Trojaner-Board (https://www.trojaner-board.de/) - Log-Analyse und Auswertung - BKA-Trojaner (https://www.trojaner-board.de/160782-bka-trojaner.html)

Shadowseeker 15.11.2014 10:09

BKA-Trojaner
 
Hi everyone,

I have a colleague's laptop here. Obviously the BKA Trojan; I have already run a scan with Farbar's Recovery Scan Tool.

Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2014
Ran by SYSTEM on MININT-02SBS8N on 15-11-2014 09:01:51
Running from G:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2277992 2011-11-15] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [589176 2011-12-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM\...\Run: [LoadFUJ02E3] => C:\Program Files\Fujitsu\FUJ02E3\fuj02e3.exe [76104 2011-11-23] (FUJITSU LIMITED)
HKLM\...\Run: [PSUTility] => C:\Program Files\Fujitsu\PSUtility\TrayManager.exe [205168 2011-10-03] (FUJITSU LIMITED)
HKLM\...\Run: [LoadFujitsuQuickTouch] => C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [158024 2011-09-30] (FUJITSU LIMITED)
HKLM\...\Run: [LoadBtnHnd] => C:\Program Files\Fujitsu\Application Panel\BtnHnd.exe [23368 2011-09-30] (FUJITSU LIMITED)
HKLM\...\Run: [CDAServer] => C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe [456704 2012-02-20] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-06] (Intel Corporation)
HKLM-x32\...\Run: [IndicatorUtility] => C:\Program Files (x86)\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [48752 2010-09-29] (FUJITSU LIMITED)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVK Client] => C:\Program Files (x86)\G DATA\AVKClient\AVKCl.exe [775752 2007-11-06] (G DATA Software AG)
HKLM-x32\...\Run: [AVMWlanClient] => C:\Program Files (x86)\avmwlanstick\wlangui.exe [2105344 2010-10-22] (AVM Berlin)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [286720 2007-06-29] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\Admin\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
HKU\Admin\...\Run: [DpiSexec] => C:\Users\Admin\AppData\Local\Temp\certnify.exe <===== ATTENTION
HKU\Admin\...\Run: [MyDriveConnect.exe] => C:\Program Files (x86)\MyDrive Connect\MyDriveConnect.exe [473464 2014-03-17] (TomTom)
HKU\Admin\...\Run: [UgijhAwubo] => regsvr32.exe "C:\ProgramData\UgijhAwubo.dat"
HKU\wfrey\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirusKit Client; C:\Program Files (x86)\G DATA\AVKClient\AvkCl.exe [775752 2007-11-06] (G DATA Software AG)
S3 AvkLink32; C:\Program Files (x86)\G DATA\AVKClient\AVKLnk32.exe [91984 2007-03-12] (G DATA Software AG)
S2 AVKProxy; C:\Program Files (x86)\Common Files\G DATA\AVKProxy\AVKProxy.exe [714312 2007-10-02] (G DATA Software AG)
S2 AVKWCtl; C:\Program Files (x86)\G DATA\AVKClient\AVKWCtlX64.exe [1741896 2007-11-05] (G DATA Software AG)
S2 AVM WLAN Connection Service; C:\Program Files (x86)\avmwlanstick\WlanNetService.exe [376832 2010-10-22] (AVM Berlin)
S2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [225280 2011-08-05] (DTS, Inc)
S2 FUJ02E3Service; C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [76104 2011-11-23] (FUJITSU LIMITED)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
S2 PowerSavingUtilityService; C:\Program Files\Fujitsu\PSUtility\PSUService.exe [63856 2011-10-03] (FUJITSU LIMITED)
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 avmeject; C:\Windows\System32\drivers\avmeject.sys [14120 2010-10-25] (AVM Berlin)
S0 FBIOSDRV; C:\Windows\System32\Drivers\FBIOSDRV.sys [21104 2009-06-24] (FUJITSU LIMITED)
S3 FUJ02B1; C:\Windows\System32\DRIVERS\FUJ02B1.sys [7808 2006-11-01] (FUJITSU LIMITED)
S3 FUJ02E3; C:\Windows\System32\DRIVERS\FUJ02E3.sys [7296 2006-11-01] (FUJITSU LIMITED)
S3 fwlanusbn; C:\Windows\System32\DRIVERS\fwlanusbn.sys [714368 2010-10-25] (AVM GmbH)
S3 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [56264 2012-12-12] (G DATA Software AG)
S2 GDTdiInterceptor; C:\Windows\system32\drivers\GDTdiIcpt.sys [46800 2012-12-12] ()
S2 GDTdiInterceptor; C:\Windows\SysWOW64\drivers\GDTdiIcpt.sys [40144 2012-12-12] ()
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1812608 2011-12-27] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-15 09:01 - 2014-11-15 09:01 - 00000000 ____D () C:\FRST
2014-10-25 14:28 - 2014-10-25 14:28 - 00431616 _____ () C:\ProgramData\839F3874.cpp
2014-10-25 14:28 - 2014-10-25 14:28 - 00332288 ____T () C:\ProgramData\4783F938.dot

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-15 08:44 - 2012-10-01 13:07 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-15 08:40 - 2009-07-14 05:45 - 00024304 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-15 08:39 - 2012-09-28 14:30 - 01822936 _____ () C:\Windows\WindowsUpdate.log
2014-11-15 08:38 - 2014-10-07 14:40 - 00003558 _____ () C:\logfile
2014-11-15 08:38 - 2014-08-03 12:39 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-15 08:33 - 2014-04-01 22:48 - 00006965 _____ () C:\Windows\setupact.log
2014-11-15 08:33 - 2013-01-22 16:07 - 00065536 _____ () C:\Windows\System32\Ikeext.etl
2014-11-15 08:33 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 23:47 - 2012-12-12 10:02 - 00000000 ____D () C:\users\Administrator
2014-10-26 23:47 - 2012-12-12 09:53 - 00000000 ____D () C:\users\wfrey
2014-10-26 23:46 - 2013-09-26 19:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Skype
2014-10-26 23:46 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\registration
2014-10-26 22:48 - 2012-09-28 14:47 - 00000000 ____D () C:\users\Admin
2014-10-25 16:45 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2014-10-25 14:31 - 2014-08-03 12:39 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-24 08:38 - 2012-12-12 09:48 - 00000120 _____ () C:\Windows\System32\config\netlogon.ftl
2014-10-23 22:04 - 2012-12-20 10:55 - 00001442 _____ () C:\Windows\unnamed.adc
2014-10-23 20:52 - 2011-04-12 08:43 - 11060878 _____ () C:\Windows\System32\perfh007.dat
2014-10-23 20:52 - 2011-04-12 08:43 - 03484980 _____ () C:\Windows\System32\perfc007.dat
2014-10-23 20:52 - 2009-07-14 06:13 - 00005378 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-23 20:47 - 2010-11-21 04:47 - 00145148 _____ () C:\Windows\PFRO.log
2014-10-22 22:26 - 2014-08-03 12:39 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-22 22:26 - 2014-08-03 12:39 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-21 20:40 - 2013-06-18 20:41 - 00000400 _____ () C:\Windows\Tasks\EasyShare Registration Task.job
2014-10-20 21:38 - 2014-09-28 19:40 - 00000000 ____D () C:\zzz
2014-10-20 21:26 - 2014-04-25 23:37 - 00000000 ____D () C:\Dillingen Bosch-Dienst
2014-10-16 20:37 - 2014-08-03 12:39 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Admin\AppData\Local\Temp\xJsw.dll
C:\Users\wfrey\AppData\Local\Temp\7.5.20.2-EasyShrx.Dll
C:\Users\wfrey\AppData\Local\Temp\APNStub.exe
C:\Users\wfrey\AppData\Local\Temp\applnch.exe
C:\Users\wfrey\AppData\Local\Temp\BackupSetup.exe
C:\Users\wfrey\AppData\Local\Temp\ose00000.exe
C:\Users\wfrey\AppData\Local\Temp\SkypeSetup.exe
C:\Users\wfrey\AppData\Local\Temp\uninst1.exe
C:\Users\wfrey\AppData\Local\Temp\vcredist_x64.exe
C:\Users\wfrey\AppData\Local\Temp\vcredist_x86.exe
C:\Users\wfrey\AppData\Local\Temp\~cln81A9.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-08-29 07:19:01
Restore point made on: 2014-09-10 22:02:12
Restore point made on: 2014-09-12 21:55:10
Restore point made on: 2014-09-17 10:19:55
Restore point made on: 2014-09-25 18:37:59
Restore point made on: 2014-09-30 21:02:12
Restore point made on: 2014-10-08 09:27:41
Restore point made on: 2014-10-11 10:08:40
Restore point made on: 2014-10-15 14:01:42
Restore point made on: 2014-10-19 20:54:38
Restore point made on: 2014-10-25 14:50:32

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3956.3 MB
Available physical RAM: 3334.94 MB
Total Pagefile: 3954.5 MB
Available Pagefile: 3326.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (BOOT) (Fixed) (Total:465.66 GB) (Free:422.81 GB) NTFS
Drive g: () (Removable) (Total:1.91 GB) (Free:1.87 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: B8755651)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1.9 GB) (Disk ID: 5DB13E1E)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=07 NTFS)


LastRegBack: 2014-10-16 23:27

==================== End Of Log ============================

What should be done now?

Many thanks in advance.

schrauber 15.11.2014 10:45

hi,

Please press the + R key and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:

HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
C:\ProgramData\839F3874.cpp
C:\ProgramData\4783F938.dot

Please save this as Fixlist.txt on your USB stick.
  • Restart your computer into the repair options
  • Now start FRST.exe again and click the Fix button.

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.


Start the computer normally.
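The fixlist in this post is what a helper derives by hand from the FRST.txt in the first post. As an added illustration that is not part of this thread and not FRST's own code, the following Python script applies a few of the heuristics behind that selection to lines copied from the posted log: FRST's own ATTENTION marker, an autostart target dropped straight into the root of C:\ProgramData or into a Temp folder, a non-executable extension (.dat, .cpp, .dot) on something that gets loaded at boot or logon, and the Winmgmt service pointing outside System32. The heuristics, the function names, the small CRITICAL_SERVICES table and the sample lines are assumptions of this example; the line format is FRST's as shown in the log above. It goes slightly beyond the fixlist in this post in that it also lists the two HKU\Admin Run entries FRST marked; which entries actually go into a fixlist remains the decision of the person reading the log.

```python
import re

# Constructed sample input: FRST.txt-style lines taken from the scan log posted in
# this thread (one vendor string trimmed to ASCII), with benign entries kept for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [ApnUpdater] => C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1646216 2013-03-31] (Ask)
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
HKU\Admin\...\Run: [DpiSexec] => C:\Users\Admin\AppData\Local\Temp\certnify.exe <===== ATTENTION
HKU\Admin\...\Run: [UgijhAwubo] => regsvr32.exe "C:\ProgramData\UgijhAwubo.dat"
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 AVKProxy; C:\Program Files (x86)\Common Files\G DATA\AVKProxy\AVKProxy.exe [714312 2007-10-02] (G DATA Software AG)
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel Corporation)
"""

# First Windows path on a line, cut off before FRST's "[size date]" block, the trailing
# "(vendor)" field, the "<===== ATTENTION" marker, a closing quote, or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?(?=\s*(?:\[\d|\([^)]*\)\s*$|<=|"|$))')
SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); ")

PROGRAMDATA_ROOT = "c:\\programdata\\"
TEMP_MARK = "\\appdata\\local\\temp\\"
LOADABLE_EXT = (".exe", ".dll", ".sys", ".lnk")
# Services owned by Windows itself and the directory their binary must live in.
# Hypothetical minimal table for this example; Winmgmt is the case seen in the thread.
CRITICAL_SERVICES = {"winmgmt": "c:\\windows\\system32\\"}


def extract_path(line):
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def is_loader_line(line):
    """Lines whose path is executed or loaded at boot/logon: Run values, services, shortcut targets."""
    return " => " in line or SERVICE_RE.match(line) is not None or line.startswith("ShortcutTarget:")


def suspicious_reasons(line):
    """Return the reasons a FRST line deserves a second look; an empty list means nothing matched."""
    reasons = []
    if "ATTENTION" in line:
        reasons.append("flagged by FRST itself (ATTENTION marker)")
    path = extract_path(line)
    if path is None:
        return reasons
    low = path.lower()
    # A bare file in the ProgramData root is unusual; installers use a vendor subfolder.
    if low.startswith(PROGRAMDATA_ROOT) and "\\" not in low[len(PROGRAMDATA_ROOT):]:
        reasons.append("file dropped directly into C:\\ProgramData")
    if TEMP_MARK in low:
        reasons.append("autostart target in a Temp directory")
    if is_loader_line(line) and not low.endswith(LOADABLE_EXT):
        reasons.append("loadable target with a non-executable extension")
    m = SERVICE_RE.match(line)
    if m:
        expected = CRITICAL_SERVICES.get(m.group("name").lower())
        if expected and not low.startswith(expected):
            reasons.append("critical service %s points outside %s" % (m.group("name"), expected))
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons, in log order."""
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = suspicious_reasons(line)
        if reasons:
            flagged[line] = reasons
    return flagged


def build_fixlist(log_text):
    """Lay flagged lines out the way a FRST fixlist does: the entries first, then the files to move."""
    entries, files = [], []
    previous = ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if suspicious_reasons(line):
            # FRST reports a Startup: line followed by its ShortcutTarget: line; the fix lists both.
            if line.startswith("ShortcutTarget:") and previous.startswith("Startup:"):
                entries.append(previous)
            entries.append(line)
            path = extract_path(line)
            low = path.lower() if path else ""
            if path and (low.startswith(PROGRAMDATA_ROOT) or TEMP_MARK in low) and path not in files:
                files.append(path)
        previous = line
    return entries + files


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for why in reasons:
            print("    -", why)
    print("\nCandidate fixlist (review before use):")
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

Run as a plain script, it prints each flagged line with its reasons and then a candidate fixlist in the same shape as the one above (entries, then bare file paths). The two HKU\Admin Run entries come out as well because they carry FRST's marker and point into Temp or ProgramData; the Ask.com updater does not, because none of these heuristics fires on an ordinary Program Files path, which is a reminder that such a script narrows the reading of a log but does not replace it.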

Shadowseeker 15.11.2014 10:59

Thanks for the quick help.

Attached is the new Fixlog

Code:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-11-2014
Ran by SYSTEM at 2014-11-15 09:59:01 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\G DATA <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\G DATA <====== ATTENTION
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\839F3874.cpp ()
S2 Winmgmt; C:\ProgramData\4783F938.dot [332288 2014-10-25] ()
C:\ProgramData\839F3874.cpp
C:\ProgramData\4783F938.dot
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk => Moved successfully.
C:\ProgramData\839F3874.cpp => Moved successfully.
Winmgmt => Service restored successfully.
"C:\ProgramData\839F3874.cpp" => File/Directory not found.
C:\ProgramData\4783F938.dot => Moved successfully.

==== End of Fixlog ====


schrauber 15.11.2014 20:50

Does the computer start normally?

If yes:

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(If you are not sure: download both versions or check under Start > Computer (right-click) > Properties)
  • Now start FRST.
  • Do not change any of the checkboxes unless asked and click Scan.
  • The log files will now be created and will then be on your desktop.
  • Post the FRST.txt and, after the first scan, also the Addition.txt in your thread (click the #-symbol in the website's input window)
