MIchael123 | 06.06.2012 12:05 | Encryption trojan TR/Ransom.Birele.oyq
Hello,
a computer (XP) is infected with TR/Ransom.Birele.oyq (according to Avira),
i.e. all user files are encrypted and the file names are a jumbled sequence of digits and letters (encryption trojan).
Before login, a demand to pay (Ukash...) appears. I have already sent the virus to the board. If anyone could find a way to decrypt everything again, I would be very grateful for hints.
Below are the logs from Avira, gmer and Malwarebytes.
Many thanks for your help!
ciao
Michael
gmer:
GMER Logfile:
GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2012-06-06 09:41:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000062 ST3250824AS rev.3.AAE
Running: gmer.exe; Driver: C:\DOKUME~1\user\LOKALE~1\Temp\kxtdypow.sys
---- System - GMER 1.0.15 ----
SSDT F7B01FDC ZwClose
SSDT F7B01F96 ZwCreateKey
SSDT F7B01FE6 ZwCreateSection
SSDT F7B01F8C ZwCreateThread
SSDT F7B01F9B ZwDeleteKey
SSDT F7B01FA5 ZwDeleteValueKey
SSDT F7B01FD7 ZwDuplicateObject
SSDT F7B01FAA ZwLoadKey
SSDT F7B01F78 ZwOpenProcess
SSDT F7B01F7D ZwOpenThread
SSDT F7B01FB4 ZwReplaceKey
SSDT F7B01FAF ZwRestoreKey
SSDT F7B01FEB ZwSetContextThread
SSDT F7B01FA0 ZwSetValueKey
SSDT F7B01F87 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6BF8360, 0x242F4E, 0xE8000020]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
OTL logfile (started from a Windows PE CD):
OTL logfile created on: 6/5/2012 2:21:26 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
767.00 Mb Total Physical Memory | 563.00 Mb Available Physical Memory | 73.00% Memory free
707.00 Mb Paging File | 587.00 Mb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 127.99 Gb Total Space | 79.75 Gb Free Space | 62.31% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet003
========== Win32 Services (SafeList) ==========
SRV - [2012/05/05 10:45:26 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/25 08:14:26 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/06/28 08:28:59 | 000,269,480 | ---- | M] (Avira GmbH) [Auto] -- C:\Programme\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/11 12:30:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto] -- C:\Programme\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2006/10/26 14:49:34 | 000,441,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 09:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/26 08:40:34 | 000,335,872 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2011/06/28 08:29:01 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 08:29:01 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 07:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 05:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007/02/02 03:37:00 | 000,982,272 | ---- | M] (Motorola Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006/06/29 08:53:00 | 000,244,864 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/06/28 12:38:00 | 000,105,088 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2006/06/05 23:09:00 | 004,284,928 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\B_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Programme\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Programme\Mozilla Firefox\components [2012/04/25 08:14:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins [2012/04/13 09:43:00 | 000,000,000 | ---D | M]
[2010/11/16 18:30:13 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\B\Anwendungsdaten\mozilla\Extensions
[2012/05/02 12:10:45 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\B\Anwendungsdaten\mozilla\Firefox\Profiles\yu13fq5d.default\extensions
[2012/06/01 10:54:15 | 000,000,000 | ---D | M] (No name found) -- C:\Dokumente und Einstellungen\B\Anwendungsdaten\mozilla\Firefox\Profiles\yu13fq5d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/06 07:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2010/11/24 15:51:02 | 000,000,000 | ---D | M] (Skype extension) -- C:\Programme\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2012/04/25 08:14:26 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll
[2011/05/06 08:31:36 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
[2011/05/06 08:31:36 | 000,002,252 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml
[2011/05/06 08:31:36 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
[2011/05/06 08:31:36 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
[2011/05/06 08:31:36 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
[2011/05/06 08:31:36 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml
O1 HOSTS File: ([2001/08/18 08:00:00 | 000,000,820 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Adobe ARM] C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SMSERIAL] C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKU\B_ON_C..\Run: [28F343A2] C:\WINDOWS\system32\31FA665828F343A2082F.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegedit = 1
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289945114778 (WUWebControl Class)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\31FA665828F343A2082F.exe) - C:\WINDOWS\system32\31FA665828F343A2082F.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\regedit.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/16 17:00:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{7435bdc2-f1c3-11df-a48b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{7435bdc2-f1c3-11df-a48b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7435bdc2-f1c3-11df-a48b-806d6172696f}\Shell\AutoRun\command - "" = H:\Programs\nu2menu\nu2menu.exe
O33 - MountPoints2\{be6a65a6-bcec-11e0-a8f0-001921581951}\Shell - "" = AutoRun
O33 - MountPoints2\{be6a65a6-bcec-11e0-a8f0-001921581951}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{be6a65a6-bcec-11e0-a8f0-001921581951}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{bec350fe-f28c-11df-a496-001921581951}\Shell - "" = AutoRun
O33 - MountPoints2\{bec350fe-f28c-11df-a496-001921581951}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bec350fe-f28c-11df-a496-001921581951}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2012/06/05 04:18:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/06/04 12:40:56 | 000,000,000 | ---D | C] -- C:\temp
[2012/06/01 10:39:56 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\B\Anwendungsdaten\Tbrnmgnt
[2012/06/01 10:39:27 | 000,046,910 | -H-- | C] (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services) -- C:\WINDOWS\System32\31FA665828F343A2082F.exe
[2012/05/29 05:43:12 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Dokumente und Einstellungen\B\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\B\Eigene Dateien\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/06/05 04:20:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/05 04:17:59 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/05 04:17:22 | 000,073,451 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/06/04 07:45:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/04 02:38:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/01 10:39:27 | 000,046,910 | -H-- | M] (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services) -- C:\WINDOWS\System32\31FA665828F343A2082F.exe
[2012/05/31 09:22:01 | 000,604,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2012/05/27 06:53:17 | 003,654,958 | ---- | M] () -- C:\Dokumente und Einstellungen\B\Eigene Dateien\sAtXgVjQXoVDQGorDqGa
[2012/05/24 18:34:02 | 060,273,365 | ---- | M] () -- C:\Dokumente und Einstellungen\B\Eigene Dateien\LNeqtTgdjJXLfs
[2012/05/24 18:23:25 | 027,191,173 | ---- | M] () -- C:\Dokumente und Einstellungen\B\Eigene Dateien\pjQXoVlQxorDyGardy
[2012/05/11 15:50:50 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh323
[2012/05/11 15:50:40 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh322
[2012/05/11 15:50:32 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh321
[2012/05/11 15:50:22 | 000,481,078 | ---- | M] () -- C:\WINDOWS\System32\winsh320
[2012/05/09 04:44:52 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/09 03:29:10 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/05/09 03:26:50 | 000,448,898 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2012/05/09 03:26:50 | 000,432,784 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/09 03:26:50 | 000,080,338 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2012/05/09 03:26:50 | 000,067,740 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/07 13:32:26 | 009,610,163 | ---- | M] () -- C:\Dokumente und Einstellungen\B\Eigene Dateien\aUjlJLfresoaOAx
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Dokumente und Einstellungen\B\Eigene Dateien\*.tmp files -> C:\Dokumente und Einstellungen\B\Eigene Dateien\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/06/01 14:02:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh325
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh324
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh323
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh322
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh321
[2012/06/01 10:40:02 | 000,481,078 | ---- | C] () -- C:\WINDOWS\System32\winsh320
[2012/02/26 08:52:24 | 000,005,632 | ---- | C] () -- C:\Dokumente und Einstellungen\B\Lokale Einstellungen\Anwendungsdaten\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/16 08:44:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/11/24 15:51:38 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/11/16 18:51:45 | 000,011,615 | ---- | C] () -- C:\WINDOWS\hpdj5700.ini
[2010/11/16 18:30:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/16 18:29:03 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/11/16 18:29:03 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/11/16 18:16:17 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2010/11/16 17:50:40 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/11/16 17:50:36 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/11/16 17:50:36 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/11/16 17:50:29 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/11/16 17:50:23 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2010/11/16 17:50:19 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/11/16 17:50:18 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2010/11/16 17:50:15 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2010/11/16 17:49:51 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2010/11/16 17:49:51 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2010/11/16 17:49:43 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2010/11/16 17:18:04 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/11/16 17:02:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/16 16:58:36 | 000,021,740 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/16 16:53:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/16 16:52:55 | 000,193,776 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/05/06 23:38:37 | 000,005,428 | ---- | C] () -- C:\WINDOWS\hpfmdl_s04_main.dat
[2004/05/06 23:38:37 | 000,000,362 | ---- | C] () -- C:\WINDOWS\hpfins_s04_main.dat
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/18 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/18 08:00:00 | 000,448,898 | ---- | C] () -- C:\WINDOWS\System32\perfh007.dat
[2001/08/18 08:00:00 | 000,432,784 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/18 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/18 08:00:00 | 000,269,480 | ---- | C] () -- C:\WINDOWS\System32\perfi007.dat
[2001/08/18 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/18 08:00:00 | 000,080,338 | ---- | C] () -- C:\WINDOWS\System32\perfc007.dat
[2001/08/18 08:00:00 | 000,067,740 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/18 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/18 08:00:00 | 000,034,478 | ---- | C] () -- C:\WINDOWS\System32\perfd007.dat
[2001/08/18 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/18 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/18 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
========== LOP Check ==========
[2012/06/01 10:39:56 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\B\Anwendungsdaten\Tbrnmgnt
[2011/02/15 08:57:12 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC Drivers HeadQuarters
[2011/02/15 08:57:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\UAB
========== Purity Check ==========
< End of report >
Avira logfile:
Avira / Linux Version 1.9.152.0
Copyright (c) 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.10.80
VDF Version: 7.11.31.242
Scan start time: Tue Jun 5 16:49:00 2012
configuration file: /etc/avira/scancl.conf
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Anwendungsdaten/Microsoft/Document Building Blocks/1031/TrsroVJsVjXvyx
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Anwendungsdaten/Mozilla/Firefox/Profiles/yu13fq5d.default/extensions/{20a82645-c095-46ed-80e3-08825760534b}/chrome/QJslsfgNjEpTVG
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Anwendungsdaten/Tbrnmgnt/A2675A1328F343A2C97C.exe <<< Is the Trojan horse TR/Ransom.Birele.oyq
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/daOUjJXnVeutoOD
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/TAJpnfsutoglAxXNfyuao
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/TAxXJVyusEdlgxnrpytTQ
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/tpqtauUAvDLferso
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/tqtagUAJpLfeusEOljx
WARNING: [Bad archive header] /media/Devices/sda1/Dokumente und Einstellungen/user/Eigene Dateien/TrdyJTLdsvtLOeAtpgfjQ
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/ofwlnocuzf.pre <<< Is the Trojan horse TR/Ransom.Birele.oyq
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/Schreiben-1.zip --> Lastschrift Schreiben.com <<< Is the Trojan horse TR/Ransom.Birele.oyq
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/Schreiben.zip --> Lastschrift Schreiben.com <<< Is the Trojan horse TR/Ransom.Birele.oyq
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/aegkosaytb.pre <<< Is the Trojan horse TR/Ransom.Birele.oyq
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/hdofehxpgl.pre <<< Is the Trojan horse TR/Ransom.Birele.oyq
WARNING: [Unexpected end of file] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/BN0KXw59.zip.part
WARNING: [Unexpected end of file] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temp/cqDoSzSw.pages.part
WARNING: [Error reading file] /media/Devices/sda1/Dokumente und Einstellungen/user/Lokale Einstellungen/Temporary Internet Files/Content.IE5/2QW1WPOE/Firefox%20Setup%203.6.12[2].exe
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc403/UaJdAQlnUDNxnOpyxpuf
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/dlgdLvlqVTQtAgT
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/DLGDrVEueAUTvGyrp
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/dQDdyaQAsNasLe
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/srLGvDdoTQyVrX
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/nVqfauGjgXLxeNdEQlAUX
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/nvunAelsfONjEXTVGu
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/OdoJlAfXQsqOaExDrfnu
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc181/DDldduQyqXXGxgOEossf
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc181/fsrVLvDjdTQtyNXLxlgd
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc181/qrpLGDgUEueqVpvGAO
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc181/vjATTstNNnLllUUQQyq
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc181/yQsyNpLGlgUoQsqVpJxjO
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/XvTOEtrefLDJjUQTs
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/Dc415/JqjJQVVDeEnNOstpaAyuJ
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/jGoxgedEluqdQXtq
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/uesyXvLGgadosryfJl
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/qJpAfeJforeLsaNsjQ
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/qQXGjDgotuefLXJ
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/QTEdlvxnNeqtaOdAvXLV
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/EsysJpdAluEdNsxn
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/LvlqVpusjgaLGlNVoQs
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/tDOfEuDyfauGyNaLGeNd
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/TGgatoernVJDdj
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/rLVrlGoTOytQXfjl
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/saaAjJvffesooOOGGX
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/sEVXNxnJTjteuVyND
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/JgqAeXUfOQLoXlsxQr
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/orAopTVGuvEqlexUr
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/sNrnLDldduQyqXXGxggEo
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/TdEsNyfvlxjTQosNXfnD
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/XoGvadAsQoVNDxnaOA
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/yTtypNLxgldEsuq
WARNING: [Bad archive header] /media/Devices/sda1/RECYCLER/S-1-5-21-823518204-725345543-839522115-1003/uUjuaLdluGLglqGXgV
ALERT: [TR/Ransom.Birele.oyq] /media/Devices/sda1/WINDOWS/system32/31FA665828F343A2082F.exe <<< Is the Trojan horse TR/Ransom.Birele.oyq
Statistics :
Directories............... : 8768
Archives.................. : 2192
Files..................... : 177158
Infected.............. : 7
Ignored........... : 7
Warnings.............. : 559
Suspicious............ : 0
Infections................ : 7

And now the mbam logfile too:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.06.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user :: M [Administrator]
06.06.2012 14:34:18
mbam-log-2012-06-06 (14-57-40).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240699
Time elapsed: 22 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 1 -> No action taken.
Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 6
C:\Dokumente und Einstellungen\user\Anwendungsdaten\Tbrnmgnt\A2675A1328F343A2C97C.exe.vir (Trojan.Ransom) -> No action taken.
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\ofwlnocuzf.pre.vir (Trojan.Ransom) -> No action taken.
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\aegkosaytb.pre.vir (Trojan.Ransom) -> No action taken.
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\hdofehxpgl.pre.vir (Trojan.Ransom) -> No action taken.
C:\RECYCLER\S-1-5-21-823518204-725345543-839522115-1003\Dc430\31FA665828F343A2082F.exe.vir (Trojan.Ransom) -> No action taken.
C:\WINDOWS\system32\31FA665828F343A2082F.exe.vir (Trojan.Ransom) -> No action taken.
(end)
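Added triage example (editor's code, not part of Michael's post and not output of OTL, Avira or Malwarebytes): a small Python script that reads OTL-style lines and flags the four indicator classes that explain the symptoms visible in the OTL log above. An Image File Execution Options "Debugger" set on msconfig.exe, regedit.exe and taskmgr.exe and pointing at a file OTL could not find (launching those tools then fails); a Winlogon UserInit value that no longer points at userinit.exe (the usual way a lock screen gets to run at logon, before the shell); policy values that disable Task Manager and regedit; and an executable whose base name is a long hex string, started from a per-user Run key. The sample input is a handful of lines copied from the OTL log in the post; the expected Winlogon values of a default XP install and the hex-name heuristic are assumptions of the example, not OTL output.

```python
"""OTL autostart triage for the ransomware indicators seen in the post.

Added example by the editor (not code from the poster, OTL, Avira or
Malwarebytes). It parses OTL "O" lines and flags:
  * O27    IFEO Debugger entries (tool launch hijack)
  * O20    Winlogon Shell/UserInit values that differ from a clean XP install
  * O6/O7  policy values that lock the user out of Task Manager / regedit
  * any executable whose base name is a long run of hex digits
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the OTL log in the post above.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [avgnt] C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\B_ON_C..\Run: [28F343A2] C:\WINDOWS\system32\31FA665828F343A2082F.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\B_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\31FA665828F343A2082F.exe) - C:\WINDOWS\system32\31FA665828F343A2082F.exe (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services)
O27 - HKLM IFEO\msconfig.exe: Debugger - P9KDMF.EXE File not found
O27 - HKLM IFEO\taskmgr.exe: Debugger - P9KDMF.EXE File not found
[2012/06/01 10:39:27 | 000,046,910 | -H-- | C] (Nonprofit organization offering health, educational, and distance learning Internet broadcasting services) -- C:\WINDOWS\System32\31FA665828F343A2082F.exe
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


# Assumption: the values a default Windows XP install uses (OTL prints UserInit
# without the trailing comma the registry value normally carries).
EXPECTED_WINLOGON = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}
# Policy values that disable the tools a user would reach for first.
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegedit", "DisableRegistryTools"}
# Heuristic: base name made of 16+ hex digits, e.g. 31FA665828F343A2082F.exe.
HEX_NAMED_EXE = re.compile(r"\\([0-9A-F]{16,}\.exe)\b", re.I)

IFEO_RE = re.compile(r"^O27 - HKLM IFEO\\([^:]+): Debugger - (.+)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.*?)\)")
POLICY_RE = re.compile(r"^O[67] - (.*\\policies\\\w+): (\w+) = (\d+)$")


def triage(otl_text: str) -> list[Finding]:
    """Return one Finding per indicator, in log order (line numbers are 1-based)."""
    findings: list[Finding] = []
    for n, raw in enumerate(otl_text.strip().splitlines(), 1):
        line = raw.strip()
        if m := IFEO_RE.match(line):
            target, debugger = m.groups()
            # OTL appends "File not found" when the debugger binary is absent;
            # Windows then fails to start the target tool at all.
            missing = debugger.endswith("File not found")
            debugger = debugger.replace("File not found", "").strip()
            why = "debugger missing, tool cannot start" if missing else "launch redirected"
            findings.append(Finding(n, "ifeo_debugger", f"{target} -> {debugger} ({why})"))
        elif m := WINLOGON_RE.match(line):
            name, value = m.groups()
            expected = EXPECTED_WINLOGON.get(name.lower())
            if expected and value.lower().rstrip(",") != expected:
                findings.append(Finding(n, "winlogon_hijack", f"{name} = {value}"))
        elif m := POLICY_RE.match(line):
            key, name, value = m.groups()
            if name in LOCKOUT_VALUES and value == "1":
                findings.append(Finding(n, "policy_lockout", f"{key}: {name} = {value}"))
        # Independent of the line type: flag hex-named executables wherever they appear
        # (Run keys, Winlogon values, file listings).
        if m := HEX_NAMED_EXE.search(line):
            findings.append(Finding(n, "hex_named_exe", m.group(1)))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per indicator class."""
    return Counter(f.kind for f in findings)


def suspect_binaries(findings: list[Finding]) -> set[str]:
    """Base names of the hex-named executables, i.e. the samples worth hashing and submitting."""
    return {f.detail for f in findings if f.kind == "hex_named_exe"}


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f"line {f.line_no:2d}  {f.kind:16s} {f.detail}")
    print(dict(summarize(found)))
    print("suspect binaries:", suspect_binaries(found))
```

Run against the sample it reports the two IFEO entries, the replaced UserInit value, the two lockout policies and the one hex-named binary, which is exactly the set the later Avira and Malwarebytes scans detect; the Avira "Bad archive header" warnings on the random-named files in Eigene Dateien and RECYCLER are the encrypted user files the post describes and are deliberately not treated as indicators here.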