Sperrbildschirm Trojaner Windows Vista
Guten Abend,
ich habe ein Laptop von einem Freund bekommen. Dieser hat sich ein BKA-Trojaner eingefangen.
Ich habe schon alle mir bekannten Mittel eingesetzt, nur das leider ohne Erfolg.
- In den abgesicherten Modus komme ich nicht hinein.
- Kaspersky Rescue Disk konnte das Problem ebenfalls nicht beheben
- Hitmanpro via USB-Stick konnte auch nicht vernünftig starten
Ich bin nun durch dieses Forum darauf gestoßen, dass ich mit dem Programm FRST eine Logfile erstellen kann und durch diese dann etwas herraus gefunden werden konnte und mit einer FIX Textdatei man zumindestens den Sperrbildschirm entfernen konnte.
Nur weiß ich nicht wonach ich genau suchen muss. Wenn mir dabei jemand helfen könnte wäre ich sehr dankbar.
Anbei ist die Logdatei Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-05-2014
Ran by SYSTEM on MINWINPC on 07-05-2014 18:38:54
Running from F:\
Windows Vista (TM) Home Basic (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint2K\Apoint.exe [159744 2006-11-07] (Alps Electric Co., Ltd.)
HKLM\...\Run: [QlbCtrl] => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [184320 2007-06-11] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [472776 2007-03-01] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [WAWifiMessage] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [317128 2007-01-11] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [29984 2007-10-11] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] => C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [46368 2007-10-11] (Nuance Communications, Inc.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [3825176 2012-11-13] (Safer-Networking Ltd.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3117384 2012-11-16] (ESET)
HKLM\...\Run: [SweetIM] => C:\Program Files\SweetIM\Messenger\SweetIM.exe [115032 2012-10-04] (SweetIM Technologies Ltd.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [Updater] => C:\ProgramData\Updater\Updater.exe [486264 2013-12-18] (Updater)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\RunOnce: [Launcher] - %WINDIR%\SMINST\launcher.exe [44128 2006-11-08] (soft thinks)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\Axel\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [484904 2007-04-19] (Hewlett-Packard Company)
HKU\Axel\...\Run: [Spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
HKU\Axel\...\Run: [msnmsgr] => ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
HKU\Axel\...\Run: [Updater] => C:\ProgramData\Updater\updater.exe [486264 2013-12-18] (Updater)
HKU\Default\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [1050400 2014-03-30] (Conduit)
Startup: C:\Users\Axel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Users\Axel\wgsdgsdgdsgsd.dll (No File)
Startup: C:\Users\Axel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wzjmq0kv.lnk
ShortcutTarget: wzjmq0kv.lnk -> C:\ProgramData\vk0qmjzw.cpp\vk0qmjzw.cpp (Microsoft Corporation)
========================== Services (Whitelisted) =================
S2 CltMngSvc; C:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe [2466080 2014-03-30] (Conduit)
S3 Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913184 2012-11-16] (ESET)
S2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [62984 2007-03-14] (Hewlett-Packard)
S2 InternetUpdater; C:\ProgramData\InternetUpdater\InternetUpdaterService.exe [40448 2013-12-06] ()
S2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
S2 Web Assistant Updater; C:\Program Files\Web Assistant\ExtensionUpdaterService.exe [188760 2012-07-29] ()
S2 Winmgmt; C:\ProgramData\vk0qmjzw.cpp\vk0qmjzw.cpp [115230 2014-05-06] (Microsoft Corporation)
S2 Automatisches LiveUpdate - Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [X]
==================== Drivers (Whitelisted) ====================
S1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
S3 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169120 2012-11-16] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [160768 2007-04-30] (Conexant Systems Inc.)
S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [587096 2012-10-25] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25824 2010-05-07] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S5 klflt; C:\Windows\System32\Drivers\klflt.sys [75096 2012-08-13] (Kaspersky Lab)
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S1 SYMTDI; \SystemRoot\System32\Drivers\SYMTDI.SYS [X]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2014-05-07 18:38 - 2014-05-07 18:38 - 00000000 ____D () C:\FRST
2014-05-07 15:31 - 2014-05-07 15:31 - 00138376 _____ () C:\Windows\Minidump\Mini050714-03.dmp
2014-05-07 15:30 - 2014-05-07 15:30 - 00138376 _____ () C:\Windows\Minidump\Mini050714-02.dmp
2014-05-07 15:28 - 2014-05-07 15:29 - 00138376 _____ () C:\Windows\Minidump\Mini050714-01.dmp
2014-05-06 09:21 - 2014-05-06 09:56 - 00000000 ____D () C:\ProgramData\vk0qmjzw.cpp
2014-05-01 09:35 - 2014-05-07 15:31 - 154458497 _____ () C:\Windows\MEMORY.DMP
2014-05-01 09:35 - 2014-05-01 09:35 - 00163104 _____ () C:\Windows\Minidump\Mini050114-01.dmp
2014-04-27 10:08 - 2014-04-14 19:05 - 00264616 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe
2014-04-27 10:08 - 2014-04-14 19:05 - 00175528 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-04-27 10:08 - 2014-04-14 19:04 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe
2014-04-27 10:08 - 2014-02-02 20:10 - 00094632 _____ (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2014-04-27 10:06 - 2014-04-27 10:08 - 00003488 _____ () C:\Windows\System32\jupdate-1.7.0_55-b14.log
2014-04-25 11:25 - 2014-04-25 11:26 - 00002511 _____ () C:\Users\Axel\Downloads\~ESETUninstaller.log
2014-04-25 11:16 - 2014-04-25 11:25 - 00663552 _____ (ESET) C:\Users\Axel\Downloads\ESETUninstaller.exe
2014-04-14 20:24 - 2014-04-15 09:07 - 00000000 ____D () C:\ProgramData\2992199F9A
==================== One Month Modified Files and Folders =======
2014-05-07 18:38 - 2014-05-07 18:38 - 00000000 ____D () C:\FRST
2014-05-07 17:32 - 2007-07-05 07:18 - 00000000 ____D () C:\Windows\SMINST
2014-05-07 17:32 - 2006-11-02 13:45 - 00003168 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-07 17:32 - 2006-11-02 13:45 - 00003168 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-07 16:09 - 2012-12-05 23:48 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-07 15:34 - 2012-12-07 16:25 - 00002836 _____ () C:\Windows\setupact.log
2014-05-07 15:31 - 2014-05-07 15:31 - 00138376 _____ () C:\Windows\Minidump\Mini050714-03.dmp
2014-05-07 15:31 - 2014-05-01 09:35 - 154458497 _____ () C:\Windows\MEMORY.DMP
2014-05-07 15:31 - 2012-12-07 19:23 - 00000000 ____D () C:\Windows\Minidump
2014-05-07 15:30 - 2014-05-07 15:30 - 00138376 _____ () C:\Windows\Minidump\Mini050714-02.dmp
2014-05-07 15:29 - 2014-05-07 15:28 - 00138376 _____ () C:\Windows\Minidump\Mini050714-01.dmp
2014-05-06 09:56 - 2014-05-06 09:21 - 00000000 ____D () C:\ProgramData\vk0qmjzw.cpp
2014-05-06 08:31 - 2013-01-07 04:56 - 01202995 _____ () C:\Windows\WindowsUpdate.log
2014-05-01 09:35 - 2014-05-01 09:35 - 00163104 _____ () C:\Windows\Minidump\Mini050114-01.dmp
2014-04-27 10:36 - 2012-12-04 20:20 - 00129390 _____ () C:\Windows\PFRO.log
2014-04-27 10:34 - 2014-02-02 20:13 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-27 10:08 - 2014-04-27 10:06 - 00003488 _____ () C:\Windows\System32\jupdate-1.7.0_55-b14.log
2014-04-27 10:08 - 2007-07-05 07:32 - 00000000 ____D () C:\Program Files\Java
2014-04-26 18:19 - 2006-11-02 11:33 - 01445178 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-25 11:26 - 2014-04-25 11:25 - 00002511 _____ () C:\Users\Axel\Downloads\~ESETUninstaller.log
2014-04-25 11:25 - 2014-04-25 11:16 - 00663552 _____ (ESET) C:\Users\Axel\Downloads\ESETUninstaller.exe
2014-04-25 11:22 - 2013-12-26 01:10 - 00000000 ____D () C:\ProgramData\InternetUpdater
2014-04-15 10:18 - 2013-12-20 10:10 - 00000000 ____D () C:\Program Files\SearchProtect
2014-04-15 10:18 - 2011-03-30 18:12 - 00000000 ____D () C:\users\Axel
2014-04-15 10:18 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\System32\spool
2014-04-15 10:18 - 2006-11-02 12:18 - 00000000 ____D () C:\Windows\registration
2014-04-15 10:18 - 2006-11-02 11:22 - 37224448 _____ () C:\Windows\System32\config\software_previous
2014-04-15 10:18 - 2006-11-02 11:22 - 22544384 _____ () C:\Windows\System32\config\system_previous
2014-04-15 10:13 - 2006-11-02 11:22 - 35651584 _____ () C:\Windows\System32\config\components_previous
2014-04-15 10:13 - 2006-11-02 11:22 - 00262144 _____ () C:\Windows\System32\config\sam_previous
2014-04-15 09:09 - 2006-11-02 11:22 - 00262144 _____ () C:\Windows\System32\config\default_previous
2014-04-15 09:08 - 2006-11-02 11:22 - 00262144 _____ () C:\Windows\System32\config\security_previous
2014-04-15 09:07 - 2014-04-14 20:24 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-14 19:05 - 2014-04-27 10:08 - 00264616 _____ (Oracle Corporation) C:\Windows\System32\javaws.exe
2014-04-14 19:05 - 2014-04-27 10:08 - 00175528 _____ (Oracle Corporation) C:\Windows\System32\javaw.exe
2014-04-14 19:04 - 2014-04-27 10:08 - 00175016 _____ (Oracle Corporation) C:\Windows\System32\java.exe
ZeroAccess:
C:\Windows\Installer\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}
C:\Windows\Installer\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}\@
C:\Windows\Installer\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}\L\201d3dde
C:\Windows\Installer\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}\L\4cce1f70
C:\Windows\Installer\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}\L\76603ac3
ZeroAccess:
C:\Users\Axel\AppData\Local\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}
C:\Users\Axel\AppData\Local\{d258f78d-b2a6-5ba5-3202-405f4b0fdc91}\@
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
Files to move or delete:
====================
C:\ProgramData\dsgsdgdsgdsgw.pad
C:\Users\Axel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
Some content of TEMP:
====================
C:\Users\Axel\AppData\Local\Temp\aPSZ.dll
C:\Users\Axel\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Axel\AppData\Local\Temp\setup{6C5528C5-8AF4-40B4-A355-2C6229372CC3}.exe
C:\Users\Axel\AppData\Local\Temp\setup{F989F88E-A60A-4A00-989E-3246E4D9C893}.exe
C:\Users\Axel\AppData\Local\Temp\uhoS.dll
C:\Users\Axel\AppData\Local\Temp\UkA0.dll
C:\Users\Axel\AppData\Local\Temp\_is7A73.exe
==================== Known DLLs (Whitelisted) ============
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2013-12-15 19:22:27
Restore point made on: 2013-12-16 20:02:22
Restore point made on: 2013-12-17 18:41:10
Restore point made on: 2013-12-19 17:15:36
Restore point made on: 2014-02-02 20:09:29
Restore point made on: 2014-02-13 18:39:55
Restore point made on: 2014-04-01 15:42:32
Restore point made on: 2014-04-27 10:06:05
==================== Memory info ===========================
Percentage of memory in use: 42%
Total physical RAM: 1013.41 MB
Available physical RAM: 586.45 MB
Total Pagefile: 778.52 MB
Available Pagefile: 633.44 MB
Total Virtual: 2047.88 MB
Available Virtual: 1981.21 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:105.56 GB) (Free:58.09 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:6.23 GB) (Free:2.3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (TRANSCEND) (Removable) (Total:14.68 GB) (Free:14.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 112 GB) (Disk ID: 4D004CFF)
Partition 1: (Active) - (Size=106 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=6 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 15 GB) (Disk ID: 679B101F)
Partition 1: (Active) - (Size=15 GB) - (Type=0C)
LastRegBack: 2014-05-06 15:21
==================== End Of Log ============================
Vielen Dank im Vorraus. | 
Hinweise: Ich kann Dir niemals eine Garantie geben, dass wir alle schädlichen Dateien finden werden. Eine Formatierung ist meist der schnellere und immer der sicherste Weg, aber auch nur bei wirklicher Malware empfehlenswert. Adware & Co. können wir sehr gut entfernen. 
+ R Taste und schreibe notepad in das Ausführen Fenster.