|
Log-Analyse und Auswertung: BKA-TrojanerWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML. |
15.11.2014, 10:09 | #1 |
| BKA-Trojaner Hi zusammen, ich habe hier den Laptop eines Kollegen stehen. Offensichtlich BKA-Trojaner, hab bereits mit Farbar's Recovery Scan Tool einen Scan laufen lassen. Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2014 Ran by SYSTEM on MININT-02SBS8N on 15-11-2014 09:01:51 Running from G:\ Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 Boot Mode: Recovery The current controlset is ControlSet001 ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log. Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2277992 2011-11-15] (Realtek Semiconductor) HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [589176 2011-12-20] (Alps Electric Co., Ltd.) HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp HKLM\...\Run: [LoadFUJ02E3] => C:\Program Files\Fujitsu\FUJ02E3\fuj02e3.exe [76104 2011-11-23] (FUJITSU LIMITED) HKLM\...\Run: [PSUTility] => C:\Program Files\Fujitsu\PSUtility\TrayManager.exe [205168 2011-10-03] (FUJITSU LIMITED) HKLM\...\Run: [LoadFujitsuQuickTouch] => C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [158024 2011-09-30] (FUJITSU LIMITED) HKLM\...\Run: [LoadBtnHnd] => C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe [23368 2011-09-30] (FUJITSU LIMITED) HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [456704 2012-02-20] () HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-06] (Intel Corporation) HKLM-x32\...\Run: [IndicatorUtility] => C:\Program Files (x86)\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [48752 2010-09-29] (FUJITSU LIMITED) HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated) HKLM-x32\...\Run: [AVK Client] => C:\Program Files (x86)\G DATA\AVKClient\AVKCl.exe [775752 2007-11-06] (G DATA Software AG) HKLM-x32\...\Run: [AVMWlanClient] => C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask) HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [286720 2007-06-29] (Apple Inc.) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation) HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1 HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.) HKU\Admin\...\Run: [DpiSexec] => C:\Users\Admin\AppData\Local\Temp\certnify.exe <===== ATTENTION HKU\Admin\...\Run: [MyDriveConnect.exe] => C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe [473464 2014-03-17] (TomTom) HKU\Admin\...\Run: [UgijhAwubo] => regsvr32.exe "C:\ProgramData\UgijhAwubo.dat" HKU\wfrey\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.) Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp () ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S2 AntiVirusKit Client; C:\Program Files (x86)\G DATA\AVKClient\AvkCl.exe [775752 2007-11-06] (G DATA Software AG) S3 AvkLink32; C:\Program Files (x86)\G DATA\AVKClient\AVKLnk32.exe [91984 2007-03-12] (G DATA Software AG) S2 AVKProxy; C:\Program Files (x86)\Common Files\G DATA\AVKProxy\AVKProxy.exe [714312 2007-10-02] (G DATA Software AG) S2 AVKWCtl; C:\Program Files (x86)\G DATA\AVKClient\AVKWCtlX64.exe [1741896 2007-11-05] (G DATA Software AG) S2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin) S2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [225280 2011-08-05] (DTS, Inc) S2 FUJ02E3Service; C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [76104 2011-11-23] (FUJITSU LIMITED) S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] () S2 PowerSavingUtilityService; C:\Program Files\Fujitsu\PSUtility\PSUService.exe [63856 2011-10-03] (FUJITSU LIMITED) S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] () S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-25] (AVM Berlin) S0 FBIOSDRV; C:\Windows\System32\Drivers\FBIOSDRV.sys [21104 2009-06-24] (FUJITSU LIMITED) S3 FUJ02B1; C:\Windows\System32\DRIVERS\FUJ02B1.sys [7808 2006-11-01] (FUJITSU LIMITED) S3 FUJ02E3; C:\Windows\System32\DRIVERS\FUJ02E3.sys [7296 2006-11-01] (FUJITSU LIMITED) S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-25] (AVM GmbH) S3 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [56264 2012-12-12] (G DATA Software AG) S2 GDTdiInterceptor; C:\Windows\system32\drivers\GDTdiIcpt.sys [46800 2012-12-12] () S2 GDTdiInterceptor; C:\Windows\SysWOW64\drivers\GDTdiIcpt.sys [40144 2012-12-12] () S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1812608 2011-12-27] () ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2014-11-15 09:01 - 2014-11-15 09:01 - 00000000 ____D () C:\FRST 2014-10-25 14:28 - 2014-10-25 14:28 - 00431616 _____ () C:\ProgramData\839F3874.cpp 2014-10-25 14:28 - 2014-10-25 14:28 - 00332288 ____T () C:\ProgramData\4783F938.dot ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2014-11-15 08:44 - 2012-10-01 13:07 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-11-15 08:39 - 2012-09-28 14:30 - 01822936 _____ () C:\Windows\WindowsUpdate.log 2014-11-15 08:38 - 2014-10-07 14:40 - 00003558 _____ () C:\logfile 2014-11-15 08:38 - 2014-08-03 12:39 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-11-15 08:33 - 2014-04-01 22:48 - 00006965 _____ () C:\Windows\setupact.log 2014-11-15 08:33 - 2013-01-22 16:07 - 00065536 _____ () C:\Windows\System32\Ikeext.etl 2014-11-15 08:33 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-10-26 23:47 - 2012-12-12 10:02 - 00000000 ____D () C:\users\Administrator 2014-10-26 23:47 - 2012-12-12 09:53 - 00000000 ____D () C:\users\wfrey 2014-10-26 23:46 - 2013-09-26 19:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype 2014-10-26 23:46 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\registration 2014-10-26 22:48 - 2012-09-28 14:47 - 00000000 ____D () C:\users\Admin 2014-10-25 16:45 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing 2014-10-25 14:31 - 2014-08-03 12:39 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-10-24 08:38 - 2012-12-12 09:48 - 00000120 _____ () C:\Windows\System32\config\netlogon.ftl 2014-10-23 22:04 - 2012-12-20 10:55 - 00001442 _____ () C:\Windows\unnamed.adc 2014-10-23 20:52 - 2011-04-12 08:43 - 11060878 _____ () C:\Windows\System32\perfh007.dat 2014-10-23 20:52 - 2011-04-12 08:43 - 03484980 _____ () C:\Windows\System32\perfc007.dat 2014-10-23 20:52 - 2009-07-14 06:13 - 00005378 _____ () C:\Windows\System32\PerfStringBackup.INI 2014-10-23 20:47 - 2010-11-21 04:47 - 00145148 _____ () C:\Windows\PFRO.log 2014-10-22 22:26 - 2014-08-03 12:39 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-10-22 22:26 - 2014-08-03 12:39 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-10-21 20:40 - 2013-06-18 20:41 - 00000400 _____ () C:\Windows\Tasks\EasyShare Registration Task.job 2014-10-20 21:38 - 2014-09-28 19:40 - 00000000 ____D () C:\zzz 2014-10-20 21:26 - 2014-04-25 23:37 - 00000000 ____D () C:\Dillingen Bosch-Dienst 2014-10-16 20:37 - 2014-08-03 12:39 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk Some content of TEMP: ==================== C:\Users\Admin\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe C:\Users\Admin\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe C:\Users\Admin\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe C:\Users\Admin\AppData\Local\Temp\xJsw.dll C:\Users\wfrey\AppData\Local\Temp\7.5.20.2-EasyShrx.Dll C:\Users\wfrey\AppData\Local\Temp\APNStub.exe C:\Users\wfrey\AppData\Local\Temp\applnch.exe C:\Users\wfrey\AppData\Local\Temp\BackupSetup.exe C:\Users\wfrey\AppData\Local\Temp\ose00000.exe C:\Users\wfrey\AppData\Local\Temp\SkypeSetup.exe C:\Users\wfrey\AppData\Local\Temp\uninst1.exe C:\Users\wfrey\AppData\Local\Temp\vcredist_x64.exe C:\Users\wfrey\AppData\Local\Temp\vcredist_x86.exe C:\Users\wfrey\AppData\Local\Temp\~cln81A9.exe ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== Restore Points ========================= Restore point made on: 2014-08-29 07:19:01 Restore point made on: 2014-09-10 22:02:12 Restore point made on: 2014-09-12 21:55:10 Restore point made on: 2014-09-17 10:19:55 Restore point made on: 2014-09-25 18:37:59 Restore point made on: 2014-09-30 21:02:12 Restore point made on: 2014-10-08 09:27:41 Restore point made on: 2014-10-11 10:08:40 Restore point made on: 2014-10-15 14:01:42 Restore point made on: 2014-10-19 20:54:38 Restore point made on: 2014-10-25 14:50:32 ==================== Memory info =========================== Percentage of memory in use: 15% Total physical RAM: 3956.3 MB Available physical RAM: 3334.94 MB Total Pagefile: 3954.5 MB Available Pagefile: 3326.4 MB Total Virtual: 8192 MB Available Virtual: 8191.88 MB ==================== Drives ================================ Drive c: (BOOT) (Fixed) (Total:465.66 GB) (Free:422.81 GB) NTFS Drive g: () (Removable) (Total:1.91 GB) (Free:1.87 GB) NTFS Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: B8755651) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS) ======================================================== Disk: 2 (Size: 1.9 GB) (Disk ID: 5DB13E1E) Partition 1: (Not Active) - (Size=1.9 GB) - (Type=07 NTFS) LastRegBack: 2014-10-16 23:27 ==================== End Of Log ============================ Vielen Dank im Voraus. |
15.11.2014, 10:45 | #2 |
/// the machine /// TB-Ausbilder | BKA-Trojaner hi,
__________________Drücke bitte die + R Taste und schreibe notepad in das Ausführen Fenster. Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument Code:
ATTFilter HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp () S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] () C:\ProgramData\839F3874.cpp C:\ProgramData\4783F938.dot
Das Tool erstellt eine Fixlog.txt auf deinem USB Stick. Poste den Inhalt bitte hier. Rechner normal starten.
__________________ |
15.11.2014, 10:59 | #3 |
| BKA-Trojaner Danke für die schnelle Hilfe.
__________________Anbei der neue Fixlog Code:
ATTFilter Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-11-2014 Ran by SYSTEM at 2014-11-15 09:59:01 Run:1 Running from G:\ Boot Mode: Recovery ============================================== Content of fixlist: ***************** HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp () S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] () C:\ProgramData\839F3874.cpp C:\ProgramData\4783F938.dot ***************** HKLM => Group Policy Restriction on software restored successfully. HKLM => Group Policy Restriction on software restored successfully. HKLM => Group Policy Restriction on software restored successfully. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk => Moved successfully. C:\ProgramData\839F3874.cpp => Moved successfully. Winmgmt => Service restored successfully. "C:\ProgramData\839F3874.cpp" => File/Directory not found. C:\ProgramData\4783F938.dot => Moved successfully. ==== End of Fixlog ==== |
15.11.2014, 20:50 | #4 |
/// the machine /// TB-Ausbilder | BKA-Trojaner Startet der REchner normal? Wenn ja: Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST 32-Bit | FRST 64-Bit (Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)
__________________ gruß, schrauber Proud Member of UNITE and ASAP since 2009 Spenden Anleitungen und Hilfestellungen Trojaner-Board Facebook-Seite Keine Hilfestellung via PM! |
Themen zu BKA-Trojaner |
adobe, adobe flash player, desktop, dll, explorer, explorer.exe, file, flash player, hotkey, microsoft, realtek, registry, rundll, scan, service.exe, services.exe, software, stick, svchost.exe, system, system32, temp, usb, vcredist, windows, winlogon.exe |