
LarsDon 11.06.2014 15:28

Windows 7: BKA Trojan - lock screen - safe mode does not start
 
Hello,

I was given a work colleague's laptop to remove the BKA Trojan from it.
That has worked several times before.
With this one, though, I am at my wits' end. I cannot start safe mode...

For that reason I have already run FRST over it, as described in the guides.

Here is the output:

Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-06-2014 01
Ran by SYSTEM on MININT-IG5NB2L on 11-06-2014 16:09:59
Running from E:\
Platform: Windows 7 Ultimate (X64) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

The only official download link for FRST:
Download link for 32-Bit version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: hxxp://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AppMon Utility] => C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe [542560 2007-09-20] (Sony Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Winlogon: [Userinit]  [X]
HKLM-x32\...\Winlogon: [Shell]  [ ] () <=== ATTENTION
Startup: C:\Users\Martina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp ()
Startup: C:\Users\Martina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 AdobeARMservice; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [65192 2012-12-18] (Adobe Systems Incorporated)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [42856 2009-06-10] (Microsoft Corporation)
S3 idsvc; C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [878416 2009-06-10] (Microsoft Corporation)
S3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [118680 2014-05-04] (Mozilla Foundation)
S3 odserv; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [441136 2006-10-26] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp [168821 2014-06-09] ()

==================== Drivers (Whitelisted) ====================

S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbdx.sys [430080 2009-07-13] (Broadcom Corporation)
S3 b57nd60x; C:\Windows\System32\DRIVERS\b57nd60x.sys [229888 2009-07-13] (Broadcom Corporation)
S3 E1G60; C:\Windows\System32\DRIVERS\E1G60I32.sys [118784 2009-07-13] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbdx.sys [3100160 2009-07-13] (Broadcom Corporation)
S3 netw5v32; C:\Windows\System32\DRIVERS\netw5v32.sys [4231168 2009-07-13] (Intel Corporation)
S3 R5U870FLx86; C:\Windows\System32\Drivers\R5U870FLx86.sys [73472 2013-03-02] (Ricoh)
S3 R5U870FUx86; C:\Windows\System32\Drivers\R5U870FUx86.sys [43904 2013-03-02] (Ricoh)
S3 RTL8167; C:\Windows\System32\DRIVERS\Rt86win7.sys [139776 2009-07-13] (Realtek Corporation                                            )
S3 SrvHsfHDA; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [207360 2009-07-13] (Conexant Systems, Inc.)
S3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV3.SYS [980992 2009-07-13] (Conexant Systems, Inc.)
S3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT3.SYS [661504 2009-07-13] (Conexant Systems, Inc.)
S3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [818688 2013-03-02] (Texas Instruments)
S5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-11 16:09 - 2014-06-11 16:09 - 00000000 ____D () C:\FRST
2014-06-11 15:44 - 2014-06-11 15:44 - 00000000 ____D () C:\Temp
2014-06-11 14:55 - 2014-06-11 14:58 - 00000564 _____ () C:\ProgramData\RUNDLL32.EXE-1940-F.txt
2014-06-11 14:48 - 2014-06-11 14:51 - 00000452 _____ () C:\ProgramData\RUNDLL32.EXE-1908-F.txt
2014-06-11 14:46 - 2014-06-11 14:46 - 00000111 _____ () C:\ProgramData\RUNDLL32.EXE-1852-F.txt
2014-06-11 14:37 - 2014-06-11 14:38 - 00000174 _____ () C:\ProgramData\RUNDLL32.EXE-1708-F.txt
2014-06-11 14:36 - 2014-06-11 14:36 - 00000057 _____ () C:\ProgramData\RUNDLL32.EXE-1488-F.txt
2014-06-11 04:27 - 2014-06-11 04:29 - 00000230 _____ () C:\ProgramData\RUNDLL32.EXE-1976-F.txt
2014-06-11 04:24 - 2014-06-11 04:26 - 00000345 _____ () C:\ProgramData\RUNDLL32.EXE-1876-F.txt
2014-06-11 04:20 - 2014-06-11 04:20 - 00000058 _____ () C:\ProgramData\RUNDLL32.EXE-1924-F.txt
2014-06-11 04:14 - 2014-06-11 04:18 - 00000512 _____ () C:\ProgramData\RUNDLL32.EXE-1844-F.txt
2014-06-11 04:11 - 2014-06-11 04:12 - 00000173 _____ () C:\ProgramData\RUNDLL32.EXE-1880-F.txt
2014-06-11 04:09 - 2014-06-11 04:09 - 00000057 _____ () C:\ProgramData\RUNDLL32.EXE-1888-F.txt
2014-06-11 04:07 - 2014-06-11 04:08 - 00000175 _____ () C:\ProgramData\RUNDLL32.EXE-1748-F.txt
2014-06-10 13:14 - 2014-06-10 13:14 - 00000116 _____ () C:\ProgramData\RUNDLL32.EXE-1992-F.txt
2014-06-10 08:01 - 2014-06-10 08:08 - 00001943 _____ () C:\ProgramData\RUNDLL32.EXE-592-F.txt
2014-06-09 22:06 - 2014-06-09 22:11 - 00002348 _____ () C:\ProgramData\RUNDLL32.EXE-2120-F.txt
2014-06-09 22:03 - 2014-06-09 22:03 - 00000610 _____ () C:\ProgramData\RUNDLL32.EXE-2072-F.txt
2014-06-09 22:01 - 2014-06-09 22:01 - 00000365 _____ () C:\ProgramData\RUNDLL32.EXE-2116-F.txt
2014-06-09 21:53 - 2014-06-09 21:55 - 00001334 _____ () C:\ProgramData\RUNDLL32.EXE-280-F.txt
2014-06-09 21:46 - 2014-06-09 21:46 - 00000000 ____D () C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA
2014-05-22 08:57 - 2014-05-22 08:58 - 00000000 ____D () C:\Users\Martina\AppData\Local\Microsoft Games

==================== One Month Modified Files and Folders =======

2014-06-11 16:09 - 2014-06-11 16:09 - 00000000 ____D () C:\FRST
2014-06-11 15:44 - 2014-06-11 15:44 - 00000000 ____D () C:\Temp
2014-06-11 14:59 - 2013-03-02 21:57 - 01117419 _____ () C:\Windows\WindowsUpdate.log
2014-06-11 14:59 - 2009-07-14 05:39 - 00075385 _____ () C:\Windows\setupact.log
2014-06-11 14:59 - 2009-07-14 05:34 - 00014016 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-11 14:59 - 2009-07-14 05:34 - 00014016 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-11 14:58 - 2014-06-11 14:55 - 00000564 _____ () C:\ProgramData\RUNDLL32.EXE-1940-F.txt
2014-06-11 14:55 - 2013-03-02 21:55 - 00000000 ____D () C:\Users\Martina\AppData\Local\Temp
2014-06-11 14:54 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-11 14:51 - 2014-06-11 14:48 - 00000452 _____ () C:\ProgramData\RUNDLL32.EXE-1908-F.txt
2014-06-11 14:46 - 2014-06-11 14:46 - 00000111 _____ () C:\ProgramData\RUNDLL32.EXE-1852-F.txt
2014-06-11 14:38 - 2014-06-11 14:37 - 00000174 _____ () C:\ProgramData\RUNDLL32.EXE-1708-F.txt
2014-06-11 14:36 - 2014-06-11 14:36 - 00000057 _____ () C:\ProgramData\RUNDLL32.EXE-1488-F.txt
2014-06-11 04:29 - 2014-06-11 04:27 - 00000230 _____ () C:\ProgramData\RUNDLL32.EXE-1976-F.txt
2014-06-11 04:26 - 2014-06-11 04:24 - 00000345 _____ () C:\ProgramData\RUNDLL32.EXE-1876-F.txt
2014-06-11 04:20 - 2014-06-11 04:20 - 00000058 _____ () C:\ProgramData\RUNDLL32.EXE-1924-F.txt
2014-06-11 04:18 - 2014-06-11 04:14 - 00000512 _____ () C:\ProgramData\RUNDLL32.EXE-1844-F.txt
2014-06-11 04:12 - 2014-06-11 04:11 - 00000173 _____ () C:\ProgramData\RUNDLL32.EXE-1880-F.txt
2014-06-11 04:09 - 2014-06-11 04:09 - 00000057 _____ () C:\ProgramData\RUNDLL32.EXE-1888-F.txt
2014-06-11 04:08 - 2014-06-11 04:07 - 00000175 _____ () C:\ProgramData\RUNDLL32.EXE-1748-F.txt
2014-06-10 13:14 - 2014-06-10 13:14 - 00000116 _____ () C:\ProgramData\RUNDLL32.EXE-1992-F.txt
2014-06-10 08:08 - 2014-06-10 08:01 - 00001943 _____ () C:\ProgramData\RUNDLL32.EXE-592-F.txt
2014-06-09 22:11 - 2014-06-09 22:06 - 00002348 _____ () C:\ProgramData\RUNDLL32.EXE-2120-F.txt
2014-06-09 22:03 - 2014-06-09 22:03 - 00000610 _____ () C:\ProgramData\RUNDLL32.EXE-2072-F.txt
2014-06-09 22:01 - 2014-06-09 22:01 - 00000365 _____ () C:\ProgramData\RUNDLL32.EXE-2116-F.txt
2014-06-09 21:55 - 2014-06-09 21:53 - 00001334 _____ () C:\ProgramData\RUNDLL32.EXE-280-F.txt
2014-06-09 21:46 - 2014-06-09 21:46 - 00000000 ____D () C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA
2014-06-09 21:37 - 2009-11-10 19:44 - 01472002 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-06-09 21:37 - 2009-07-14 09:47 - 00643866 _____ () C:\Windows\System32\perfh007.dat
2014-06-09 21:37 - 2009-07-14 09:47 - 00126394 _____ () C:\Windows\System32\perfc007.dat
2014-06-08 19:15 - 2013-07-21 20:37 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-05-23 20:22 - 2009-07-14 05:53 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-05-22 08:58 - 2014-05-22 08:57 - 00000000 ____D () C:\Users\Martina\AppData\Local\Microsoft Games
2014-05-21 22:57 - 2014-05-04 14:05 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-21 22:55 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\System32\NDF
2014-05-12 19:34 - 2013-05-20 14:59 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-05-12 08:46 - 2013-05-20 15:29 - 00000000 ____D () C:\Users\Martina\AppData\Local\Mozilla

Some content of TEMP:
====================
C:\Users\Martina\AppData\Local\Temp\jr6Q.dll
C:\Users\Martina\AppData\Local\Temp\ose00000.exe


==================== Known DLLs (Whitelisted) ================

C:\Windows\SysWOW64\clbcatq.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\ole32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\advapi32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\COMDLG32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\gdi32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IERTUTIL.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IMAGEHLP.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\IMM32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\MSCTF.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\MSVCRT.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\NORMALIZ.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\NSI.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\OLEAUT32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\PSAPI.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\rpcrt4.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\sechost.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\Setupapi.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\SHELL32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\SHLWAPI.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\URLMON.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\USP10.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WININET.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WLDAP32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\WS2_32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\DifxApi.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe
[2009-07-14 00:37] - [2009-07-14 02:14] - 0285696 ____A (Microsoft Corporation) 8EC6A4AB12B8F3759E21F8E3A388F2CF

C:\Windows\System32\wininit.exe
[2009-07-14 00:36] - [2009-07-14 02:14] - 0096256 ____A (Microsoft Corporation) B5C5DCAD3899512020D135600129D665

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe
[2009-11-10 19:48] - [2009-08-03 06:35] - 2613248 ____A (Microsoft Corporation) B95EEB0F4E5EFBF1038A35B3351CF047

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe
[2009-07-14 00:19] - [2009-07-14 02:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe
[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\User32.dll
[2009-07-14 00:24] - [2009-07-14 02:16] - 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe
[2009-07-14 00:34] - [2009-07-14 02:14] - 0026112 ____A (Microsoft Corporation) 6DE80F60D7DE9CE6B8C2DDFDF79EF175

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\rpcss.dll
[2009-07-14 00:45] - [2009-07-14 02:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2009-07-14 00:11] - [2009-07-14 02:19] - 0245328 ____A (Microsoft Corporation) 58DF9D2481A56EDDE167E51B334D44FD


==================== Restore Points  =========================

Restore point made on: 2013-10-02 17:23:28
Restore point made on: 2013-12-01 20:14:15
Restore point made on: 2014-01-20 13:01:19
Restore point made on: 2014-02-10 16:41:56
Restore point made on: 2014-02-26 18:52:33

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 2046.43 MB
Available physical RAM: 1540.77 MB
Total Pagefile: 2046.43 MB
Available Pagefile: 1538.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.52 GB) (Free:43 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (GRMCPRXVOL_DE_DVD) (CDROM) (Total:2.86 GB) (Free:0 GB) UDF
Drive e: () (Removable) (Total:0.94 GB) (Free:0.9 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 75 GB) (Disk ID: 83E265E5)
Partition 1: (Active) - (Size=75 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 961 MB) (Disk ID: 49E2A461)
Partition 1: (Active) - (Size=960 MB) - (Type=07 NTFS)


LastRegBack: 2014-05-30 21:24

==================== End Of Log ============================


It would be very kind if someone could help me.

Regards, LarsDon

aharonov 11.06.2014 17:36

Hi,

does the machine start normally again after this fix?


Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:

Startup: C:\Users\Martina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp ()
S2 Winmgmt; C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp [168821 2014-06-09] ()
2014-06-09 21:46 - 2014-06-09 21:46 - 00000000 ____D () C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA

Please save this as Fixlist.txt on your USB stick.
  • Boot your machine into the repair options again
  • Now start FRST.exe again and click the Entfernen (Fix) button.

The tool creates a Fixlog.txt on your USB stick. Please post its contents here.
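
Added example, not part of the thread and not FRST's own logic: the entries chosen for the fixlist above share three traits visible in the posted log (a 32-hex-digit folder under C:\ProgramData, an empty company field, and an autostart target whose extension is not an executable type), and this Python function flags autostart lines with those traits. The regular expressions and the extension list are assumptions derived only from the lines posted in this thread.

```python
import re

# Sample input: lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-18] (Adobe Systems Incorporated)
ShortcutTarget: explorer.lnk -> C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp ()
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
S2 AdobeARMservice; C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe [65192 2012-12-18] (Adobe Systems Incorporated)
S2 Winmgmt; C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp [168821 2014-06-09] ()
S3 R5U870FLx86; C:\Windows\System32\Drivers\R5U870FLx86.sys [73472 2013-03-02] (Ricoh)
"""

# Autostart line shapes seen in this log (assumed patterns, not an FRST spec):
# a Run value, a startup shortcut target, or a service/driver line.
ENTRY = re.compile(
    r"^(?:HK\S+?: \[.*?\] => |ShortcutTarget: .*? -> |[SR]\d \S+; )"
    r"(?P<path>[A-Za-z]:\\.*?\.\w+)"      # file the entry launches
    r"(?: \[\d+ [\d-]+\])?"               # optional [size date]
    r" \((?P<vendor>[^()]*)\)\s*$"        # company name, may be empty
)
RANDOM_DIR = re.compile(r"\\ProgramData\\[0-9A-F]{32}\\", re.IGNORECASE)
LOADABLE = {".exe", ".dll", ".sys", ".com", ".scr"}  # assumed list


def flag_entries(log_text):
    """Return (path, reasons) for autostart lines matching the traits above."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not an autostart line this parser understands
        path, vendor = m["path"], m["vendor"].strip()
        reasons = []
        if RANDOM_DIR.search(path):
            reasons.append("random-hex ProgramData folder")
        if not vendor:
            reasons.append("no company name")
        ext = path[path.rfind("."):].lower()
        if ext not in LOADABLE:
            reasons.append(f"autostart target with {ext} extension")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_entries(SAMPLE_LOG):
        print(path, "<=", "; ".join(reasons))
```

A hit is a prompt for review by someone who reads the full log, not a removal list: legitimate software can also lack a company name.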

LarsDon 11.06.2014 18:00

Hello aharonov,

thank you for taking this on!!!

Hooray, the laptop now starts completely normally. The BKA Trojan no longer appears :knuddel:

Here is the content of Fixlog.txt:

Code:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-06-2014 01
Ran by SYSTEM at 2014-06-11 18:56:55 Run:1
Running from E:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Startup: C:\Users\Martina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
ShortcutTarget: explorer.lnk -> C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp ()
S2 Winmgmt; C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp [168821 2014-06-09] ()
2014-06-09 21:46 - 2014-06-09 21:46 - 00000000 ____D () C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA
*****************

C:\Users\Martina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk => Moved successfully.
C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA\gkz8rffo.cpp => Moved successfully.
Winmgmt => Service restored successfully.
C:\ProgramData\CAF74D6A386B4A4C2F0D0974B41974CA => Moved successfully.

==== End of Fixlog ====

Regards, LarsDon

aharonov 11.06.2014 20:28

Great. Then let's continue in normal mode:


Move frst.exe from the USB stick to the desktop.
  • Then start FRST.
  • Under Optional Scan, tick the box for Addition.txt and press Scan.
  • When the scan has finished, two new log files, FRST.txt and Addition.txt, are created and saved on the desktop.
  • Please post the contents of both log files here in your thread.

