Bundespolizei Trojaner eingefangen/Logfiles vorhanden

RazieLX87 · 11.06.2013, 23:15

Hallo zusammen erstmal ein großes Lob an die Helfer hier, super Arbeit

Habe mir auf meinem Laptop ebenfalls den Bundespolizeitrojaner eingefangen und bereits wie in den Themen zuvor die Logfile per Frst64.exe erstellt.

FRST Logfile:

Code:

ATTFilter

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2013
Ran by SYSTEM on 11-06-2013 23:25:21
Running from E:\
Windows 7 Professional (X64) OS Language: German Standard
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 7.0] "C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [483328 2005-09-24] (Adobe Systems Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Avira\AntiVir Desktop\avgnt.exe" /min [209153 2009-03-02] (Avira GmbH)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [RoccatKone+] "C:\Program Files (x86)\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.EXE" [552960 2011-07-12] (ROCCAT GmbH)
HKU\RazieL\...\Run: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\axcmd.exe" /automount [203928 2009-09-30] (Alcohol Soft Development Team)
HKU\RazieL\...\Run: [WindowsSysGuard] C:\Users\Public\winvcsn.exe [x]
HKU\RazieL\...\Run: [DAEMON Tools Lite] "C:\DAEMON Tools Lite\DTLite.exe" -autorun [357696 2010-04-01] (DT Soft Ltd)
HKU\RazieL\...\Run: [KeApplet] C:\Users\RazieL\AppData\Roaming\Dropbox\{0BA20AB9-D6FD-4CC3-8B09-09075F317D56}\Validator.exe [x]
HKU\RazieL\...\Run: [casa] "C:\Users\RazieL\AppData\Roaming\casa\guni.bat" [194 2013-05-24] ()
HKU\RazieL\...\Run: [Adobe Reader] C:\Users\RazieL\AppData\Roaming\hUuRe\svchost.exe [21504 2013-05-24] ()
HKU\RazieL\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] C:\Users\RazieL\7825604.exe [45056 2013-06-10] (Adobe Systems Incorporated)
HKU\RazieL\...\Winlogon: [Shell] cmd.exe [344576 2009-07-14] (Microsoft Corporation) <==== ATTENTION
HKU\RazieL\...\Command Processor: "C:\Users\RazieL\7825604.exe" <===== ATTENTION!
Startup: C:\Users\RazieL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()

==================== Services (Whitelisted) =================

S2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_ca0e279.dll [4561152 2013-04-21] (Akamai Technologies, Inc.)
S2 AntiVirSchedulerService; C:\Avira\AntiVir Desktop\sched.exe [108289 2009-05-13] (Avira GmbH)
S2 AntiVirService; C:\Avira\AntiVir Desktop\avguard.exe [185089 2009-07-21] (Avira GmbH)
S2 ICQ Service; C:\Program Files (x86)\ICQ6Toolbar\ICQ Service.exe [247608 2010-11-21] ()
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-01-02] ()
S2 StarWindServiceAE; C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [275968 2007-05-28] (Rocket Division Software)
S2 WTGService; C:\Program Files (x86)\Verbindungsassistent\WTGService.exe [330696 2010-11-18] ()
S2 XS Stick Service; C:\Windows\service4g.exe [125200 2009-06-17] (4G Systems GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [74880 2009-12-07] (Avira GmbH)
S3 cmnsusbser; C:\Windows\System32\DRIVERS\cmnsusbser.sys [117888 2012-03-18] (Mobile Connector)
S3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [33280 2005-05-03] (SlySoft, Inc.)
S3 ElbyDelay; C:\Windows\System32\Drivers\ElbyDelay.sys [6656 2005-04-12] (Elaborate Bytes AG)
S3 ewsercd; C:\Windows\System32\DRIVERS\ewsercd.sys [112896 2011-09-06] (Huawei Technologies Co., Ltd.)
S3 NetHook_ControlCenter; C:\PingFu Iris\ControlCenter.sys [104048 2010-08-26] ()
S3 NetHook_ControlCenter; C:\PingFu Iris\ControlCenter.sys [104048 2010-08-26] ()
S3 NetHook_Interceptor; C:\PingFu Iris\Interceptor.sys [46704 2010-08-26] ()
S3 NetHook_Interceptor; C:\PingFu Iris\Interceptor.sys [46704 2010-08-26] ()
S0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows (R) Server 2003 DDK provider)
S0 speedfan; C:\Windows\SysWow64\speedfan.sys [14104 2007-02-07] (Windows (R) Server 2003 DDK provider)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-08-10] (Duplex Secure Ltd.)
S3 X6va006; \??\C:\Users\RazieL\AppData\Local\Temp\0062EE.tmp [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-11 23:25 - 2013-06-11 23:25 - 00000000 ____D C:\FRST
2013-06-10 23:04 - 2013-06-10 23:04 - 00163063 ____A C:\Users\RazieL\AppData\Roaming\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163047 ____A C:\ProgramData\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163042 ____A C:\Users\RazieL\AppData\Local\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00045056 ____A (Adobe Systems Incorporated) C:\Users\RazieL\7825604.exe
2013-05-24 23:44 - 2013-05-24 23:45 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\hUuRe
2013-05-24 23:26 - 2013-05-24 23:26 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\ERbLK
2013-05-24 22:23 - 2013-05-24 22:23 - 00600377 ____A C:\Users\RazieL\9hlwhkyey94vk.exe
2013-05-24 22:22 - 2013-05-24 22:23 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\casa
2013-05-24 22:22 - 2013-05-24 22:22 - 00600377 ____A C:\Users\RazieL\l9kg5zdc94fho.exe
2013-05-24 22:22 - 2013-05-24 22:22 - 00147456 ____A (TechSmith Corporation) C:\Users\RazieL\rapohl17o0myk.exe
2013-05-22 13:31 - 2013-05-22 13:31 - 00262144 ____N C:\Windows\Minidump\052213-27015-01.dmp
2013-05-22 13:30 - 2013-05-22 13:30 - 00262144 ___AH C:\Windows\DUMPe28a.DMP
2013-05-22 13:08 - 2013-05-22 13:08 - 00262144 ___AH C:\Windows\DUMP4202.DMP
2013-05-22 13:05 - 2013-05-22 13:05 - 00000000 ____D C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP

==================== One Month Modified Files and Folders =======

2013-06-11 23:25 - 2013-06-11 23:25 - 00000000 ____D C:\FRST
2013-06-11 22:04 - 2010-05-18 01:40 - 00001106 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-11 22:04 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-11 22:04 - 2009-07-14 05:51 - 00139881 ____A C:\Windows\setupact.log
2013-06-11 21:57 - 2010-05-18 01:40 - 00001110 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-10 23:20 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-10 23:20 - 2009-07-14 05:45 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-10 23:16 - 2009-10-28 00:37 - 01822008 ____A C:\Windows\WindowsUpdate.log
2013-06-10 23:04 - 2013-06-10 23:04 - 00163063 ____A C:\Users\RazieL\AppData\Roaming\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163047 ____A C:\ProgramData\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00163042 ____A C:\Users\RazieL\AppData\Local\2433f433
2013-06-10 23:04 - 2013-06-10 23:04 - 00045056 ____A (Adobe Systems Incorporated) C:\Users\RazieL\7825604.exe
2013-06-10 23:04 - 2009-10-28 00:54 - 00000000 ____D C:\users\RazieL
2013-06-10 22:54 - 2009-12-23 18:07 - 00000000 ____D C:\Users\RazieL\AppData\Local\Deployment
2013-06-09 23:50 - 2009-10-28 01:39 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\vlc
2013-05-27 22:11 - 2010-03-30 20:06 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\Skype
2013-05-27 19:12 - 2012-02-28 15:18 - 00000000 ____D C:\Users\RazieL\AppData\Local\PMB Files
2013-05-27 18:41 - 2012-02-28 15:18 - 00000000 ____D C:\ProgramData\PMB Files
2013-05-27 18:38 - 2010-03-30 20:08 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\skypePM
2013-05-24 23:45 - 2013-05-24 23:44 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\hUuRe
2013-05-24 23:26 - 2013-05-24 23:26 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\ERbLK
2013-05-24 22:23 - 2013-05-24 22:23 - 00600377 ____A C:\Users\RazieL\9hlwhkyey94vk.exe
2013-05-24 22:23 - 2013-05-24 22:22 - 00000000 ____D C:\Users\RazieL\AppData\Roaming\casa
2013-05-24 22:22 - 2013-05-24 22:22 - 00600377 ____A C:\Users\RazieL\l9kg5zdc94fho.exe
2013-05-24 22:22 - 2013-05-24 22:22 - 00147456 ____A (TechSmith Corporation) C:\Users\RazieL\rapohl17o0myk.exe
2013-05-22 18:36 - 2009-12-07 00:38 - 00000584 ___AH C:\Windows\Tasks\Norton Security Scan for RazieL.job
2013-05-22 16:17 - 2009-10-28 02:15 - 00000000 ____D C:\Call of Duty 4 - Modern Warfare
2013-05-22 16:16 - 2009-10-28 03:28 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2013-05-22 16:16 - 2009-10-28 03:03 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2013-05-22 16:16 - 2009-10-28 03:03 - 00215104 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2013-05-22 13:39 - 2009-10-28 00:08 - 00000000 ____D C:\ProgramData\NVIDIA
2013-05-22 13:32 - 2009-10-28 23:48 - 00000000 ____D C:\Windows\Minidump
2013-05-22 13:31 - 2013-05-22 13:31 - 00262144 ____N C:\Windows\Minidump\052213-27015-01.dmp
2013-05-22 13:31 - 2009-10-28 00:07 - 00023968 ____A C:\Windows\PFRO.log
2013-05-22 13:30 - 2013-05-22 13:30 - 00262144 ___AH C:\Windows\DUMPe28a.DMP
2013-05-22 13:08 - 2013-05-22 13:08 - 00262144 ___AH C:\Windows\DUMP4202.DMP
2013-05-22 13:05 - 2013-05-22 13:05 - 00000000 ____D C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP

Files to move or delete:
====================
C:\Users\RazieL\7825604.exe
C:\Users\RazieL\9hlwhkyey94vk.exe
C:\Users\RazieL\l9kg5zdc94fho.exe
C:\Users\RazieL\rapohl17o0myk.exe

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-03-26 01:56:29
Restore point made on: 2013-04-22 02:07:21
Restore point made on: 2013-05-01 02:14:51
Restore point made on: 2013-05-16 01:43:39
Restore point made on: 2013-05-25 02:43:46

==================== Memory info ===========================

Percentage of memory in use: 17%
Total physical RAM: 2815.37 MB
Available physical RAM: 2314.46 MB
Total Pagefile: 2813.52 MB
Available Pagefile: 2310.02 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.76 GB) (Free:20.01 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive e: (INTENSO) (Removable) (Total:7.21 GB) (Free:7.17 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or (Size: 466 GB) (Disk ID: C344177E)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: E6FDB69D)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2013-05-25 02:36

==================== End Of Log ============================

--- --- ---

markusg · 11.06.2013, 23:44

hi
kommst du an nen pc mit brenner?
download:
ISO Burner - Download - Filepony
isoburner anleitung:
http://www.trojaner-board.de/83208-b...ei-cd-dvd.html
• Wenn der Download fertig ist mache ein doppel Klick auf die OTLPENet.exe, was ISOBurner öffnet um es auf die CD zu brennen.
Starte dein System neu und boote von der CD die du gerade erstellt hast.
Wenn du nicht weist wie du deinen Computer dazu bringst von der CD zu booten,
http://www.trojaner-board.de/81857-c...cd-booten.html

• Dein System sollte jetzt einen REATOGO-X-PE Desktop anzeigen.
• Mache einen doppel Klick auf das OTLPE Icon.
• Wenn du gefragt wirst "Do you wish to load the remote registry", dann wähle Yes.
• Wenn du gefragt wirst "Do you wish to load remote user profile(s) for scanning", dann wähle Yes.
• entferne den haken bei "Automatically Load All Remaining Users" wenn er gesetzt ist.

• OTL sollte nun starten.
Kopiere nun den Inhalt in die

Textbox.

Code:

ATTFilter

activex
netsvcs
msconfig
%SYSTEMDRIVE%\*.
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%systemroot%\*. /mp /s
/md5start
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
ws2ifsl.sys
sceclt.dll
ntelogon.dll
winlogon.exe
logevent.dll
user32.DLL
explorer.exe
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
%USERPROFILE%\*.*
%USERPROFILE%\Local Settings\Temp\*.exe
%USERPROFILE%\Local Settings\Temp\*.dll
%USERPROFILE%\Application Data\*.exe

• Drücke Run Scan um den Scan zu starten.
• Wenn er fertig ist werden die Dateien in C:\otl.txt gesichert
• Kopiere diesen Ordner auf deinen USB-Stick wenn du keine Internetverbindung auf diesem System hast.
poste beide logs

RazieLX87 · 11.06.2013, 23:49

Hey

ja komme ich ran. Werde Schritte morgen durchführen, der Lappi ist zur Zeit bei meiner Freundinn.

markusg · 11.06.2013, 23:50

itte lass solche zwischenposts weg, da neue an den angefügt werden, muss ich sonst immer hier reingucken, bei Problemen etc natürlich melden

Bundespolizei Trojaner eingefangen/Logfiles vorhanden

Plagegeister aller Art und deren Bekämpfung: Bundespolizei Trojaner eingefangen/Logfiles vorhanden