Verschlüsselungstrojaner - XP Laptop betroffen

cosinus · 05.07.2012, 20:48

Dann musst du den Fix nochmal im normalen Modus ausprobieren
Achte darauf, dass möglichst alle sichtbaren Programme beendet werden und v.a. dein Virenscanner deaktiviert wurde vor dem Fix!

MikeG · 07.07.2012, 09:51

Hi Arne !

So, nachdem ich den Diagnosesystemstart - nur grundlegende Dienste laden ausgeführt habe, ist der OTL-Fix durchgelaufen:

Code:

ATTFilter

All processes killed
========== OTL ==========
HKU\S-1-5-21-1645522239-436374069-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKU\S-1-5-21-1645522239-436374069-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}\ not found.
HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
Registry key HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\SearchScopes\{73D6A76D-6D06-4FDC-AAF5-38200F576CEF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73D6A76D-6D06-4FDC-AAF5-38200F576CEF}\ not found.
Registry key HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00cbb66b-1d3b-46d3-9577-323a336acb50}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00cbb66b-1d3b-46d3-9577-323a336acb50}\ deleted successfully.
C:\Programme\BrowserCompanion\jsloader.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{963B125B-8B21-49A2-A3A8-E37092276531}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{963B125B-8B21-49A2-A3A8-E37092276531}\ deleted successfully.
C:\Programme\BrowserCompanion\updatebhoWin32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Programme\Ask.com\GenericAskToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Programme\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Programme\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater not found.
C:\Programme\Ask.com\Updater\Updater.exe moved successfully.
Registry value HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Run\\Registry Reviver not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1645522239-436374069-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ deleted successfully.
C:\Programme\Bonjour\mdnsNSP.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{56F9679E-7826-4C84-81F3-532071A8BCC5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F9679E-7826-4C84-81F3-532071A8BCC5}\ deleted successfully.
C:\Programme\Windows Desktop Search\MsnlNamespaceMgr.dll moved successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun|DWORD:1 /E : value set successfully!
C:\AUTOEXEC.BAT moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5a-841b-11dd-b846-0090f56d231d}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3fc9cd5c-841b-11dd-b846-0090f56d231d}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ffd0c3a-8ac7-11dd-b84e-0090f56d231d}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a840-a736-11dd-b870-0090f56d231d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a840-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a840-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a840-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a840-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a840-a736-11dd-b870-0090f56d231d}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a841-a736-11dd-b870-0090f56d231d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a841-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a841-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a841-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6923a841-a736-11dd-b870-0090f56d231d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6923a841-a736-11dd-b870-0090f56d231d}\ not found.
File F:\AutoRun.exe not found.
========== FILES ==========
Folder move failed. C:\WINDOWS\$NtUninstallKB20604$ scheduled to be moved on reboot.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At26.job moved successfully.
C:\WINDOWS\tasks\At27.job moved successfully.
C:\WINDOWS\tasks\At28.job moved successfully.
C:\WINDOWS\tasks\At29.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At30.job moved successfully.
C:\WINDOWS\tasks\At31.job moved successfully.
C:\WINDOWS\tasks\At32.job moved successfully.
C:\WINDOWS\tasks\At33.job moved successfully.
C:\WINDOWS\tasks\At34.job moved successfully.
C:\WINDOWS\tasks\At35.job moved successfully.
C:\WINDOWS\tasks\At36.job moved successfully.
C:\WINDOWS\tasks\At37.job moved successfully.
C:\WINDOWS\tasks\At38.job moved successfully.
C:\WINDOWS\tasks\At39.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At40.job moved successfully.
C:\WINDOWS\tasks\At41.job moved successfully.
C:\WINDOWS\tasks\At42.job moved successfully.
C:\WINDOWS\tasks\At43.job moved successfully.
C:\WINDOWS\tasks\At44.job moved successfully.
C:\WINDOWS\tasks\At45.job moved successfully.
C:\WINDOWS\tasks\At46.job moved successfully.
C:\WINDOWS\tasks\At47.job moved successfully.
C:\WINDOWS\tasks\At48.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\Programme\RegistryReviverSetup.exe moved successfully.
C:\Programme\Ask.com\Updater folder moved successfully.
C:\Programme\Ask.com\assets\oobe folder moved successfully.
C:\Programme\Ask.com\assets folder moved successfully.
C:\Programme\Ask.com folder moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\28Kn5qM.dat moved successfully.
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\lDJvvJaTaTOgOgee moved successfully.
C:\Programme\x-video-converter-ultimate6-de-softonic.exe moved successfully.
C:\Dokumente und Einstellungen\Christian\Lokale Einstellungen\Anwendungsdaten\UUdxxxVfVttUUdxxxrr moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ask\APN-Stub folder moved successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ask folder moved successfully.
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\Gyyw folder moved successfully.
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\Leunim folder moved successfully.
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\Luen folder moved successfully.
C:\Dokumente und Einstellungen\Christian\Anwendungsdaten\Ppppll folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1117372 bytes
 
User: All Users
 
User: Christian
->Temp folder emptied: 1107099346 bytes
->Temporary Internet Files folder emptied: 123029405 bytes
->Java cache emptied: 82517595 bytes
->Flash cache emptied: 55168 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 6679018 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1078447 bytes
 
User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
 
User: TEMP.NT-AUTORITÄT
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33237 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2366775 bytes
%systemroot%\System32 .tmp files removed: 2951 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 60050243 bytes
RecycleBin emptied: 376941 bytes
 
Total Files Cleaned = 1.320,00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Christian
->Flash cache emptied: 0 bytes
 
User: Default User
 
User: LocalService
 
User: NetworkService
 
User: TEMP
 
User: TEMP.NT-AUTORITÄT
 
Total Flash Files Cleaned = 0,00 mb
 
HOSTS file reset successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.
 
OTL by OldTimer - Version 3.2.53.1 log created on 07072012_101711

Files\Folders moved on Reboot...
Folder move failed. C:\WINDOWS\$NtUninstallKB20604$ scheduled to be moved on reboot.

PendingFileRenameOperations files...
File C:\WINDOWS\$NtUninstallKB20604$ not found!

Registry entries deleted on Reboot...

Sonstiges:
Der Taskmanager von XP lässt sich nicht mehr starten mit Strg - Alt - Entf.
I-Net (bisher per LAN-Kabel gelaufen) geht nicht mehr.

LG und besten Dank !

Michael

cosinus · 09.07.2012, 10:10

Zitat:

[2012.06.22 19:09:06 | 002,128,472 | ---- | C] (Kaspersky Lab ZAO) -- C:\Dokumente und Einstellungen\Christian\Desktop\tdsskiller.exe

Was hast du dem TDSS-Killer denn schon gemacht

das Teil ist KEIN Spielzeug!!

Logs dazu?

05.07.2012, 20:48	#16
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	Verschlüsselungstrojaner - XP Laptop betroffen Dann musst du den Fix nochmal im normalen Modus ausprobieren Achte darauf, dass möglichst alle sichtbaren Programme beendet werden und v.a. dein Virenscanner deaktiviert wurde vor dem Fix! __________________ Logfiles bitte immer in CODE-Tags posten

Verschlüsselungstrojaner - XP Laptop betroffen

Plagegeister aller Art und deren Bekämpfung: Verschlüsselungstrojaner - XP Laptop betroffen