Pests of all kinds and how to fight them: Bundeskriminalamt trojan fought off, but encrypted files still there because of a new kind of encryption. (Windows 7)

If you are not sure whether you have caught malware or a trojan, open a topic here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
#1
Bundeskriminalamt trojan fought off, but encrypted files still there because of a new kind of encryption.

I have the same problem with the BKA trojan. First I rescued the system with HitmanPro. Then I carried on because of the encrypted files. In the folder view the pictures are shown as the originals; double-click to view them and they are no longer visible, instead there is a message about the decrypter. DecryptHelper cannot restore the pictures because it says the files are of different sizes (select the infected file first, then the original), or it shows "the key has an invalid size" when you try to create the key with that program. But I notice, when I click an affected picture to see it in the large view (Windows Picture and Fax Viewer), that the original picture is visible for a moment and then the new one. Here is a screenshot with the original in the folder view and then in the large view: hxxp://www.fotos-hochladen.net/uploads/trojanerfa9ko5tb8u.jpg

The original picture (my sweetheart still had it on the PC) has a size of 497 KB and the changed one a size of 523 KB. The file name was not changed, if I see that correctly. It looks as if only the pictures (not all of them) were encrypted, since I switched the computer off immediately. But I am still looking for more affected files. Who can help? I caught the trojan yesterday and fought it off again as described above. Who can help or has an idea? Thanks for the help.

The log files from HitmanPro:
```
HitmanPro 3.7.7.203
www.hitmanpro.com

   Computer name . . . . : HEIKEFRANK-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : HeikeFrank-PC\HeikeFrank
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-08-27 18:41:41
   Scan mode . . . . . . : Quick
   Scan duration . . . . : 3m 17s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 0

   Objects scanned . . . : 3.938
   Files scanned . . . . : 3.938
   Remnants scanned  . . : 0 files / 0 keys
```

```
HitmanPro 3.7.7.203
www.hitmanpro.com

   Computer name . . . . : HEIKEFRANK-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : NT-AUTORITÄT\SYSTEM
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-08-27 18:23:29
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 10m 48s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 70
   Traces  . . . . . . . : 418

   Objects scanned . . . : 1.731.925
   Files scanned . . . . : 56.710
   Remnants scanned  . . : 433.825 files / 1.241.390 keys


Malware _____________________________________________________________________

   C:\Users\HeikeFrank\AppData\Local\Dirty\DirtyDecrypt.exe -> Quarantined
      Size . . . . . . . : 24.576 bytes
      Age  . . . . . . . : 0.3 days (2013-08-27 10:59:27)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : AFDA8054EF87AAE6EBB5FABD8F523C1EEB1B43A084770E56E958C61DF0A6B86B
    > G Data . . . . . . : Trojan.Ransom.ABZ
    > Ikarus . . . . . . : Trojan-Ransomer!IK
    > Kaspersky  . . . . : Trojan.Win32.Agent.hwvv
      Fuzzy  . . . . . . : 116.0
      Forensic Cluster
         -3.1s C:\Users\HeikeFrank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sqm\
         -2.4s C:\Users\HeikeFrank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat
         -0.0s C:\Users\HeikeFrank\AppData\Roaming\Dirty\DirtyDecrypt.exe
          0.0s C:\Users\HeikeFrank\AppData\Local\Dirty\DirtyDecrypt.exe

   C:\Users\HeikeFrank\AppData\Local\Microsoft\gKSzyzmI.exe -> Quarantined
      Size . . . . . . . : 260.096 bytes
      Age  . . . . . . . : 1.0 days (2013-08-26 18:24:01)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : F1868533101FD602919F11F4282BB75773340FB05CBE1BE51F5621A20C0E1052
      Product
      Publisher
      Description  . . . : Flash Player
      Version
      Copyright
    > Kaspersky  . . . . : Trojan-Ransom.Win32.Blocker.cdov
      Fuzzy  . . . . . . : 120.0
      Forensic Cluster
         -0.2s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofh\
          0.0s C:\Users\HeikeFrank\AppData\Local\Microsoft\gKSzyzmI.exe
          0.1s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\
          0.1s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
          0.1s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
          0.3s C:\Users\HeikeFrank\AppData\Local\Temp\tKZLcvPQ.exe
          1.1s C:\Users\HeikeFrank\AppData\Roaming\Dirty\
          1.1s C:\Users\HeikeFrank\AppData\Roaming\Dirty\alertwall.jpg
          1.1s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          1.1s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          1.3s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.3s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.3s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.3s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          3.9s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000004
          3.9s C:\Users\HeikeFrank\AppData\Local\Dirty\
          5.5s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000005
          5.6s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\8653a53c8bd87df069122c8dac120643_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          5.7s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\ebf27182cc14d9ff1b2ae95902004a56_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          6.2s C:\Users\HeikeFrank\AppData\Local\iQrBJXva\
          6.3s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlc\
          7.5s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlcuy\
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\all.css
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\style-custom.css
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\1.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\agip.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\aral.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\arrow.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\avia.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box-bottom.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-btn-sprite.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-fone.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-header-repeat.gif
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-html.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-li.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-track.gif
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\charge.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img1.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img2.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img3.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-copy.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-small.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img4.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\epay.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\esso.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\oder.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\omv.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\paysafe.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\rossmann.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\total.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\westfalen.png
          8.1s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\x.jpg
          8.1s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\index.html
         12.0s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhj\

   C:\Users\HeikeFrank\AppData\Local\Temp\tKZLcvPQ.exe -> Quarantined
      Size . . . . . . . : 260.096 bytes
      Age  . . . . . . . : 1.0 days (2013-08-26 18:24:01)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : F1868533101FD602919F11F4282BB75773340FB05CBE1BE51F5621A20C0E1052
      Product
      Publisher
      Description  . . . : Flash Player
      Version
      Copyright
    > Kaspersky  . . . . : Trojan-Ransom.Win32.Blocker.cdov
      Fuzzy  . . . . . . : 120.0
      Forensic Cluster
         -0.5s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofh\
         -0.3s C:\Users\HeikeFrank\AppData\Local\Microsoft\gKSzyzmI.exe
         -0.2s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\
         -0.2s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
         -0.2s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
          0.0s C:\Users\HeikeFrank\AppData\Local\Temp\tKZLcvPQ.exe
          0.8s C:\Users\HeikeFrank\AppData\Roaming\Dirty\
          0.8s C:\Users\HeikeFrank\AppData\Roaming\Dirty\alertwall.jpg
          0.8s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          0.8s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          1.0s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.0s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.0s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.0s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          3.6s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000004
          3.6s C:\Users\HeikeFrank\AppData\Local\Dirty\
          5.2s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000005
          5.3s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\8653a53c8bd87df069122c8dac120643_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          5.4s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\ebf27182cc14d9ff1b2ae95902004a56_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          5.9s C:\Users\HeikeFrank\AppData\Local\iQrBJXva\
          5.9s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlc\
          7.1s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlcuy\
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\all.css
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\style-custom.css
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\1.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\agip.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\aral.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\arrow.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\avia.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box-bottom.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-btn-sprite.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-fone.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-header-repeat.gif
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-html.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-li.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-track.gif
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\charge.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img1.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img2.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img3.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-copy.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-small.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img4.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\epay.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\esso.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\oder.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\omv.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\paysafe.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\rossmann.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\total.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          7.7s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\westfalen.png
          7.8s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\x.jpg
          7.8s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\index.html
         11.7s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhj\

   C:\Users\HeikeFrank\AppData\Roaming\Dirty\DirtyDecrypt.exe -> Quarantined
      Size . . . . . . . : 24.576 bytes
      Age  . . . . . . . : 0.3 days (2013-08-27 10:59:27)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : AFDA8054EF87AAE6EBB5FABD8F523C1EEB1B43A084770E56E958C61DF0A6B86B
    > G Data . . . . . . : Trojan.Ransom.ABZ
    > Ikarus . . . . . . : Trojan-Ransomer!IK
    > Kaspersky  . . . . : Trojan.Win32.Agent.hwvv
      Fuzzy  . . . . . . : 116.0
      Forensic Cluster
         -3.1s C:\Users\HeikeFrank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sqm\
         -2.4s C:\Users\HeikeFrank\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat
          0.0s C:\Users\HeikeFrank\AppData\Roaming\Dirty\DirtyDecrypt.exe
          0.0s C:\Users\HeikeFrank\AppData\Local\Dirty\DirtyDecrypt.exe

   C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe -> Quarantined
      Size . . . . . . . : 260.096 bytes
      Age  . . . . . . . : 1.0 days (2013-08-26 18:24:01)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : F1868533101FD602919F11F4282BB75773340FB05CBE1BE51F5621A20C0E1052
      Product
      Publisher
      Description  . . . : Flash Player
      Version
      Copyright
    > Kaspersky  . . . . : Trojan-Ransom.Win32.Blocker.cdov
      Fuzzy  . . . . . . : 120.0
      Forensic Cluster
         -0.3s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofh\
         -0.1s C:\Users\HeikeFrank\AppData\Local\Microsoft\gKSzyzmI.exe
         -0.0s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\
          0.0s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
          0.0s C:\{4A484EF0-BBE0-2C7D-9E17-0FB2EF09A212}\BRWRKany.exe
          0.2s C:\Users\HeikeFrank\AppData\Local\Temp\tKZLcvPQ.exe
          1.0s C:\Users\HeikeFrank\AppData\Roaming\Dirty\
          1.0s C:\Users\HeikeFrank\AppData\Roaming\Dirty\alertwall.jpg
          1.0s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          1.0s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\Dirty\
          1.2s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.2s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.2s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          1.2s C:\Users\HeikeFrank\AppData\Local\Temp\~DF7D0EA12FBC3C5F8C.TMP
          3.8s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000004
          3.8s C:\Users\HeikeFrank\AppData\Local\Dirty\
          5.4s C:\Program Files\Alwil Software\Avast4\DATA\chest\00000005
          5.5s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\8653a53c8bd87df069122c8dac120643_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          5.6s C:\Users\HeikeFrank\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-893107783-1421941348-1903558643-1001\ebf27182cc14d9ff1b2ae95902004a56_9ed3e83a-4f32-455d-a93d-2de9a83001bc
          6.1s C:\Users\HeikeFrank\AppData\Local\iQrBJXva\
          6.2s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlc\
          7.4s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhjnlcuy\
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\all.css
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\css\style-custom.css
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\1.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\agip.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\aral.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\arrow.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\avia.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box-bottom.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-box.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-btn-sprite.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-fone.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-header-repeat.gif
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-html.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-li.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\bg-track.gif
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\charge.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img1.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img2.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img3.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-copy.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted-small.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\dotted.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\content\img4.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\epay.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\esso.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\kash.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo-ie.jpg
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\logo.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\netto.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\oder.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\omv.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\paysafe.png
          7.9s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\rossmann.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\shell.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\total.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\webcam.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\westfalen.png
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\images\x.jpg
          8.0s C:\Users\HeikeFrank\AppData\Local\qAoHrCTf\index.html
         11.9s C:\Users\HeikeFrank\AppData\Local\VirtualStore\Program Files (x86)\MIeeayhofhj\


Potential Unwanted Programs _________________________________________________

   C:\Program Files (x86)\Conduit\ (Conduit)
   C:\Program Files (x86)\Conduit\Community Alerts\ (Conduit)
   C:\Program Files (x86)\Conduit\Community Alerts\Alert.dll (Conduit)
      Size . . . . . . . : 638.560 bytes
      Age  . . . . . . . : 72.0 days (2013-06-16 17:13:35)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : F22E58CDFE94D4A5FBBF2795A743B167ED9923E289E14654631E0077DD306C1D
      Product  . . . . . : Alert
      Publisher  . . . . : Conduit Ltd.
      Description  . . . : Alert
      Version  . . . . . : 1.1.4.1
      Copyright  . . . . : Copyright © Conduit Ltd. 2011.
      RSA Key Size . . . : 1024
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : -7.0
   C:\ProgramData\Babylon\ (Babylon)
   C:\ProgramData\Conduit\ (Conduit)
   C:\ProgramData\Conduit\conduitutil.exe (Conduit)
      Size . . . . . . . : 59.709 bytes
      Age  . . . . . . . : 72.0 days (2013-06-16 17:13:00)
      Entropy  . . . . . : 6.6
      SHA-256  . . . . . : 98585CBB5977020B5B25F9AF315DE21B3D74FC820DC61CB7E9F36C41965FB222
      Publisher  . . . . : Conduit
      Version  . . . . . : 0.0.0.1
      Copyright  . . . . : Conduit Ltd.
      Fuzzy  . . . . . . : 0.0
   C:\Users\HeikeFrank\AppData\Local\Conduit\ (Conduit)
   C:\Users\HeikeFrank\AppData\Roaming\Babylon\ (Babylon)
   C:\Users\HeikeFrank\AppData\Roaming\Babylon\log_file.txt (Babylon)
   HKLM\SOFTWARE\Classes\AppID\secman.DLL\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\ (Delta Search)
   HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1\ (Babylon)
   HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager\ (Babylon)
   HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\secman.DLL\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}\ (Delta Search)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ (Yontoo)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ (Babylon)
   HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\Babylon\ (Babylon)
   HKLM\SOFTWARE\Wow6432Node\DataMngr\ (SearchQU)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\AppDataLow\Software\Smartbar\ (Conduit)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\BabylonToolbar\ (Babylon)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\Conduit\ (Conduit)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\DataMngr\ (SearchQU)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\DataMngr_Toolbar\ (SearchQU)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
   HKU\S-1-5-21-893107783-1421941348-1903558643-1001_Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ (Yontoo)


Repairs _____________________________________________________________________

   Diese Einstellung entführt oder blockiert die Anwendung 'notepad.exe'.
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger
```
GLG ....................... Diebaer
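The post above turns on two observations a helper would want to check before picking a decrypter: DecryptHelper refuses the file pair because the sizes differ (497 KB against 523 KB), and the viewer briefly shows the original before the altered version. The script below is an added triage example for this thread, not a tool from the original post, from HitmanPro or from DecryptHelper. It compares a known-good original against its suspect copy and reports size delta, whether the JPEG start and end markers survived, how many leading bytes are still identical, and the entropy of the suspect's header. The sample bytes are constructed inline (a fixed-seed pseudo-random body and a placeholder footer string), so the run is reproducible and needs no real files; which of the verdict strings applies to a real pair depends entirely on the bytes you feed it.

```python
"""Triage a known-good original against a suspected encrypted copy.

Added example for this thread; constructed sample data only.
"""
import math
import random
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG begins with this marker sequence
JPEG_EOI = b"\xff\xd9"      # and normally ends with this one


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class Triage:
    size_original: int
    size_suspect: int
    header_intact: bool   # suspect still starts with a JPEG SOI marker
    trailer_intact: bool  # suspect still ends with a JPEG EOI marker
    shared_prefix: int    # number of leading bytes identical to the original
    header_entropy: float  # entropy of the suspect's first 512 bytes

    @property
    def size_delta(self) -> int:
        return self.size_suspect - self.size_original

    @property
    def verdict(self) -> str:
        """Coarse classification; a real decision needs a look at the bytes."""
        if self.shared_prefix == self.size_original == self.size_suspect:
            return "identical: file is not encrypted"
        if self.header_intact and self.trailer_intact and self.size_delta == 0:
            return "same size, markers intact: possibly a partial in-place change"
        if self.header_intact and self.size_delta > 0:
            return "header intact but file grew: data appended or body encrypted"
        return "header damaged: whole file overwritten or fully encrypted"


def triage(original: bytes, suspect: bytes) -> Triage:
    """Compare the two byte strings and summarise what changed."""
    prefix = 0
    for a, b in zip(original, suspect):
        if a != b:
            break
        prefix += 1
    return Triage(
        size_original=len(original),
        size_suspect=len(suspect),
        header_intact=suspect.startswith(JPEG_SOI),
        trailer_intact=suspect.endswith(JPEG_EOI),
        shared_prefix=prefix,
        header_entropy=shannon_entropy(suspect[:512]),
    )


def constructed_pair() -> tuple[bytes, bytes]:
    """Constructed sample: a low-entropy 'original' and a suspect whose body
    was replaced by pseudo-random bytes with a placeholder footer appended."""
    rng = random.Random(2013)  # fixed seed keeps the sample reproducible
    original = JPEG_SOI + bytes([0x10, 0x20]) * 200 + JPEG_EOI   # 405 bytes
    body = bytes(rng.getrandbits(8) for _ in range(400))
    suspect = JPEG_SOI + body + b"PLACEHOLDER-FOOTER-NOT-REAL-"  # 431 bytes
    return original, suspect


def demo() -> Triage:
    original, suspect = constructed_pair()
    return triage(original, suspect)


if __name__ == "__main__":
    t = demo()
    print(f"original {t.size_original} B, suspect {t.size_suspect} B "
          f"(delta {t.size_delta:+d} B)")
    print(f"SOI intact: {t.header_intact}, EOI intact: {t.trailer_intact}, "
          f"shared prefix: {t.shared_prefix} B, "
          f"header entropy: {t.header_entropy:.2f} bits/byte")
    print(t.verdict)
```

To use it on real files, read both into bytes and call `triage(original, suspect)`; a high header entropy with the SOI marker gone says the file was overwritten from the first byte, while an intact SOI with a positive size delta is the pattern a pair-based decrypter can sometimes work with. Note that a folder thumbnail is served from the Windows thumbnail cache and says nothing about the bytes on disk, so only the file comparison counts.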