verschluesselungs trojaner olt scan vorhanden

tyran · 24.05.2012, 15:41

Hallo,

ich habe einen pc mit dem verschluesselungs trojaner.

waere super wenn mir einer helfen koennte

hier der olt scan output

danke im vorraus fuer die Hilfe
tyran

Zitat:

OTL logfile created on: 5/24/2012 5:02:39 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Windows 7 Professional Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Österreich | Language: DEA | Date Format: dd.MM.yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 454.25 Gb Total Space | 386.00 Gb Free Space | 84.98% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2012/05/10 00:56:56 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/05/09 00:44:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/09 00:44:29 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/04/26 00:49:50 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/10/01 02:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 02:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/06/06 06:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/11/26 01:46:30 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/11/24 14:48:25 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/08/25 21:57:04 | 000,176,128 | ---- | M] (AMD) [Auto] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/02/18 08:26:44 | 001,047,368 | ---- | M] (TuneUp Software) [Auto] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010/02/18 08:22:36 | 000,030,024 | ---- | M] (TuneUp Software) [Auto] -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (cpuz134)
DRV - [2012/05/09 00:44:31 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/05/09 00:44:31 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/10/11 09:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/10/01 02:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 02:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 02:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 02:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2010/11/24 14:21:23 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2010/11/20 08:30:17 | 000,296,064 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\drivers\vpcvmm.sys -- (vpcvmm)
DRV - [2010/11/20 08:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 08:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 08:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 06:50:37 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 05:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 05:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/08/25 23:36:28 | 006,380,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2010/08/25 23:36:28 | 006,380,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/08/25 21:20:36 | 000,221,696 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/06/17 09:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/24 14:07:38 | 000,204,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2009/10/14 02:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2009/09/22 21:18:08 | 000,078,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\vpcusb.sys -- (vpcusb)
DRV - [2009/09/22 21:18:07 | 000,165,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\vpchbus.sys -- (vpcbus)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nmd.msn.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nmd.msn.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Fa._Kathan_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://nmd.msn.com
IE - HKU\Fa._Kathan_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://nmd.msn.com
IE - HKU\Fa._Kathan_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\System32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/26 00:49:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/30 01:53:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/05/10 03:19:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/09/22 08:21:29 | 000,000,000 | ---D | M]

[2012/01/30 01:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/26 00:49:50 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/30 04:51:11 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/22 01:34:38 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012/02/22 01:34:38 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/22 01:34:38 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012/02/22 01:34:38 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012/02/22 01:34:38 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012/02/22 01:34:38 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKU\Fa._Kathan_ON_C..\Run: [B030F408] C:\Users\...\AppData\Roaming\Atvjezfnm\91034155B030F40816EE.exe ( passato tanto tempo)
O4 - HKU\Fa._Kathan_ON_C..\Run: [packqd] C:\Users\...\AppData\Roaming\packqd.exe ()
O4 - HKU\LocalService_ON_C..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_C..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (Intertrust Technologies, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 10.4.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/05/24 07:05:51 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Roaming\Atvjezfnm
[2012/05/24 07:05:21 | 000,000,000 | ---D | C] -- C:\Users\...\Desktop\Akte
[2012/05/23 03:50:52 | 000,000,000 | ---D | C] -- C:\Users\...\AppData\Local\{1D411B5E-7FE6-485D-9B45-7C722FA4D374}
[2012/05/10 07:39:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/05/10 07:38:48 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
[2012/05/10 07:38:25 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\windows\System32\npDeployJava1.dll
[2012/05/10 07:38:25 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\windows\System32\javaws.exe
[2012/05/10 00:56:56 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerApp.exe
[2012/05/09 00:50:03 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntkrnlpa.exe
[2012/05/09 00:50:03 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntoskrnl.exe
[2012/05/09 00:50:03 | 002,343,424 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys
[2012/05/09 00:49:10 | 001,077,248 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\DWrite.dll
[2012/04/30 14:01:33 | 000,000,000 | ---D | C] -- C:\Program Files\Preislisten 06.03.2012
[2012/04/30 14:01:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Borland Shared
[2012/04/26 00:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/04/26 00:49:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla

========== Files - Modified Within 30 Days ==========

[2012/05/24 09:47:51 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/05/24 09:34:00 | 000,000,884 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/05/24 09:18:14 | 000,009,920 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/24 09:18:14 | 000,009,920 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/24 09:10:49 | 1609,179,136 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/22 02:12:41 | 000,023,552 | ---- | M] () -- C:\Users\...\Documents\QJAqnosDeldfxsNOrgE
[2012/05/18 00:59:16 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/05/17 02:21:50 | 000,410,096 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2012/05/16 12:29:46 | 000,703,696 | ---- | M] () -- C:\windows\System32\perfh007.dat
[2012/05/16 12:29:46 | 000,664,242 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/05/16 12:29:46 | 000,148,644 | ---- | M] () -- C:\windows\System32\perfc007.dat
[2012/05/16 12:29:46 | 000,124,938 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/05/16 12:23:10 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/05/16 02:01:07 | 000,030,208 | ---- | M] () -- C:\Users\...\Documents\ONLofdQJDeVdyA
[2012/05/10 07:38:07 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\windows\System32\javaw.exe
[2012/05/10 07:38:07 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\windows\System32\java.exe
[2012/05/10 03:19:54 | 000,001,975 | ---- | M] () -- C:\Users\...\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2012/05/10 03:19:54 | 000,001,963 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2012/05/10 03:19:54 | 000,001,951 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2012/05/10 00:56:56 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerApp.exe
[2012/05/10 00:56:56 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerCPLApp.cpl
[2012/05/09 00:44:31 | 000,137,928 | ---- | M] (Avira GmbH) -- C:\windows\System32\drivers\avipbb.sys
[2012/05/09 00:44:31 | 000,083,392 | ---- | M] (Avira GmbH) -- C:\windows\System32\drivers\avgntflt.sys
[2012/05/02 14:09:38 | 000,015,149 | ---- | M] () -- C:\Users\...\Desktop\LgNvQVUtGaXDenEyAuv
[2012/04/30 14:01:34 | 000,001,919 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mein Traktor Preisliste 3-2012.lnk
[2012/04/30 14:01:34 | 000,001,907 | ---- | M] () -- C:\Users\Public\Desktop\Mein Traktor Preisliste 3-2012.lnk

========== Files Created - No Company Name ==========

[2012/05/10 03:19:54 | 000,001,963 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2012/05/10 00:56:59 | 000,000,884 | ---- | C] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/04/30 14:01:34 | 000,001,919 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mein Traktor Preisliste 3-2012.lnk
[2012/04/30 14:01:34 | 000,001,907 | ---- | C] () -- C:\Users\Public\Desktop\Mein Traktor Preisliste 3-2012.lnk
[2011/08/26 04:10:32 | 000,000,078 | ---- | C] () -- C:\windows\ricdb.ini
[2011/08/24 05:19:03 | 000,007,671 | ---- | C] () -- C:\windows\hpdj6122.ini
[2011/08/24 02:56:31 | 000,164,352 | ---- | C] () -- C:\windows\System32\unrar.dll
[2011/06/24 01:07:05 | 000,252,928 | ---- | C] () -- C:\windows\System32\DShowRdpFilter.dll
[2011/06/24 01:06:24 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe
[2011/03/02 13:09:08 | 000,116,224 | ---- | C] () -- C:\windows\System32\pdfcmnnt.dll
[2011/01/21 10:43:05 | 000,000,242 | ---- | C] () -- C:\windows\Brpfx04a.ini
[2011/01/21 10:43:05 | 000,000,093 | ---- | C] () -- C:\windows\brpcfx.ini
[2011/01/21 10:42:06 | 000,106,496 | ---- | C] () -- C:\windows\System32\BrMuSNMP.dll
[2011/01/21 10:42:06 | 000,000,066 | ---- | C] () -- C:\windows\Brfaxrx.ini
[2011/01/21 10:42:06 | 000,000,000 | ---- | C] () -- C:\windows\brdfxspd.dat
[2010/11/24 15:05:44 | 000,000,000 | ---- | C] () -- C:\Program Files\error.dat
[2010/11/24 15:05:44 | 000,000,000 | ---- | C] () -- C:\windows\brmx2001.ini
[2010/11/24 15:04:44 | 000,000,432 | ---- | C] () -- C:\windows\BRWMARK.INI
[2010/11/24 15:04:44 | 000,000,065 | ---- | C] () -- C:\windows\System32\BD8460N.DAT
[2010/11/24 15:04:37 | 000,045,056 | ---- | C] () -- C:\windows\System32\PTRCGER.DLL
[2010/11/24 15:04:28 | 000,045,056 | ---- | C] () -- C:\windows\System32\BRTCPCON.DLL
[2010/11/24 15:04:25 | 000,000,114 | ---- | C] () -- C:\windows\System32\BRLMW03A.INI
[2010/11/24 14:21:42 | 000,000,000 | ---- | C] () -- C:\windows\nsreg.dat
[2010/10/14 03:10:03 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2010/10/14 03:05:43 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2010/09/20 01:24:22 | 000,002,857 | ---- | C] () -- C:\windows\System32\atipblag.dat
[2010/09/20 01:24:21 | 000,294,912 | ---- | C] () -- C:\windows\System32\ATIODE.exe
[2010/09/20 01:24:21 | 000,219,348 | ---- | C] () -- C:\windows\System32\atiicdxx.dat
[2010/09/20 01:24:21 | 000,045,056 | ---- | C] () -- C:\windows\System32\ATIODCLI.exe
[2009/09/30 06:31:01 | 000,703,696 | ---- | C] () -- C:\windows\System32\perfh007.dat
[2009/09/30 06:31:01 | 000,295,922 | ---- | C] () -- C:\windows\System32\perfi007.dat
[2009/09/30 06:31:01 | 000,148,644 | ---- | C] () -- C:\windows\System32\perfc007.dat
[2009/09/30 06:31:01 | 000,038,104 | ---- | C] () -- C:\windows\System32\perfd007.dat
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/14 00:33:53 | 000,410,096 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,664,242 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,124,938 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009/07/13 19:11:09 | 000,197,121 | ---- | C] () -- C:\Users\...\AppData\Roaming\packqd.exe
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2000/05/04 10:21:22 | 000,129,024 | R--- | C] () -- C:\windows\System32\ZipDll.dll
[2000/05/04 10:21:22 | 000,115,200 | R--- | C] () -- C:\windows\System32\UnzDll.dll
[1998/08/23 14:36:00 | 000,063,488 | ---- | C] () -- C:\windows\System32\eztw32.dll
[1601/02/13 04:28:18 | 000,000,017 | ---- | C] () -- C:\Users\...\AppData\Local\AypTslUVGsrOQvjq

========== LOP Check ==========

[2012/05/24 07:05:51 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\Atvjezfnm
[2012/05/24 07:17:10 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\DAEMON Tools Lite
[2011/08/24 05:19:45 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\InterTrust
[2010/11/24 15:23:39 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\KeePass
[2012/05/22 13:44:37 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\SoftGrid Client
[2012/05/24 07:17:14 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\TeamViewer
[2010/11/24 14:25:04 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\Thunderbird
[2012/01/31 07:14:03 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\TP
[2011/11/02 14:47:44 | 000,000,000 | ---D | M] -- C:\Users\...\AppData\Roaming\TuneUp Software
[2010/11/24 14:01:45 | 000,000,000 | -HSD | M] -- C:\ProgramData\Anwendungsdaten
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
[2010/11/24 14:20:28 | 000,000,000 | ---D | M] -- C:\ProgramData\DAEMON Tools Lite
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
[2010/11/24 14:01:45 | 000,000,000 | -HSD | M] -- C:\ProgramData\Dokumente
[2010/11/24 14:01:45 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favoriten
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
[2012/05/24 07:16:54 | 000,000,000 | ---D | M] -- C:\ProgramData\hds
[2011/08/26 04:10:31 | 000,000,000 | ---D | M] -- C:\ProgramData\RICOH
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
[2010/11/24 14:01:45 | 000,000,000 | -HSD | M] -- C:\ProgramData\Startmenü
[2009/07/14 00:53:55 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
[2010/11/24 14:48:10 | 000,000,000 | ---D | M] -- C:\ProgramData\TuneUp Software
[2012/02/01 05:32:04 | 000,000,000 | ---D | M] -- C:\ProgramData\VirtualizedApplications
[2010/11/24 14:01:45 | 000,000,000 | -HSD | M] -- C:\ProgramData\Vorlagen
[2010/11/24 14:47:48 | 000,000,000 | -HSD | M] -- C:\ProgramData\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
[2012/04/02 00:52:47 | 000,032,640 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

markusg · 24.05.2012, 19:57

hi
auf deinem zweiten pc gehe auf start, programme zubehör editor, kopiere dort
rein:

Code:

ATTFilter

:OTL
O4 - HKU\Fa._Kathan_ON_C..\Run: [B030F408] C:\Users\...\AppData\Roaming\Atvjezfnm\91034155B030F40816EE.exe ( passato tanto tempo)
O4 - HKU\Fa._Kathan_ON_C..\Run: [packqd] C:\Users\...\AppData\Roaming\packqd.exe ()
:Files
:Commands
[purity]
[EMPTYFLASH] 
[emptytemp]
[Reboot]

dieses speicherst du auf nem usb stick als fix.txt
nutze nun wieder OTLPENet.exe (starte also von der erstellten cd) und hake alles an, wie es bereits im post zu OTLPENet.exe beschrieben ist.
• Klicke nun bitte auf den Fix Button.
es sollte nun eine meldung ähnlich dieser: "load fix from file" erscheinen, lade also die fix.txt von deinem stick.
wenn dies nicht funktioniert, bitte den fix manuell eintragen.
dann klicke erneut den fix buton. pc startet evtl. neu. wenn ja, nimm die cd aus dem laufwerk, windows sollte nun normal starten und die otl.txt öffnen,
log posten bitte.

tyran · 26.05.2012, 07:37

Hallo,

also ich habe Win im abgesicherten Modus gestartet und Malewarebytes ausgeführt.

Dann konnte ich Win wieder normal starten.
Dann habe ich das OTL Script gestartet, wurde aber nicht korrekt ausgeführt. (daher auch kein Logfile)

Jetzt habe ich noch das Problem mit den verschlüsselten Dateien.
Die Entschlüsselungstools (DecryptHelper) helfen nicht, daher nehme ich an, dass ich die neue Version des Trojaners eingefangen habe.

Mir wäre wichtig, dass ich noch einige Daten retten könnte.

Ich habe eine verschlüsselte Datei, eine zugehörige originale Datei, das Mail mit dem Trojaner kann ich über gmx nicht mehr weiterleiten. Aber ich habe den Anhang der Mail zur Verfügung.

Ist es möglich hier noch etwas zu machen, damit ich die Dateien wieder retten kann.

danke im vorraus.

grüße tyran

verschluesselungs trojaner olt scan vorhanden

Log-Analyse und Auswertung: verschluesselungs trojaner olt scan vorhanden