PC locked by the Federal Police

Good evening, dear board team,

I have a PC here that was locked by the Federal Police (Switzerland).
I used FRST 32-bit and have the corresponding log file here.
Unlike in some guides, the PC cannot be started in Safe Mode with Networking. The boot process starts but ends with a reboot. Fortunately, Windows 7 soon goes to "Repair your computer", where a command prompt is then available.
It looks as if no network connection is available. Norton Power Eraser reports that accordingly; that was my first attempt before I used FRST.
Many thanks for your help.

FRST log file:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-11-2013
Ran by SYSTEM on MININT-C05A7UM on 19-11-2013 15:54:28
Running from M:\
Windows 7 Professional Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9914984 2010-11-30] (Realtek Semiconductor)
HKLM\...\Run: [PDF Complete] - C:\Program Files\PDF Complete\pdfsty.exe [658424 2011-05-05] (PDF Complete Inc)
HKLM\...\Run: [IMSS] - C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [112152 2011-01-17] (Intel Corporation)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [hpsysdrv] - C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-09-04] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM\...\Run: [FreePDF Assistant] - C:\Program Files\FreePDF_XP\fpassist.exe [373760 2013-03-14] (shbox.de)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [253816 2013-03-11] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [262656 2010-11-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\Salvador\...\Run: [] - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [ 2013-09-04] (Samsung)
HKU\Salvador\...\Run: [KiesPreload] - C:\Program Files\Samsung\Kies\Kies.exe [ 2013-09-04] (Samsung)
HKU\Salvador\...\Run: [KiesAirMessage] - C:\Program Files\Samsung\Kies\KiesAirMessage.exe [ 2013-03-20] (Samsung Electronics)
========================== Services (Whitelisted) =================
S2 FPLService; C:\Program Files\HP SimplePass 2011\TrueSuiteService.exe [260424 2011-09-26] (HP)
S2 Intel(R) PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
S2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-02-23] (Intel Corporation)
S2 NIS; C:\Program Files\Norton Internet Security\Engine\\diMaster.dll [309688 2012-04-12] (Symantec Corporation)
S2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
==================== Drivers (Whitelisted) ====================
S1 BHDrvx86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20110519.002\BHDrvx86.sys [810616 2011-05-13] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1309010.00E\ccSetx86.sys [132768 2012-06-06] (Symantec Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-12-21] (Intel Corporation)
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [37344 2013-02-05] ()
S1 IDSVix86; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20110519.031\IDSVix86.sys [367736 2011-05-13] (Symantec Corporation)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x32.sys [264464 2010-08-13] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X32.sys [57616 2010-08-13] (Intel(R) Corporation)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110607.003\NAVENG.SYS [86008 2011-06-07] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20110607.003\NAVEX15.SYS [1542392 2011-06-07] (Symantec Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [816792 2012-10-05] ()
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1309010.00E\SRTSP.SYS [574112 2012-07-05] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1309010.00E\SRTSPX.SYS [32928 2012-07-05] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\NIS\1309010.00E\SYMDS.SYS [340088 2011-05-16] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\NIS\1309010.00E\SYMEFA.SYS [924320 2012-05-21] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [141944 2012-10-15] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1309010.00E\Ironx86.SYS [149624 2012-04-17] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\NIS\1309010.00E\SYMNETS.SYS [318584 2012-04-17] (Symantec Corporation)
S3 dgderdrv; System32\drivers\dgderdrv.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-11-19 15:54 - 2013-11-19 15:54 - 00000000 ____D C:\FRST
2013-11-19 15:49 - 2013-11-19 15:49 - 00000000 ____D C:\NPE
2013-11-19 14:07 - 2013-11-19 14:07 - 00000000 ____D C:\NBRT
2013-11-19 05:59 - 2013-11-19 05:59 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-11-18 07:57 - 2013-11-18 07:57 - 00000291 _____ C:\ProgramData\frfj6lcbn.reg
2013-11-18 07:56 - 2013-11-19 06:20 - 95025368 ____T C:\ProgramData\frfj6lcbn.bxx
2013-11-18 07:56 - 2013-11-19 06:20 - 00000000 _____ C:\ProgramData\frfj6lcbn.fvv
2013-11-18 07:56 - 2013-11-18 07:56 - 00180224 _____ C:\ProgramData\nbcl6jfrf.dss
2013-11-14 22:29 - 2013-11-14 22:30 - 00000000 ____D C:\Windows\System32\MRT
2013-11-12 07:44 - 2013-11-12 07:44 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-11-08 01:26 - 2013-11-17 21:55 - 00000520 _____ C:\Users\Salvador\Desktop\FOXUSER.DBF
2013-11-08 01:26 - 2013-11-17 21:55 - 00000512 _____ C:\Users\Salvador\Desktop\FOXUSER.FPT
2013-10-28 03:06 - 2013-11-19 15:37 - 00000000 ____D C:\Users\Salvador\AppData\Local\PokerStars
2013-10-28 03:06 - 2013-11-19 15:37 - 00000000 ____D C:\Program Files\PokerStars
2013-10-28 03:06 - 2013-10-28 03:06 - 00001021 _____ C:\Users\Public\Desktop\PokerStars.lnk
2013-10-28 03:05 - 2013-10-28 03:06 - 29026864 _____ (PokerStars) C:\Users\Salvador\Downloads\PokerStarsInstall.exe
==================== One Month Modified Files and Folders =======
2013-11-19 15:54 - 2013-11-19 15:54 - 00000000 ____D C:\FRST
2013-11-19 15:49 - 2013-11-19 15:49 - 00000000 ____D C:\NPE
2013-11-19 15:37 - 2013-10-28 03:06 - 00000000 ____D C:\Users\Salvador\AppData\Local\PokerStars
2013-11-19 15:37 - 2013-10-28 03:06 - 00000000 ____D C:\Program Files\PokerStars
2013-11-19 15:37 - 2012-10-05 12:44 - 00000000 ____D C:\ProgramData\Norton
2013-11-19 15:37 - 2012-10-05 03:54 - 00000000 ____D C:\users\Salvador
2013-11-19 15:37 - 2012-10-05 03:38 - 00000000 ____D C:\users\administrator
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\de-DE
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\security
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-11-19 15:37 - 2009-07-13 18:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-11-19 15:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-11-19 15:36 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-11-19 15:34 - 2012-10-05 04:08 - 00000000 __RHD C:\MSOCache
2013-11-19 14:07 - 2013-11-19 14:07 - 00000000 ____D C:\NBRT
2013-11-19 06:30 - 2012-10-05 12:43 - 00000000 ____D C:\ProgramData\PDFC
2013-11-19 06:20 - 2013-11-18 07:56 - 95025368 ____T C:\ProgramData\frfj6lcbn.bxx
2013-11-19 06:20 - 2013-11-18 07:56 - 00000000 _____ C:\ProgramData\frfj6lcbn.fvv
2013-11-19 06:20 - 2013-07-01 00:24 - 00000000 ____D C:\Users\Salvador\AppData\Local\FreePDF_XP
2013-11-19 06:03 - 2012-10-05 03:36 - 00000144 _____ C:\Windows\System32\config\netlogon.ftl
2013-11-19 05:59 - 2013-11-19 05:59 - 00000000 ____D C:\Users\administrator\AppData\Roaming\Adobe
2013-11-19 05:59 - 2012-10-05 03:40 - 00109672 _____ C:\Users\administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-18 07:57 - 2013-11-18 07:57 - 00000291 _____ C:\ProgramData\frfj6lcbn.reg
2013-11-18 07:56 - 2013-11-18 07:56 - 00180224 _____ C:\ProgramData\nbcl6jfrf.dss
2013-11-18 04:18 - 2012-10-14 22:26 - 00000000 ____D C:\Users\Salvador\AppData\Local\CrashDumps
2013-11-17 21:55 - 2013-11-08 01:26 - 00000520 _____ C:\Users\Salvador\Desktop\FOXUSER.DBF
2013-11-17 21:55 - 2013-11-08 01:26 - 00000512 _____ C:\Users\Salvador\Desktop\FOXUSER.FPT
2013-11-14 22:30 - 2013-11-14 22:29 - 00000000 ____D C:\Windows\System32\MRT
2013-11-12 07:44 - 2013-11-12 07:44 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-11-12 06:05 - 2012-11-07 06:24 - 00000000 ____D C:\Users\Salvador\Desktop\Retouren 1
2013-11-12 05:12 - 2012-10-05 03:54 - 00000000 ____D C:\Users\Salvador\AppData\Local\PDFC
2013-11-08 01:34 - 2009-07-13 20:34 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-08 01:34 - 2009-07-13 20:34 - 00016976 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-08 01:31 - 2010-11-20 13:01 - 01629212 _____ C:\Windows\System32\PerfStringBackup.INI
2013-11-08 01:30 - 2012-10-05 04:28 - 01989331 _____ C:\Windows\WindowsUpdate.log
2013-11-08 01:27 - 2009-07-13 20:39 - 00062337 _____ C:\Windows\setupact.log
2013-11-08 00:55 - 2013-05-05 21:02 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-11-08 00:55 - 2012-10-09 21:10 - 00000052 _____ C:\Windows\System32\DOErrors.log
2013-10-28 03:06 - 2013-10-28 03:06 - 00001021 _____ C:\Users\Public\Desktop\PokerStars.lnk
2013-10-28 03:06 - 2013-10-28 03:05 - 29026864 _____ (PokerStars) C:\Users\Salvador\Downloads\PokerStarsInstall.exe
2013-10-24 04:47 - 2013-02-15 00:29 - 00000000 ____D C:\Users\Salvador\Documents\SelfMV
2013-10-21 01:46 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
Files to move or delete:
Some content of TEMP:
==================== Known DLLs (Whitelisted) ============
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-09-29 20:58:19
Restore point made on: 2013-10-06 20:57:01
Restore point made on: 2013-10-09 07:48:25
Restore point made on: 2013-10-13 20:57:21
Restore point made on: 2013-10-20 21:01:10
Restore point made on: 2013-10-27 22:01:52
Restore point made on: 2013-11-08 01:52:53
Restore point made on: 2013-11-08 05:42:32
Restore point made on: 2013-11-11 21:45:47
Restore point made on: 2013-11-13 08:47:30
Restore point made on: 2013-11-14 22:29:26
==================== Memory info ===========================
Percentage of memory in use: 21%
Total physical RAM: 3984.02 MB
Available physical RAM: 3130.3 MB
Total Pagefile: 3982.3 MB
Available Pagefile: 3138.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.83 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:459.1 GB) (Free:420.27 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:6.56 GB) (Free:0.92 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (KIS2010_CH) (CDROM) (Total:0.2 GB) (Free:0 GB) CDFS
Drive l: (TREND MICRO USB SECURITY) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
Drive m: (RunTMUS) (Removable) (Total:7.44 GB) (Free:2.38 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: CAD7198C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=459 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=7 GB) - (Type=07 NTFS)
Disk: 6 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)
LastRegBack: 2013-11-09 15:41
==================== End Of Log ============================