Log Analysis and Evaluation: White Screen (Windows 7)

If you have picked up a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system must first be examined: first steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
White Screen

Hey, I'm new here and come straight in with a problem: the notebook (Acer Aspire 5750ZG) that I have here doesn't really want to work any more. It starts up completely normally, but as soon as I am logged on (automatically), all I see is white. Safe mode doesn't help. The owner thinks he has the "BKA-Trojaner" (= "transfer your money to me"), but I can't confirm that.

Here are the log files, as far as they are useful at all, since I only ran them in "Computer Repair mode".

defogger_disable.log:
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:45 on 26/06/2013 (SYSTEM)
Checking for autostart values...
Unable to open HKCU\~\Run key (2)
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
Code:
OTL Extras logfile created on: 26.06.2013 21:46:26 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = F:\
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = )
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,86 Gb Total Physical Memory | 3,47 Gb Available Physical Memory | 90,09% Memory free
3,85 Gb Paging File | 3,47 Gb Available in Paging File | 90,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = X: | %SystemRoot% = X:\windows | %ProgramFiles% = X:\Program Files
Drive C: | 100,00 Mb Total Space | 61,70 Mb Free Space | 61,70% Space Free | Partition Type: NTFS
Drive D: | 465,66 Gb Total Space | 428,41 Gb Free Space | 92,00% Space Free | Partition Type: NTFS
Drive F: | 973,63 Mb Total Space | 969,44 Mb Free Space | 99,57% Space Free | Partition Type: FAT
Drive X: | 33,59 Mb Total Space | 31,16 Mb Free Space | 92,76% Space Free | Partition Type: NTFS
Computer Name: MININT-44D3V55 | User Name: SYSTEM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- %SystemRoot%\System32\control.exe "%1",%*
.hlp [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
.hta [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- Reg Error: Key error. File not found
.url [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- Reg Error: Key error.
htafile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Key error.
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1"
InternetShortcut [open] -- Reg Error: Key error.
InternetShortcut [print] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe
Folder [open] -- Reg Error: Key error.
Folder [explore] -- Reg Error: Key error.
Drive [find] -- %SystemRoot%\Explorer.exe
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
Error encountered while reading event logs.
< End of report >
Code:
OTL logfile created on: 26.06.2013 21:46:26 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = F:\
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = )
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
3,86 Gb Total Physical Memory | 3,47 Gb Available Physical Memory | 90,09% Memory free
3,85 Gb Paging File | 3,47 Gb Available in Paging File | 90,04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = X: | %SystemRoot% = X:\windows | %ProgramFiles% = X:\Program Files
Drive C: | 100,00 Mb Total Space | 61,70 Mb Free Space | 61,70% Space Free | Partition Type: NTFS
Drive D: | 465,66 Gb Total Space | 428,41 Gb Free Space | 92,00% Space Free | Partition Type: NTFS
Drive F: | 973,63 Mb Total Space | 969,44 Mb Free Space | 99,57% Space Free | Partition Type: FAT
Drive X: | 33,59 Mb Total Space | 31,16 Mb Free Space | 92,76% Space Free | Partition Type: NTFS
Computer Name: MININT-44D3V55 | User Name: SYSTEM | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2013.06.26 21:33:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2009.07.14 05:03:37 | 000,602,112 | ---- | M] (Microsoft Corporation) -- X:\sources\recovery\RecEnv.exe
PRC - [2009.07.14 02:14:45 | 000,565,760 | ---- | M] (Microsoft Corporation) -- X:\Windows\System32\winpeshl.exe
PRC - [2009.07.14 02:14:15 | 000,301,568 | ---- | M] (Microsoft Corporation) -- X:\Windows\System32\cmd.exe
PRC - [2009.07.14 02:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- X:\Windows\System32\conhost.exe
========== Modules (No Company Name) ==========
========== Services (SafeList) ==========
SRV - [2009.07.14 02:16:13 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- X:\Windows\System32\sacsvr.dll -- (sacsvr)
========== Driver Services (SafeList) ==========
DRV - [2009.07.14 03:38:07 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- X:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2009.07.14 03:38:07 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2009.07.14 03:38:07 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2009.07.14 03:38:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- X:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2009.07.14 02:19:03 | 000,080,464 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- X:\Windows\System32\drivers\sacdrv.sys -- (sacdrv)
DRV - [2009.07.14 00:46:05 | 000,022,016 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- X:\Windows\System32\drivers\ramdisk.sys -- (Ramdisk)
DRV - [2009.07.14 00:18:10 | 000,069,632 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- X:\Windows\System32\drivers\fbwf.sys -- (FBWF)
DRV - [2009.07.14 00:17:59 | 000,053,248 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- X:\windows\System32\drivers\wimfsf.sys -- (WimFsf)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
O1 HOSTS File: ([2009.06.10 22:39:37 | 000,000,824 | ---- | M]) - X:\windows\System32\Drivers\etc\hosts
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableMIC = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIPI = 0
O13 - ftp Prefix: missing
O13 - gopher Prefix: missing
O13 - home Prefix: missing
O13 - mosaic Prefix: missing
O13 - www Prefix: missing
O20 - HKLM Winlogon: Shell - (cmd.exe) - X:\windows\System32\cmd.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (/k start cmd.exe) - File not found
O20 - HKLM Winlogon: UserInit - (X:\windows\system32\userinit.exe) - X:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009.06.10 22:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2013.06.26 21:43:02 | 000,000,000 | ---D | C] -- X:\windows\debug
[2013.06.26 21:43:01 | 000,000,000 | --SD | C] -- X:\windows\System32\Microsoft
[2013.06.26 21:43:01 | 000,000,000 | ---D | C] -- X:\windows\ServiceProfiles
========== Files - Modified Within 30 Days ==========
[2013.06.26 21:47:04 | 000,076,760 | ---- | M] () -- X:\windows\System32\FNTCACHE.DAT
[2013.06.26 21:45:33 | 000,000,000 | ---- | M] () -- X:\windows\system32\config\systemprofile\defogger_reenable
========== Files Created - No Company Name ==========
[2013.06.26 21:45:33 | 000,000,000 | ---- | C] () -- X:\windows\system32\config\systemprofile\defogger_reenable
[2013.06.26 21:43:00 | 000,076,760 | ---- | C] () -- X:\windows\System32\FNTCACHE.DAT
[2013.06.26 21:35:14 | 000,377,856 | ---- | C] () -- \gmer_2.1.19163.exe
[2013.06.26 21:33:58 | 000,050,477 | ---- | C] () -- \Defogger.exe
[2013.06.26 21:33:38 | 000,602,112 | ---- | C] () -- \OTL.exe
[2013.06.26 21:07:28 | 001,931,844 | ---- | C] () -- \FRST64.exe
[2013.06.26 21:07:13 | 001,370,251 | ---- | C] () -- \FRST.exe
========== ZeroAccess Check ==========
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009.07.14 02:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009.07.14 05:05:08 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009.07.14 05:05:08 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
========== LOP Check ==========
========== Purity Check ==========
< End of report >
Code:
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-06-26 22:20:22
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0001SDM1 465,76GB
Running: gmer_2.1.19163.exe; Driver: X:\windows\TEMP\kgrcqfoc.sys
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8A88F579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8A8B3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit userinit.exe
---- EOF - GMER 2.1 ----
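Editor's note on reading these logs, with an added example that is not from the post, the forum or the OTL/GMER authors: all three logs were taken inside the recovery environment, which is why the OTL header shows %SystemRoot% = X:\windows and a MININT-... computer name, and why the O20 lines list Shell = cmd.exe /k start cmd.exe. Those are the recovery environment's own Winlogon values, not the installed system's, so they say nothing about a screen locker. The Python below parses the O20 Winlogon entries of an OTL log, recognises the WinRE/WinPE markers, and only compares Shell and UserInit against the Windows 7 defaults when the log actually comes from the installed system. The first sample is constructed from the log above; the second is a constructed, hypothetical installed-system log in which the shell has been replaced (the computer name and path in it are invented).

```python
"""Triage helper for an OTL log: is the log from the installed Windows or from
the WinRE/WinPE recovery environment, and do the Winlogon Shell/UserInit
values match the Windows 7 defaults?

Added example for this thread; not a tool from the forum, from OldTimer (OTL)
or from the poster. The sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: header and O20 lines as OTL wrote them when run from the
# Windows 7 recovery environment (SystemRoot on the X: RAM disk, as in the thread).
SAMPLE_WINRE_LOG = """\
OTL logfile created on: 26.06.2013 21:46:26 - Run 1
%SystemDrive% = X: | %SystemRoot% = X:\\windows | %ProgramFiles% = X:\\Program Files
Computer Name: MININT-44D3V55 | User Name: SYSTEM | Logged in as Administrator.
O20 - HKLM Winlogon: Shell - (cmd.exe) - X:\\windows\\System32\\cmd.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (/k start cmd.exe) - File not found
O20 - HKLM Winlogon: UserInit - (X:\\windows\\system32\\userinit.exe) - X:\\Windows\\System32\\userinit.exe (Microsoft Corporation)
"""

# Constructed, hypothetical sample of a log taken on the installed system where a
# screen locker has replaced the shell. Computer name and path are invented.
SAMPLE_HIJACKED_LOG = """\
%SystemDrive% = C: | %SystemRoot% = C:\\Windows | %ProgramFiles% = C:\\Program Files
Computer Name: EXAMPLE-PC | User Name: Owner | Logged in as Administrator.
O20 - HKLM Winlogon: Shell - (C:\\ProgramData\\example\\locker.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\\Windows\\system32\\userinit.exe) - C:\\Windows\\System32\\userinit.exe (Microsoft Corporation)
"""

SYSTEMROOT_RE = re.compile(r"%SystemRoot% = ([^|]+?)\s*\|")
COMPUTER_RE = re.compile(r"Computer Name: (\S+)")
# O20 - HKLM Winlogon: <ValueName> - (<registry data>) - <resolved file or "File not found">
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.*?)\) - (.*)$")


@dataclass
class Triage:
    environment: str           # "winre" (WinRE/WinPE) or "installed"
    system_root: str
    computer_name: str
    shell: str                 # effective Winlogon Shell command line
    userinit: str
    findings: list = field(default_factory=list)


def parse_otl(text: str) -> Triage:
    system_root = computer = ""
    shell_parts, userinit_parts = [], []
    for line in text.splitlines():
        if m := SYSTEMROOT_RE.search(line):
            system_root = m.group(1).strip()
        if m := COMPUTER_RE.search(line):
            computer = m.group(1)
        if m := O20_RE.match(line):
            name, data = m.group(1).lower(), m.group(2)
            # OTL prints a value that carries arguments as several O20 lines
            # (the posted log shows "cmd.exe" and "/k start cmd.exe"); rejoin them.
            if name == "shell":
                shell_parts.append(data)
            elif name == "userinit":
                userinit_parts.append(data)
    shell = " ".join(shell_parts)
    userinit = " ".join(userinit_parts)

    # WinPE/WinRE boots from a RAM disk mounted as X: and names the machine
    # MININT-<random>; a log with those markers describes the recovery
    # environment's live registry, not the installed system's hives.
    in_winre = system_root.upper().startswith("X:") or computer.upper().startswith("MININT-")
    t = Triage("winre" if in_winre else "installed", system_root, computer, shell, userinit)

    if in_winre:
        t.findings.append(
            "Log was produced inside WinRE/WinPE: the Winlogon values are the "
            "recovery environment's own (Shell = cmd.exe is normal there). "
            "Inspect the installed system's offline SOFTWARE hive instead."
        )
        return t

    # Windows 7 defaults: Shell = explorer.exe,
    # Userinit = <SystemRoot>\system32\userinit.exe, (trailing comma is normal)
    if shell and shell.lower() != "explorer.exe":
        t.findings.append(f"Winlogon Shell is '{shell}' instead of explorer.exe")
    expected_userinit = system_root.rstrip("\\").lower() + "\\system32\\userinit.exe"
    if userinit and userinit.rstrip(",").lower() != expected_userinit:
        t.findings.append(f"Winlogon UserInit is '{userinit}' instead of {expected_userinit}")
    return t


if __name__ == "__main__":
    for label, sample in (("WinRE log", SAMPLE_WINRE_LOG), ("installed-system log", SAMPLE_HIJACKED_LOG)):
        result = parse_otl(sample)
        print(f"{label}: environment={result.environment}, shell={result.shell!r}")
        for finding in result.findings:
            print("  -", finding)
```

To look at the installed system's values from the recovery command prompt, mount its SOFTWARE hive as an offline key, for example `reg load HKLM\OfflineSoftware D:\Windows\System32\config\SOFTWARE`, then `reg query "HKLM\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon"` and finally `reg unload HKLM\OfflineSoftware`. D: is an assumption: in the posted log it is the only large NTFS volume, while C: there is the 100 MB System Reserved partition, so the drive letters inside WinRE differ from the ones the running system uses. The same WinRE context explains the defogger line `Unable to open HKCU\~\Run key (2)`: the tool ran as SYSTEM, whose profile has no Run key, so neither defogger nor this OTL run looked at the owner's own user hive (NTUSER.DAT), which is the other place a screen locker usually installs itself.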