Log Analysis and Evaluation: Windows 7: GVU/Bundespolizei trojan shuts the PC down in Safe Mode!

Windows 7: If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Windows 7: GVU/Bundespolizei trojan shuts the PC down in Safe Mode!

Hello dear helpers, last week I got a Bundespolizei trojan on my PC. After I log in, my screen is locked by an image with the Federal Chancellor and a police officer at the top. On the left and right is the word "Interpol". It activated my webcam and took a picture. I already had a trojan last year, and I was able to find and delete it via Safe Mode. This time I can't manage that. When I start the PC in Safe Mode and log in, the PC shuts down after 2-3 seconds. I can't do anything at all. How can I remove this trojan? Please help me!!! I have generated an FRST log file and attach it:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014
Ran by SYSTEM on MININT-H0EEBE0 on 15-04-2014 00:49:36
Running from H:\
Windows 7 Professional (X86) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [NeroCheck] => C:\Windows\system32\NeroCheck.exe [155648 2003-07-13] (Ahead Software Gmbh)
HKLM\...\Run: [WirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM\...\Run: [NokiaMServer] => C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
HKLM\...\Run: [NokiaMusic FastStart] => C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe [2090272 2009-11-06] (Nokia)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [FreePDF Assistant] => C:\Program Files\FreePDF_XP\fpassist.exe [385024 2009-09-05] (shbox.de)
HKLM\...\Run: [YSearchProtection] => C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [111856 2009-02-23] (Yahoo! Inc)
HKLM\...\Run: [Pulse] => C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe [1698672 2010-10-23] (Juniper Networks)
HKLM\...\Run: [ITSecMng] => C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2009-07-22] (TOSHIBA CORPORATION)
HKLM\...\Run: [DATAMNGR] => C:\Program Files\Searchqu Toolbar\Datamngr\datamngrUI.exe [1890744 2012-09-02] (Bandoo Media, inc)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [3830224 2013-05-16] (Safer-Networking Ltd.)
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [ApnTBMon] => C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1558480 2013-07-26] (APN)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\Gast\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\Gast\...\Run: [msnmsgr] => C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation)
HKU\Gast\...\Run: [LowRateVoip] => C:\Program Files\LowRateVoip.com\LowRateVoip\LowRateVoip.exe [19452736 2013-07-20] (LowRateVoip)
HKU\Mo.T*******\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-06-17] (Hewlett-Packard Company)
HKU\Mo.T*******\...\Run: [msnmsgr] => C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883840 2009-07-26] (Microsoft Corporation)
HKU\Mo.T*******\...\Run: [] => [X]
HKU\Mo.T*******\...\Run: [NokiaOviSuite2] => C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe [401728 2009-12-10] (Nokia)
HKU\Mo.T*******\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\sidebar.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\Mo.T*******\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [5252408 2010-06-01] (Yahoo! Inc.)
HKU\Mo.T*******\...\Run: [Search Protection] => C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [111856 2009-02-23] (Yahoo! Inc)
HKU\Mo.T*******\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-14] (Microsoft Corporation)
HKU\Mo.T*******\...\Run: [DAEMON Tools Lite] => C:\Program Files\DAEMON Tools Lite\DTLite.exe [3672384 2012-04-11] (DT Soft Ltd)
HKU\Mo.T*******\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [20584608 2013-11-14] (Skype Technologies S.A.)
HKU\Mo.T*******\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-08-28] (Garmin Ltd or its subsidiaries)
HKU\Mo.T*******\...\Command Processor: "C:\Users\MOA8BD~1.TCH\AppData\Local\Temp\webyeryb3460vavaw.exe" <===== ATTENTION!
AppInit_DLLs: C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll => C:\Program Files\Searchqu Toolbar\Datamngr\datamngr.dll [1723320 2012-09-02] (Bandoo Media, inc)
AppInit_DLLs: C:\PROGRA~1\SEARCH~1\Datamngr\IEBHO.dll => C:\Program Files\Searchqu Toolbar\Datamngr\IEBHO.dll [1185208 2012-09-02] (Bandoo Media, inc)
Startup: C:\Users\Mo.T*******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7hbodgmq.lnk
ShortcutTarget: 7hbodgmq.lnk -> C:\ProgramData\2992199F9A\qmgdobh7.cpp (Microsoft Corporation)
Startup: C:\Users\Mo.T*******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Mo.T*******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

========================== Services (Whitelisted) =================
S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1017424 2014-02-20] (Avira Operations GmbH & Co. KG)
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-26] (APN LLC.)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528608 2008-08-29] (Cisco Systems, Inc.)
S2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [660848 2010-08-27] (Juniper Networks)
S2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [246616 2013-08-28] (Garmin Ltd or its subsidiaries)
S2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard)
S2 JTAGServer; c:\altera\91\quartus\bin\jtagserver.exe [164352 2009-10-22] ()
S2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [198000 2010-10-22] (Juniper Networks)
S2 Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [1378040 2011-04-24] (Lavasoft)
S2 matlabserver; C:\MATLAB7\webserver\bin\win32\matlabserver.exe [536576 2004-04-24] ()
S4 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3048136 2012-05-30] (Skype Technologies S.A.)
S2 Winmgmt; C:\ProgramData\2992199F9A\qmgdobh7.cpp [182561 2014-04-08] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [90400 2013-12-17] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [135648 2013-12-17] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-12-12] (Avira Operations GmbH & Co. KG)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
S2 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306299 2008-08-29] (Cisco Systems, Inc.)
S3 DCamUSBNovatek; C:\Windows\System32\Drivers\nvtcam.sys [2704640 2010-09-07] (Novatek)
S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [125328 2008-03-29] (Deterministic Networks, Inc.)
S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2010-06-11] (Juniper Networks)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-04-28] (DT Soft Ltd)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.)
S3 jnprna; C:\Windows\System32\DRIVERS\jnprna.sys [420464 2010-07-22] (Juniper Networks, Inc.)
S3 jnprva; C:\Windows\System32\DRIVERS\jnprva.sys [25456 2010-07-22] (Juniper Networks, Inc.)
S3 JnprVaMgr; C:\Windows\System32\DRIVERS\jnprvamgr.sys [36776 2010-07-22] (Juniper Networks, Inc.)
S3 Lavasoft Kernexplorer; C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [15264 2010-11-19] ()
S3 NPF; C:\Windows\System32\drivers\npf.sys [50704 2009-10-20] (CACE Technologies, Inc.)
S2 Sentinel; C:\Windows\System32\Drivers\SENTINEL.SYS [76288 2009-10-21] (Rainbow Technologies, Inc.)
S3 Sntnlusb; C:\Windows\System32\DRIVERS\SNTNLUSB.SYS [26120 2009-10-21] (Rainbow Technologies Inc.)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-09-03] (Avira GmbH)
S3 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [7168 2009-11-12] ()
S3 WinDriver6; C:\Windows\System32\drivers\windrvr6.sys [194362 2010-09-16] (Jungo)
S3 XilinxFirmwareEmbeddedLpLoader; C:\Windows\System32\Drivers\xusb_emb.sys [17408 2010-09-16] (Xilinx, Inc.)
S2 XilinxPC4Driver; C:\Windows\System32\drivers\xpc4drvr.sys [16000 2010-09-16] (Xilinx, Inc.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-04-15 00:21 - 2014-04-15 00:49 - 00000000 ____D () C:\FRST
2014-04-09 20:29 - 2014-04-09 20:29 - 00000000 ____D () C:\Windows\pss
2014-04-08 21:24 - 2014-04-09 22:50 - 00000000 ____D () C:\ProgramData\2992199F9A

==================== One Month Modified Files and Folders =======
2014-04-15 00:49 - 2014-04-15 00:21 - 00000000 ____D () C:\FRST
2014-04-14 23:10 - 2013-06-14 01:09 - 00015574 _____ () C:\Windows\setupact.log
2014-04-14 23:10 - 2010-09-27 07:39 - 00280335 _____ () C:\aaw7boot.log
2014-04-14 23:08 - 2010-01-20 00:36 - 01348046 _____ () C:\Windows\WindowsUpdate.log
2014-04-14 23:08 - 2009-07-14 05:34 - 00013792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-14 23:08 - 2009-07-14 05:34 - 00013792 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-09 23:13 - 2010-12-09 18:51 - 00000000 ____D () C:\Users\Gast\Tracing
2014-04-09 22:52 - 2011-03-24 20:52 - 00000978 _____ () C:\Users\Mo.T*******\Desktop\Bluetooth-Informationsaustausch.lnk
2014-04-09 22:50 - 2014-04-08 21:24 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-09 22:50 - 2010-01-31 18:56 - 00000000 ____D () C:\Users\Mo.T*******\Tracing
2014-04-09 21:32 - 2010-02-27 09:46 - 00007605 _____ () C:\Users\Mo.T*******\AppData\Local\Resmon.ResmonCfg
2014-04-09 20:29 - 2014-04-09 20:29 - 00000000 ____D () C:\Windows\pss
2014-04-08 23:22 - 2010-02-15 20:05 - 00000000 ____D () C:\Users\Mo.T*******\AppData\Roaming\Skype
2014-04-08 13:00 - 2014-02-26 22:53 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-03 20:14 - 2013-05-01 18:21 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-04-01 19:52 - 2010-01-20 00:50 - 01644734 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-20 02:03 - 2010-02-15 20:05 - 00000000 ___RD () C:\Program Files\Skype
2014-03-20 02:02 - 2010-02-15 20:05 - 00000000 ____D () C:\ProgramData\Skype
2014-03-20 02:00 - 2013-08-16 09:13 - 00000000 ____D () C:\Windows\System32\MRT
2014-03-20 01:35 - 2010-01-31 19:43 - 87350280 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe

Some content of TEMP:
====================
C:\Users\Gast\AppData\Local\Temp\AskSLib.dll
C:\Users\Gast\AppData\Local\Temp\avgnt.exe
C:\Users\Gast\AppData\Local\Temp\drm_dialogs.dll
C:\Users\Gast\AppData\Local\Temp\drm_dyndata_7410004.dll
C:\Users\Gast\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Mo.T*******\AppData\Local\Temp\221056.exe
C:\Users\Mo.T*******\AppData\Local\Temp\247759.exe
C:\Users\Mo.T*******\AppData\Local\Temp\avgnt.exe
C:\Users\Mo.T*******\AppData\Local\Temp\~+JF8905281111587704911.dll

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

==================== Memory info ===========================
Percentage of memory in use: 12%
Total physical RAM: 3835.99 MB
Available physical RAM: 3344.24 MB
Total Pagefile: 3834.27 MB
Available Pagefile: 3356.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.54 MB

==================== Drives ================================
Drive c: () (Fixed) (Total:149.27 GB) (Free:6.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:12.85 GB) (Free:2.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive f: (Storage) (Fixed) (Total:135.67 GB) (Free:83.2 GB) NTFS
Drive g: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: (MYUSB) (Removable) (Total:1.88 GB) (Free:1.87 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: A6ACC5E4)
Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 6B736964)
No partition Table on disk 1.

LastRegBack: 2014-04-03 20:14

==================== End Of Log ============================
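The posted log already carries FRST's own `<===== ATTENTION!` marker on the Command Processor entry, and the folder `C:\ProgramData\2992199F9A` appears twice more: as the target of a startup shortcut and as the binary behind a service named Winmgmt (the name of the built-in WMI service, which normally runs inside svchost.exe under C:\Windows). As an added example, not part of this thread and not FRST's own code, here is a small Python triage script that applies the checks a helper makes first when reading such a log: FRST's own flag, persistence pointing into a user's Temp folder, random-looking folder names under ProgramData, code loaded from a file with a non-executable extension, and a built-in service name bound to a binary outside C:\Windows. The rule set, the function names and the regular expressions are the editor's own assumptions; the sample lines are a constructed excerpt in the shape FRST prints, copied from the log above.

```python
"""
Heuristic triage of FRST persistence entries.

Added example, not part of the forum thread and not FRST's own code. The
rules below are the editor's assumptions about what a helper checks first
when reading a log like the one above.
"""
import ntpath
import re

# Constructed excerpt of FRST output (Registry, Startup and Services sections),
# copied from the posted log. Benign lines are included as controls.
SAMPLE_LOG = r"""
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-20] (Avira Operations GmbH & Co. KG)
HKU\Mo.T*******\...\Command Processor: "C:\Users\MOA8BD~1.TCH\AppData\Local\Temp\webyeryb3460vavaw.exe" <===== ATTENTION!
Startup: C:\Users\Mo.T*******\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7hbodgmq.lnk
ShortcutTarget: 7hbodgmq.lnk -> C:\ProgramData\2992199F9A\qmgdobh7.cpp (Microsoft Corporation)
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440400 2014-02-20] (Avira Operations GmbH & Co. KG)
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3048136 2012-05-30] (Skype Technologies S.A.)
S2 Winmgmt; C:\ProgramData\2992199F9A\qmgdobh7.cpp [182561 2014-04-08] (Microsoft Corporation)
"""

# A drive-letter path, ended by FRST's "[size date]", trailing "(company)",
# the "<=====" marker, an "=>" arrow, a closing quote, or end of line.
PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"<\[]+?)(?=\s+\[\d|\s+\([^()]*\)\s*$|\s+<=|\s+=>|"|\s*$)'
)
SERVICE_RE = re.compile(r"^S\d\s+([^;]+);")          # "S2 Name; path ..."
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\([^\\]+)\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[0-9A-F]{8,}$", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}
# Built-in Windows services that are hosted by svchost.exe under C:\Windows.
BUILTIN_SERVICES = {"winmgmt"}


def extract_path(line):
    """Return the first drive-letter path on an FRST line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line):
    """Return the list of reasons a line deserves a closer look (empty if none)."""
    reasons = []
    if "<===== ATTENTION" in line:
        reasons.append("flagged by FRST")
    path = extract_path(line)
    if path is None:
        return reasons
    ext = ntpath.splitext(path)[1].lower()
    if TEMP_RE.search(path):
        reasons.append("persistence via a file in the user's Temp folder")
    pd = PROGRAMDATA_RE.match(path)
    if pd and RANDOM_NAME_RE.match(pd.group(1)):
        reasons.append("random-looking folder under ProgramData")
    # "Startup:" lines name the .lnk file itself; its target is checked on the
    # following ShortcutTarget line, so the .lnk extension is not a finding.
    if ext and ext not in EXEC_EXT and not line.startswith("Startup:"):
        reasons.append(f"loaded as code but has extension {ext}")
    svc = SERVICE_RE.match(line)
    if (svc and svc.group(1).strip().lower() in BUILTIN_SERVICES
            and not path.lower().startswith("c:\\windows\\")):
        reasons.append("built-in service name bound to a binary outside C:\\Windows")
    return reasons


def triage_log(text):
    """Map each suspicious line of an FRST log to its reasons."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

On the excerpt above the script leaves the Avira, OneNote and Skype entries alone and reports exactly the three lines that share the random folder and the Temp executable, which is the same grouping a helper would draw by eye before writing a fix. The rules are deliberately narrow; on a full log they are a starting point for reading, not a verdict.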