on: 2014-10-15 14:01:42
Restore point made on: 2014-10-19 20:54:38
Restore point made on: 2014-10-25 14:50:32

==================== Memory info =========================== 

Percentage of memory in use: 15%
Total physical RAM: 3956.3 MB
Available physical RAM: 3334.94 MB
Total Pagefile: 3954.5 MB
Available Pagefile: 3326.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (BOOT) (Fixed) (Total:465.66 GB) (Free:422.81 GB) NTFS
Drive g: () (Removable) (Total:1.91 GB) (Free:1.87 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: B8755651)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1.9 GB) (Disk ID: 5DB13E1E)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=07 NTFS)


LastRegBack: 2014-10-16 23:27

==================== End Of Log ============================
         
What should be done now?

Thanks in advance.

15.11.2014, 10:45   #2
schrauber
/// the machine
/// TB-Ausbilder

BKA-Trojaner



hi,

Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
C:\ProgramData\839F3874.cpp
C:\ProgramData\4783F938.dot
         
Please save this as Fixlist.txt on your USB stick.
  • Restart your computer into the repair options again
  • Now start FRST.exe again and click the Entfernen (Fix) button.

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.


Start the computer normally.
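The log in post #1 and the fixlist in post #2 show the pattern by hand: a Software Restriction Policy aimed at the G DATA directories, Run entries and a Startup shortcut pointing into Temp and ProgramData, a file with a non-executable extension loaded through regsvr32, and the Winmgmt service redirected to C:\ProgramData\4783F938.dot. The following Python is an added example, not code from this thread, from FRST or from Trojaner-Board: it runs those checks over FRST.txt lines and drafts fixlist lines in the form FRST itself documents in the log (a copied log line restores or removes the item, a bare path moves the file). The staging-directory list, the extension sets and the regular expressions are assumptions of this example; the sample input is constructed from lines copied out of post #1.

```python
"""Triage an FRST.txt scan for the autostart and service hijacks typical of
lockscreen ransomware ("BKA-Trojaner") and draft fixlist lines from the hits.

Added example: not code from this thread, from FRST or from Trojaner-Board.
The staging-directory list and the extension check are assumptions of this
example; the fixlist semantics (a copied log line restores or removes that
item, a bare path moves the file) are the ones FRST prints in its own log.
"""
import ntpath
import re

# Constructed sample input: lines copied from the FRST log in post #1.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
HKU\Admin\...\Run: [DpiSexec] => C:\Users\Admin\AppData\Local\Temp\certnify.exe <===== ATTENTION
HKU\Admin\...\Run: [UgijhAwubo] => regsvr32.exe "C:\ProgramData\UgijhAwubo.dat"
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 FUJ02E3Service; C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [76104 2011-11-23] (FUJITSU LIMITED)
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-25] (AVM Berlin)
"""

ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")            # FRST's own marker
SERVICE_RE = re.compile(r"^[SRU]\d\s+[^;]+;")             # "S2 Winmgmt; ..." (services and drivers)
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")            # trailing "(Vendor)", or "()" when unsigned
# Drive-letter path up to the [size date] bracket, the publisher parenthesis
# (but not the "(x86)" in "Program Files (x86)"), an ATTENTION marker, a quote, or EOL.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?)(?=\s\[\d|\s\((?!x86\))|\s<=+|"|$)')
SYSTEM_TREE_RE = re.compile(r"^[a-z]:\\(windows|program files)")

# Assumption of this example: user-writable directories a legitimate autostart
# rarely runs from, and the extensions an autostart may legitimately load.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
AUTOSTART_EXT = {".exe", ".dll", ".sys"}


def classify(line):
    """Return (reason, path) if an FRST log line looks like a hijacked autostart, else None."""
    m = PATH_RE.search(line)
    path = m.group(1) if m else None
    if ATTENTION_RE.search(line):
        return "flagged by FRST itself", path
    if path is None or line.startswith("Startup:"):
        return None  # a Startup: .lnk is judged by the ShortcutTarget: line that follows it
    low = path.lower()
    ext = ntpath.splitext(low)[1]
    if SERVICE_RE.match(line):
        if not SYSTEM_TREE_RE.match(low) or ext not in {".exe", ".sys"}:
            return "service/driver binary outside the Windows or Program Files trees", path
        return None
    in_staging = any(d in low for d in STAGING_DIRS)
    if line.startswith("ShortcutTarget:") or in_staging:
        if ext not in AUTOSTART_EXT:
            return "autostart loads a file with a non-executable extension", path
        pub = PUBLISHER_RE.search(line)
        if in_staging and not (pub and pub.group(1).strip()):
            return "unsigned binary started from a user-writable directory", path
    return None


def triage(log_text):
    """Walk a log; return [(line, reason, path)], pairing a Startup: line with its hit ShortcutTarget:."""
    findings, pending_startup = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Startup:"):
            pending_startup = line
            continue
        hit = classify(line)
        if hit:
            reason, path = hit
            if line.startswith("ShortcutTarget:") and pending_startup:
                findings.append((pending_startup, reason, None))
            findings.append((line, reason, path))
        pending_startup = None
    return findings


def build_fixlist(log_text):
    """Draft fixlist lines: each hit verbatim (FRST restores/removes the item),
    then the bare file path (FRST moves the file). Review before running it."""
    out, seen = [], set()
    for line, _reason, path in triage(log_text):
        entries = [line]
        if path and ntpath.splitext(path)[1]:  # a file, not a policy directory
            entries.append(path)
        for entry in entries:
            if entry not in seen:
                seen.add(entry)
                out.append(entry)
    return out


if __name__ == "__main__":
    for line, reason, _path in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print("\n--- candidate Fixlist.txt ---")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

On the sample, the drafted list is a superset of the one schrauber posted: it also carries the two HKU Run entries (certnify.exe in Temp and the regsvr32-loaded UgijhAwubo.dat), which post #2 leaves out. The script is a first pass for the analyst, not a replacement for the review a helper does before handing a fixlist to the user, and FRST's own ATTENTION markers are always taken at face value.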

15.11.2014, 10:59   #3
Shadowseeker

BKA-Trojaner



Thanks for the quick help.

Attached is the new Fixlog

Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-11-2014
Ran by SYSTEM at 2014-11-15 09:59:01 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
C:\ProgramData\839F3874.cpp
C:\ProgramData\4783F938.dot
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk => Moved successfully.
C:\ProgramData\839F3874.cpp => Moved successfully.
Winmgmt => Service restored successfully.
"C:\ProgramData\839F3874.cpp" => File/Directory not found.
C:\ProgramData\4783F938.dot => Moved successfully.

==== End of Fixlog ====
         

15.11.2014, 20:50   #4
schrauber
/// the machine
/// TB-Ausbilder

BKA-Trojaner



Does the computer start normally?

If yes:

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked and click Untersuchen (Scan).
  • The log files are now created and will afterwards be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the # symbol in the site's input box)

regards,
schrauber

