Windows-Verschlüsselungs Trojaner

maiklemmer · 12.06.2012, 18:07

Hallo zusammen,

mein Rechner hat wohl den Windows-Verschlüsselungs-Trojaner.

Ich habe OTL ausgeführt.

Anbei die OTL.txt:

Zitat:

OTL logfile created on: 6/12/2012 9:00:44 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Professional Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files (x86)
Drive C: | 13.15 Gb Total Space | 6.12 Gb Free Space | 46.51% Space Free | Partition Type: NTFS
Drive D: | 134.77 Gb Total Space | 134.63 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
Drive F: | 150.13 Gb Total Space | 107.65 Gb Free Space | 71.70% Space Free | Partition Type: NTFS
Drive G: | 1.90 Gb Total Space | 1.90 Gb Free Space | 99.78% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - (WinDefend) -- F:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- F:\Windows\System32\appmgmts.dll (Microsoft Corporation)
SRV - (AdobeARMservice) -- F:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (UMVPFSrv) -- F:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe (Logitech Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- F:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- F:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (Ser2pl) -- F:\Windows\System32\drivers\ser2pl64.sys (Prolific Technology Inc.)
DRV:64bit: - (LVUVC64) Logitech Webcam 120(UVC) -- F:\Windows\System32\drivers\lvuvc64.sys (Logitech Inc.)
DRV:64bit: - (igfx) -- F:\Windows\System32\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (CnxtHdAudService) -- F:\Windows\System32\drivers\CHDRT64.sys (Conexant Systems Inc.)
DRV:64bit: - (RTL8167) -- F:\Windows\System32\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (TsUsbFlt) -- F:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (netvsc) -- F:\Windows\System32\drivers\netvsc60.sys (Microsoft Corporation)
DRV:64bit: - (dmvsc) -- F:\Windows\system32\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (SynthVid) -- F:\Windows\System32\drivers\VMBusVideoM.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- F:\Windows\system32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (MEIx64) Intel(R) -- F:\Windows\System32\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) Intel(R) -- F:\Windows\System32\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV:64bit: - (PxHlpa64) -- F:\Windows\System32\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (WSDPrintDevice) -- F:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV:64bit: - (StillCam) -- F:\Windows\System32\drivers\serscan.sys (Microsoft Corporation)
DRV:64bit: - (Ntfs) -- F:\Windows\System32\wbem\ntfs.mof ()
DRV:64bit: - (ebdrv) -- F:\Windows\system32\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- F:\Windows\system32\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- F:\Windows\System32\drivers\b57nd60a.sys (Broadcom Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\admin_ON_F\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USSMB/8
IE - HKU\admin_ON_F\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USSMB/8
IE - HKU\admin_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Systeam_ON_F\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/USSMB/8
IE - HKU\Systeam_ON_F\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.uk.msn.com/USSMB/8
IE - HKU\Systeam_ON_F\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: F:\Windows\System32\Macromed\Flash\NPSWF64_11_0_1.dll ()
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: F:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: F:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: F:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: F:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: F:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: F:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: F:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: F:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: F:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/10/08 10:42:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/08 10:25:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/12/10 10:37:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2011/10/08 11:23:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Thunderbird 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2011/10/22 10:49:39 | 000,000,000 | ---D | M] (No name found) -- F:\Users\admin\AppData\Roaming\Mozilla\Extensions
[2011/10/08 11:21:04 | 000,000,000 | ---D | M] (No name found) -- F:\Program Files (x86)\Mozilla Firefox\extensions
[2011/10/08 11:21:04 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011/09/29 03:09:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- F:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/05/03 22:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/28 21:24:37 | 000,001,392 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/09/28 21:16:42 | 000,002,252 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/09/28 21:24:37 | 000,001,153 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2011/09/28 21:24:37 | 000,006,805 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/09/28 21:24:37 | 000,001,178 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/09/28 21:24:37 | 000,001,105 | ---- | M] () -- F:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2012/01/07 13:20:27 | 000,002,501 | ---- | M]) - F:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.studivz.de
O1 - Hosts: 127.0.0.1 studivz.de
O1 - Hosts: 127.0.0.1 www.studivz.at
O1 - Hosts: 127.0.0.1 studivz.at
O1 - Hosts: 127.0.0.1 www.studivz.net
O1 - Hosts: 127.0.0.1 studivz.net
O1 - Hosts: 127.0.0.1 www.meinvz.de
O1 - Hosts: 127.0.0.1 meinvz.de
O1 - Hosts: 127.0.0.1 www.meinvz.at
O1 - Hosts: 127.0.0.1 meinvz.at
O1 - Hosts: 127.0.0.1 www.meinvz.net
O1 - Hosts: 127.0.0.1 meinvz.net
O1 - Hosts: 127.0.0.1 hxxp://www.youtube.com/
O1 - Hosts: 127.0.0.1 hxxp://mobil.meinvz.net/op/meinvz/de/mcat/
O1 - Hosts: 127.0.0.1 mobil.meinvz.net
O1 - Hosts: 127.0.0.1 www.icq.com
O1 - Hosts: 127.0.0.1 icq.com
O1 - Hosts: 127.0.0.1 www.icq.net
O1 - Hosts: 127.0.0.1 icq.net
O1 - Hosts: 127.0.0.1 www.icq.de
O1 - Hosts: 127.0.0.1 icq.de
O1 - Hosts: 127.0.0.1 hxxp://messenger.live.de/
O1 - Hosts: 127.0.0.1 messenger.live.de
O1 - Hosts: 127.0.0.1 hxxp://www.schuelervz.net/l/schueler/2/
O1 - Hosts: 127.0.0.1 www.schuelervz.net
O1 - Hosts: 43 more lines...
O2:64bit: - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - File not found
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - File not found
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - F:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [CANON DR2010C SVC] F:\Windows\System32\DR201SVC.dll (Canon Electronics)
O4:64bit: - HKLM..\Run: [DBRMTray] File not found
O4 - HKLM..\Run: [DivXUpdate] F:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [DR-2010C CaptureOnTouch] F:\Program Files (x86)\Canon Electronics\DR2010C\TouchDR.exe (Canon Electronics Inc.)
O4 - HKLM..\Run: [LWS] F:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKU\Administrator_ON_F..\Run: [Sidebar] F:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_F..\Run: [Sidebar] F:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_F..\Run: [Sidebar] F:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\Systeam_ON_F..\Run: [A4AF0EE0] F:\Users\Systeam\Joftqxfn\galraejyyj.exe ()
O4 - HKU\Systeam_ON_F..\Run: [Logitech Vid] F:\Program Files (x86)\Logitech\Vid HD\Vid.exe (Logitech Inc.)
O4 - HKU\Administrator_ON_F..\RunOnce: [mctadmin] File not found
O4 - HKU\LocalService_ON_F..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_F..\RunOnce: [mctadmin] File not found
O4 - Startup: F:\Users\Systeam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3.vbs ()
O4 - Startup: F:\Users\Systeam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.7.1
O18:64bit: - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - F:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - F:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - F:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/06/05 02:47:45 | 000,000,000 | ---D | C] -- F:\Users\Systeam\Documents\Meetings
[2012/06/05 01:50:29 | 000,000,000 | ---D | C] -- F:\Users\Systeam\Documents\Mitglieder
[2012/05/15 09:55:13 | 000,000,000 | ---D | C] -- F:\Users\Systeam\Documents\Baufirmen ACTIC
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/12 13:36:30 | 000,000,157 | ---- | M] () -- F:\Windows\setscan.ini
[2012/06/12 13:36:27 | 000,067,584 | --S- | M] () -- F:\Windows\bootstat.dat
[2012/06/12 13:33:37 | 000,021,088 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/12 13:33:37 | 000,021,088 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/12 13:26:20 | 000,002,048 | -HS- | M] () -- F:\_OTL
[2012/06/12 13:26:17 | 000,000,000 | ---- | M] () -- F:\Windows\System32\drivers\lvuvc.hs
[2012/06/12 12:02:58 | 1541,898,240 | -HS- | M] () -- F:\hiberfil.sys
[2012/06/12 11:53:08 | 000,003,240 | ---- | M] () -- F:\bootsqm.dat
[2012/06/12 10:55:12 | 000,124,070 | ---- | M] () -- F:\Users\Systeam\Desktop\aqVeNtqqNuQETdUOgDUGx
[2012/06/12 09:00:49 | 000,123,842 | ---- | M] () -- F:\Users\Systeam\Desktop\jdEtouoQEQUgUjOlJ
[2012/06/12 06:57:43 | 000,025,293 | ---- | M] () -- F:\Users\Systeam\Desktop\EsqypyfTuotuogdgdjg
[2012/06/11 06:28:05 | 000,437,758 | ---- | M] () -- F:\Users\Systeam\Documents\XdAfyNeqlnNXOxJe
[2012/06/10 10:55:54 | 000,018,086 | ---- | M] () -- F:\Users\Systeam\Desktop\jUoueotutTdAODjxDJD
[2012/06/10 07:40:45 | 000,024,929 | ---- | M] () -- F:\Users\Systeam\Desktop\QsrLrVfVVXeeqsso
[2012/06/10 07:24:02 | 000,014,634 | ---- | M] () -- F:\Users\Systeam\Desktop\XAddUAgAaojAxv
[2012/06/10 04:09:50 | 000,017,931 | ---- | M] () -- F:\Users\Systeam\Desktop\erJfLreqsNQqEss
[2012/06/09 03:51:53 | 000,123,910 | ---- | M] () -- F:\Users\Systeam\Desktop\jueEeQtuQsQUjdDdxOGDv
[2012/06/09 03:18:29 | 000,123,826 | ---- | M] () -- F:\Users\Systeam\Desktop\nxAgjOlAdAGlJpnpyVpfs
[2012/06/08 15:31:44 | 000,123,902 | ---- | M] () -- F:\Users\Systeam\Desktop\sqVNpyVsrsysodaQaO
[2012/06/08 15:27:47 | 000,123,859 | ---- | M] () -- F:\Users\Systeam\Desktop\eNXnXnfLfpreytstau
[2012/06/08 15:27:08 | 000,123,856 | ---- | M] () -- F:\Users\Systeam\Desktop\AUEoQusQsaUTAdDjDODlx
[2012/06/08 12:13:32 | 000,123,807 | ---- | M] () -- F:\Users\Systeam\Desktop\JDOdEOaOdADlGXJV
[2012/06/07 03:00:29 | 000,017,161 | ---- | M] () -- F:\Users\Systeam\Desktop\epvVvpLnpLXqfquyE
[2012/06/04 07:36:42 | 000,123,918 | ---- | M] () -- F:\Users\Systeam\Desktop\UEsssTQdEgAglvpLN
[2012/05/28 09:57:29 | 000,025,054 | ---- | M] () -- F:\Users\Systeam\Desktop\XvDAUDOAOGvpLfXrVyVet
[2012/05/26 07:58:58 | 000,013,515 | ---- | M] () -- F:\Users\Systeam\Desktop\JDOATAUDAxDJJNXyfyN
[2012/05/24 03:07:25 | 000,707,826 | ---- | M] () -- F:\Windows\System32\perfh007.dat
[2012/05/24 03:07:25 | 000,663,144 | ---- | M] () -- F:\Windows\System32\perfh009.dat
[2012/05/24 03:07:25 | 000,151,610 | ---- | M] () -- F:\Windows\System32\perfc007.dat
[2012/05/24 03:07:25 | 000,124,564 | ---- | M] () -- F:\Windows\System32\perfc009.dat
[2012/05/22 06:57:36 | 000,109,769 | ---- | M] () -- F:\Users\Systeam\Desktop\nxAjjgxOUDGDLfpXeNpf
[2012/05/18 05:25:49 | 000,113,717 | ---- | M] () -- F:\Users\Systeam\Documents\TOlexDJssNXvoLTl
[2012/05/15 06:34:37 | 000,000,000 | ---- | M] () -- F:\Users\Systeam\Documents\dAoQxpeXeXsyNpyXTfLE
[2012/05/14 06:44:05 | 000,003,872 | ---- | M] () -- F:\Users\Systeam\Desktop\Bewertungsbogen Praktikant.lnk
[2012/05/14 03:46:06 | 000,107,760 | ---- | M] () -- F:\Users\Systeam\Documents\xpNUrXqplApotLQL
[2012/05/14 02:14:15 | 000,020,570 | ---- | M] () -- F:\Users\Systeam\Desktop\XnGGAJDAJnvpXV
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/12 13:26:20 | 000,002,048 | -HS- | C] () -- F:\_OTL
[2012/06/12 11:53:08 | 000,003,240 | ---- | C] () -- F:\bootsqm.dat
[2012/05/14 06:42:58 | 000,003,872 | ---- | C] () -- F:\Users\Systeam\Desktop\Bewertungsbogen Praktikant.lnk
[2011/10/26 15:04:41 | 000,000,498 | RHS- | C] () -- F:\ProgramData\ntuser.pol
[2011/08/19 03:21:45 | 000,000,157 | ---- | C] () -- F:\Windows\setscan.ini
[2011/08/06 01:59:52 | 000,145,804 | ---- | C] () -- F:\Windows\SysWow64\igcompkrng600.bin
[2011/03/31 23:07:02 | 010,877,272 | ---- | C] () -- F:\Windows\SysWow64\LogiDPP.dll
[2011/03/31 23:07:02 | 000,102,744 | ---- | C] () -- F:\Windows\SysWow64\LogiDPPApp.exe
[2011/03/31 23:06:56 | 000,331,608 | ---- | C] () -- F:\Windows\SysWow64\DevManagerCore.dll
[2011/03/25 19:16:10 | 000,963,116 | ---- | C] () -- F:\Windows\SysWow64\igkrng600.bin
[2011/03/25 19:16:10 | 000,216,876 | ---- | C] () -- F:\Windows\SysWow64\igfcg600m.bin
[2011/02/11 13:45:27 | 001,619,658 | ---- | C] () -- F:\Windows\SysWow64\PerfStringBackup.INI
[2010/11/20 23:24:49 | 000,252,928 | ---- | C] () -- F:\Windows\SysWow64\DShowRdpFilter.dll
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- F:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- F:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- F:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- F:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- F:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- F:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- F:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- F:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/08/16 08:50:22 | 000,000,000 | -HSD | M] -- F:\ProgramData\Anwendungsdaten
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Application Data
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Desktop
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Documents
[2011/08/16 08:50:22 | 000,000,000 | -HSD | M] -- F:\ProgramData\Dokumente
[2011/08/16 08:50:22 | 000,000,000 | -HSD | M] -- F:\ProgramData\Favoriten
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Favorites
[2012/05/19 03:58:08 | 000,000,000 | ---D | M] -- F:\ProgramData\ISIS Drivers
[2011/08/16 09:09:40 | 000,000,000 | ---D | M] -- F:\ProgramData\PCDr
[2011/10/23 03:42:33 | 000,000,000 | ---D | M] -- F:\ProgramData\ScanSoft
[2011/08/19 02:38:39 | 000,000,000 | ---D | M] -- F:\ProgramData\SQL Anywhere 10
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Start Menu
[2011/08/16 08:50:22 | 000,000,000 | -HSD | M] -- F:\ProgramData\Startmenü
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- F:\ProgramData\Templates
[2011/08/16 08:50:22 | 000,000,000 | -HSD | M] -- F:\ProgramData\Vorlagen
[2012/02/24 17:55:22 | 000,032,640 | ---- | M] () -- F:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 925 bytes -> F:\Users\Systeam\Documents\GAULUTfaVXjeqseJTQanU:OECustomProperty
< End of report >

Was muss ich jetzt tun?

Vielen Dank schon mal für Eure Hilfe,

Maik

cosinus · 14.06.2012, 14:19

Ist das ein Firmenrechner?

maiklemmer · 14.06.2012, 14:31

Hallo Arne,

danke, hat sich erledigt.

Trojaner ist jetzt weg, aber Dateien bleiben ja leider verschlüsselt

Viele Grüße,

Maik

cosinus · 14.06.2012, 14:32

Hinweise bzgl. der verschlüsselten Dateien:
Wann genau deine Daten entschlüsselt werden können wird dir niemand genau sagen können außer vllt einer

es kann sein, dass du eine neuere Variante hast, deren Verschlüsselungsalgorithmus noch unbekannt ist. Sowas kann man (noch) nicht entschlüsseln und ohne Schlüssel schon garnicht - ist ja auch logisch, sonst wär es ja keine vernünftige Verschlüsselung
Einfach hier nochmal reinsehen in regelmäßigen Abständen, obige Hinweise beachten. 8 Tools mitsamt hunderten Diskussionsbeiträgen stehen da schon

Eine Notlösung für Vista und Win7-User => http://www.trojaner-board.de/115496-...erstellen.html

Entschlüsselungsversuche der verschlüsselten Dateien sind nur auf zusätzliche Kopien der verschlüsselten Dateien anzuwenden, sonst zerhackt man sich die noch weiter ohne die "original" verschlüsselte Datei mehr zu haben. Das willst du sicher nicht!

Man darf sich aber keine falschen Hoffnungen machen. Mittlerweile sieht es finster aus => Delphi-PRAXiS - Einzelnen Beitrag anzeigen - Verschlüsselungs-Trojaner, Hilfe benötigt

Und in Zukunft willst du sicher mal an ein besseres Backupkonzept denken. Gerade bei Firmendaten

Hier ein Denkanstoß => http://www.trojaner-board.de/115678-...r-backups.html

14.06.2012, 14:19	#2
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Windows-Verschlüsselungs Trojaner Ist das ein Firmenrechner? __________________ __________________

Windows-Verschlüsselungs Trojaner

Plagegeister aller Art und deren Bekämpfung: Windows-Verschlüsselungs Trojaner